Connect to external MQTT server with TLS

I have a Smart Meter (AMS) I want to read meter values from to use in Energy. I have a reader from OSS (oss.no) which has an API which also provides me access to their MQTT broker with the data.
I want to connect to the MQTT broker, but have not been able to configure this in Home Assistant.

I have been able to connect using MQTT Explorer using the following details:

mqtt://mqtt.oss.no
Port: 8883
Username: my e-mail
Password: My public token
Encryption (tls): enabled (true)
Validate certificate: disabled (false)

If I add the details in Home Assistant I am not able to make any configuration to add Encryption (tls). I just get an error message from HA (“Failed to connect”). I assume this is because I have not enabled Encryption.

I have tried to add “auto” as described here: MQTT Certificate - Home Assistant

# Example configuration.yaml entry
mqtt:
  certificate: 'auto'

However, this did not help.

I have also tried to generate my own ca.crt and ca.key as described here: [solved] MQTT with SSL/TLS not working with Home Assistant - #11 by fufs
Basically, these:

  1. Create CA private key (recommended to create password)
    $ openssl genrsa -des3 -out ca.key 2048
  2. Generate CA certificate (valid for 20 years)
    $ openssl req -new -x509 -days 7300 -key ca.key -out ca.crt

I have added this to my ssl folder with the below configuration:

mqtt:
  client_cert: /ssl/ca.crt
  client_key: /ssl/ca.key

This did not help either…

I am a bit lost. Anyone know how I can connect to the broker from HA?

PS! Just to be clear, I do not need to specify any certs or keys when connect using MQTT Explorer, but if I enable the “Validate certificate” I get an error…

I have tried to connect to the MQTT Test server on test.mosquitto.org port 8883, this also fails on Home Assistant, but works on MQTT Explorer when I have TLS enabled but disabled “Validate certificate”.

I have tried a few different configuration options, my current configuration is below.

mqtt:
  certificate: /etc/ssl/certs/ca-certificates.crt
  tls_insecure: true

I have also tried to use:

mqtt:
  certificate: auto
  tls_insecure: true

This did not change anything, still get error when trying to connect…

I am running out of options… I’d appreciate any help!

Hi! I have a very similar problem. I need to connect home assistant to an external mqtt broker configured with SSL/TLS over port 8883.
My configuration requires no username/password, but a fixed clientID, and all the certificates.
My configuration works perfectly fine when I test it with an external tool like MQTT explorer, but when I use the same data setting up MQTT in home assistant I get an “impossible to connect” error.
I am also not able to find any log concerning the error, so this is proving very difficult to debug.
My configuration:

broker: xxx.amazonaws.com
port: 8883
username: (empty)
password: (empty)
clientId: xxx
Use a client certificate: on (with the certificates added)
Broker certificate validation: off (I tried also custom, with the .pem file, but it does not work either)

Do you have any insight (or at least a way to debug better what is happening?)

Thank you

The certificate: param is the CA certificate you get from them. If you weren’t provided one, then that means that it probably is a CA that’s commonly trusted and setting the CA certificate to Auto should work (Note: the documentation you referenced says to do it in the UI, not YAML). If, however, they use self-signed certificates and don’t provide the CA certificate, then you need to disable CA certificate verification. It used to be that in YAML under mqtt: you would set insecure: true or tls_insecure: true, I don’t remember exactly. Not sure where in the UI it would be.

This is something different altogether. client_cert and client_key are used for certificate authentication. You use this instead of a username and a password. From what it seems the broker you’re trying to connect to is using username and password authentication so don’t even bother with those fields.

Try setting the MQTT broker from the UI as it’s the current way to set up mqtt.
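As an added example (not code from any poster in this thread, and not part of Home Assistant), here is a standard-library Python probe that performs the same verified TLS handshake Home Assistant does with `certificate: auto` (system trust store) or with a provider-supplied CA file, and reports which setting applies instead of falling back to `tls_insecure: true`. The host, port and CA file path are assumptions passed on the command line; the verify-code mapping uses OpenSSL's X509_V_ERR values.

```python
import hashlib
import socket
import ssl

# OpenSSL X509_V_ERR codes relevant to the broker cases in this thread.
UNKNOWN_CA = {18, 19, 20, 21}   # self-signed, or issuer not in the trust store
HOSTNAME_MISMATCH = 62          # chain is fine, but the name on the cert differs

def recommend(verify_code, cafile_given):
    """Map an OpenSSL verify result to the Home Assistant MQTT setting to use."""
    if verify_code == 0:
        return "certificate: auto" if not cafile_given else "certificate: <your CA file>"
    if verify_code in UNKNOWN_CA:
        return "ask the provider for their CA file and use it as certificate:"
    if verify_code == HOSTNAME_MISMATCH:
        return "connect using the hostname listed on the broker certificate"
    return "verify code %d: fix the certificate problem first" % verify_code

def _leaf_der_unverified(host, port, timeout):
    """Fetch the leaf certificate without validation, only so it can be fingerprinted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def probe(host, port=8883, cafile=None, timeout=10):
    """Run the verified handshake HA performs (cafile=None means the system
    trust store, i.e. certificate: auto) and report the outcome as a dict."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    result = {"host": host, "verify_code": 0, "verify_message": "ok"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        result["verify_code"] = exc.verify_code
        result["verify_message"] = exc.verify_message
        der = _leaf_der_unverified(host, port, timeout)
    # Fingerprint so the leaf can be compared with what the provider publishes.
    result["sha256"] = hashlib.sha256(der).hexdigest()
    result["advice"] = recommend(result["verify_code"], cafile is not None)
    return result

if __name__ == "__main__":
    import sys  # usage: probe.py <broker host> [ca.pem]; host is an assumption
    report = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    for key, value in report.items():
        print("%-15s %s" % (key, value))
```

If the probe reports verify code 0 with no CA file, `certificate: auto` in the UI is the right setting; an UNKNOWN_CA result means the broker's CA is private and the provider's CA file is needed, not a locally generated one.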

Sorry to dig up an older thread. Has anyone been able to figure this out? I have no issues connecting to the mqtt server over tls with various mqtt explorers. HASS just doesn’t want to connect. I also can’t see any relevant log information to try to debug this.

In the meantime I just opened up an insecure listener on port 1883 and it works fine. I would just prefer TLS if possible.

Not sure if it’s the same issue but I found this bug report that fixed it for me. Once I turned on advanced settings in my profile they became available in the MQTT configuration UI and I was then able to set check broker certificate to automatic which fixed the issue.