Connection to Mosquitto MQTT Broker Suddenly Stopped Working

Perhaps someone can help me - I am baffled. Home Assistant has just stopped connecting to my MQTT broker - a connection that has worked flawlessly for years. My mobile phone still connects to the same broker as it always did, so does Node Red running on another Pi, but HA always complains ‘Failed to connect’ and the debug logs show:

[546901313728] Error talking to MQTT: The client is not currently connected.
2023-09-13 16:19:12.865 ERROR (MainThread) [homeassistant.components.mqtt.client] Failed to connect to MQTT server due to exception: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)

The connection does not use certificates, just username & password, so I am quite puzzled by the certificate expired message. The broker is a Mosquitto instance running in an AWS hosted cloud instance, and as I mentioned before, has worked fine for years.

The configuration is unchanged for ages
So far I have updated everything (HA 2023.9.2, Supervisor 2023.08.3, Operating System 10.5) running on a Pi4, done a full reboot, and tested with other MQTT clients. Only HA is the issue. How can I debug this?

8883 is typically the port used by MQTT for SSL-enabled connections, thus using a server certificate that seems to be expired.

Maybe your other clients are using port 1883, which is the non-ssl port.

Thank you for the reply - but every client is connecting the same way, over port 8883 with the same credentials and settings. They are all authenticating the same way. Now, it may be possible that HA is the only implementation enforcing the correct approach, but that results in it not connecting.

I guess I have to dig in and find out what certificate may be in use and see if it expired. Any good hints how to do this? I remember when I set this up (years ago) it was more by trial and error until something half-secured worked.

You don’t give us any hint on how/where your broker is hosted :wink:

The first post mentions that the broker is a Mosquitto instance hosted by me on an AWS EC2 instance - more details though - it is running Ubuntu 18.04.6 LTS and Mosquitto version 1.4.15. This works fine from my Android phone using the MQTT Dash app, and from Node Red on the Pi I use to control all the automations.

The phone app is just for testing, writing to individual topics to test the downstream automations. Either HA or the phone app can initiate changes (like turn garden lights on/off, start watering the garden etc.) by publishing to MQTT topics, and the Node Red instance listens and controls the actuators - everything works fine except HA.

Here, for example, is the configuration in Node Red -
Connection details - [screenshot]
Username & password - [screenshot]

This connects fine and works perfectly. The phone app is set to Use SSL/TLS with a self signed certificate.
Again, everything is working just fine except HA decided yesterday that it just won’t connect any more. I am completely stumped.

OK - so this is what seems to have happened. Several months ago I switched DNS provider to DuckDNS, and the Let's Encrypt certificates the Mosquitto broker has were still associated with the old DNS provider. Perhaps these expired yesterday, or my old DNS provider finally removed the service, but in any case certbot could not renew the certificates so these would have expired. I have now switched certbot to use the new DNS, created new certificates, and everything works again.

This may be a bug in HA, though - I had, at my own risk, specifically set the connection to ignore the certificate validity which HA did not.

Thank you for your support anyway, much appreciated.