ESPHome remote device using HA Mosquitto MQTT addon over TLS secured connection

Hi all,

I’m using the (latest) Home Assistant Operating System that has LetsEncrypt, ESPHome and Mosquitto MQTT add-ons. Everything is up-to-date.

Home Assistant is accessible on its own fully qualified domain name and has a certificate installed using LetsEncrypt.

I have an esp32-s3-devkitc-1 development kit with some temperature sensors attached to it. I would like to install this device at remote locations, therefore it needs to send the temperature readings using MQTT. This works.

Next step is to secure the MQTT messages using TLS. I’ve read MQTT Client Component — ESPHome and generated self-signed CA and server certificates using the following commands (on a different Linux box):

  1. Create CA key: sudo openssl genrsa -des3 -out ca.key 2048
  2. Create Self Signed CA Certificate: sudo openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
  3. Create Server key: sudo openssl genrsa -out server.key 2048
  4. Create Server Certificate Request: sudo openssl req -new -out server.csr -key server.key
  5. Create Self Signed Server Certificate: sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

The hostname used in the certificate generation above is the same as the domain name used for LetsEncrypt.

I copied the files ca.crt, server.key and server.crt to the ssl folder on the Home Assistant box and changed the Mosquitto yaml to:

logins: []
require_certificate: true
certfile: server.crt
keyfile: server.key
customize:
  active: false
  folder: mosquitto
cafile: ca.crt

On the ESPHome device I’m using the configuration:

esphome:
  name: "myespdevice"

esp32:
  board: esp32-s3-devkitc-1
  framework:
    type: esp-idf

# Enable logging
logger:

# Enable Home Assistant MQTT
mqtt:
  broker: <redacted / same hostname used for LetsEncrypt.>
  port: 8883
  skip_cert_cn_check: false
  idf_send_async: false
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    <redacted>
    -----END CERTIFICATE-----

ota:
  password: "<redacted>"

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

  # Enable fallback hotspot (captive portal) in case wifi connection fails
  ap:
    ssid: "myespdevice"
    password: "u74VGrt64CL0K8"

.... other sensor stuff ....

The ESP device keeps reporting:

INFO Successfully reconnected to the MQTT server

Mosquitto MQTT logs:

Client connection from 10.42.10.15 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

or

OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

I’m probably missing something, but can’t seem to find what. Help is appreciated in getting the communication (preferably without any proxies) secured.

Thanks.

It’s poorly documented on the addon side (I actually think it’s plain wrong :wink: ), but this means you require a client certificate from ESP, which is not what you want.

From mosquitto.conf man page | Eclipse Mosquitto

Hi Koying,

Thank you for your reply. I changed require_certificate to false and added a login to the Mosquitto configuration and restarted it. I added the username and password to the ESPHome device configuration as well, and that results in the following log output in Mosquitto:

2023-03-22 10:29:27: New connection from 192.168.1.35:51273 on port 8883.
2023-03-22 10:29:43: Client <unknown> disconnected: Protocol error.
2023-03-22 10:29:43: Client connection from 192.168.1.35 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
2023-03-22 10:29:43: New connection from 192.168.1.35:40361 on port 8883.
2023-03-22 10:30:15: Client <unknown> disconnected: Protocol error.
2023-03-22 10:30:15: New connection from 192.168.1.35:59345 on port 8883.
2023-03-22 10:30:15: OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

IP 192.168.1.35 is the local (internal) address of the HA and Mosquitto machine.

Any ideas?
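A small standard-library Python helper, added here as an example and not part of this thread or of the Mosquitto/ESPHome add-ons: it triages the two OpenSSL handshake errors quoted above from the broker log, and separately connects to a broker the way the ESP is supposed to (trusting only ca.crt and checking the hostname) so the 8883 listener can be verified independently of ESPHome. The host, port and ca.crt path are assumptions to adjust; the log sample is constructed from the lines posted in this thread.

```python
import re
import socket
import ssl
# Constructed sample modelled on the broker log lines quoted in this thread.
SAMPLE_LOG = """\
2023-03-22 10:29:27: New connection from 192.168.1.35:51273 on port 8883.
2023-03-22 10:29:43: Client <unknown> disconnected: Protocol error.
2023-03-22 10:29:43: Client connection from 192.168.1.35 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
2023-03-22 10:30:15: OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
"""
# Usual cause of each OpenSSL handshake error when the client is an ESPHome node.
TLS_ERROR_HINTS = {
    "wrong version number": "client sent plaintext MQTT to the TLS listener "
    "(no TLS on the device, or TLS port used without certificate_authority)",
    "peer did not return a certificate": "listener has require_certificate true "
    "but the client sent no client cert (use logins, or give the device one)",
}
LOG_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): )?"
    r"(?:Client connection from (?P<ip>[\d.]+) failed: |OpenSSL Error\[\d+\]: )"
    r"error:[0-9A-Fa-f]+:SSL routines:\w+:(?P<reason>.+)$"
)

def diagnose_log(lines):
    """Return (timestamp, client_ip, hint) for every TLS handshake failure."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = m.group("reason").rstrip(".").lower()
        hint = TLS_ERROR_HINTS.get(reason, "unrecognised TLS error: " + reason)
        findings.append((m.group("ts") or "", m.group("ip") or "", hint))
    return findings

def check_broker_tls(host, port=8883, cafile="ca.crt", timeout=5.0):
    """Connect as the ESP should (trust only cafile, check hostname); return cert info."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert, version = tls.getpeercert(), tls.version()
    return {"tls_version": version, "not_after": cert["notAfter"],
            "subject": dict(rdn[0] for rdn in cert["subject"]),
            "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]}

if __name__ == "__main__":
    for ts, ip, hint in diagnose_log(SAMPLE_LOG.splitlines()):
        print(ts or "-", ip or "-", hint)
```

If check_broker_tls raises ssl.SSLError for hostname mismatch, the server certificate does not carry the broker's FQDN; if it returns normally, the listener side is fine and the problem is on the device.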

Hi Chris,

Did you have any luck getting it to work? Running into the same issue as you.

thanks!