I am having trouble connecting two HA instances with certificates via MQTT

Firstly, I apologize if this has already been discussed elsewhere. I’ve seen a lot of discussions and blog posts covering similar topics and parts of my particular setup but I’m having trouble finding discussion of my precise setup.

I currently have two HA setups running in my house. My main instance is connected via ethernet inside my house and the second is in my garage in order to manage my Z-Wave garage door sensors and Shelly switches that I’m going to be installing to control my garage doors. I was not getting a reliable connection when I had my main instance controlling the Z-Wave. I generated a self-signed root certificate so that I could create the certificates and keys to run each of the instances using https.

I’m trying to connect the two instances via MQTT so that I can use the main instance as the controller sending and receiving MQTT messages between it and the instance in my garage. To start, I set up an MQTT broker using the Mosquitto broker Add-on and then configure the MQTT integration on the main instance to connect to this broker. The broker is set up to reference the certificate and key files that I generated for the main instance and when I test that in the MQTT integration, it appears to be working within that single instance. I am able to subscribe to a topic and I see messages published to this topic appear.

The problem comes when I try to set up the integration on the second instance. My understanding is that I should only need to set up a single broker and can set this up to run on either instance. In my case, I have configured it to run on the main instance. I then use the MQTT integration on the second instance to try to connect to the MQTT broker on the main instance but I have been unable to get this connection to succeed. I receive this message.

One additional thing that I noticed is that I assumed when connecting on the main instance that I would need to specify the client and CA certificates as well as the client key. If this is true, I also assumed that I did not need to specify a user and password but this didn’t seem to be the case. In order to connect the main instance’s MQTT integration to the broker, I did not need to specify any certificates and in fact couldn’t connect unless I provided the user and password. Maybe this is because they’re running on the same instance. Does that make sense?

I assume that when configuring the second instance, I should specify the broker as the IP address of the main instance. I have also tried specifying what I believe to be the IP address of the broker itself and putting in the name of the broker. None of these appear to work. Can anyone confirm what exactly I should be entering for the broker in the MQTT integration on the second instance?

For the certificates, I’m specifying the client certificates as the certificate and key that I generated for the second instance. I used the same root certificate to generate the certificates for both instances so I also specify that as a custom broker certificate in the integration. Obviously, this isn’t working.

I also can’t connect the second instance’s integration to the broker by specifying the username and password that I used to connect the main instance’s integration to the broker.

So, I’m assuming that I am not doing something correctly with the certificates and that that is breaking my ability to connect. I could try disabling all the certificates and not use SSL to see if I’m able to then connect at least by using the username and password, but I’m wondering if there’s anything obviously wrong in my setup that someone who is more experienced in certificates and MQTT can point out to me.

Sorry for the novel; I’m trying to include as much info as possible to set the context so hopefully it’s not overkill. Does anyone have any suggestions as to what I’m doing wrong?

Here is the configuration that I am trying to use with the MQTT integration on the second instance when trying to connect to the broker running on the main instance.

Sorry, I couldn’t post all the pictures in the original post on account of being a new member to the forum.
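The two behaviours described above (the main instance connecting with only a username and password, and the expectation that client certificates would replace the password) correspond to two different broker listener setups. This is an added illustration in plain mosquitto.conf syntax, not the poster's configuration and not the Mosquitto add-on's own option names; the paths, ports and hostnames are hypothetical placeholders.

```conf
# Added illustration; paths and names are placeholders, not the poster's values.
# Lets each listener carry its own authentication settings.
per_listener_settings true

# Listener 1: TLS protects the transport only; clients still log in with a
# username and password. This matches what the poster saw on the main instance:
# no client certificate needed, but the connection is refused without a login.
listener 8883
cafile   /ssl/rootCA.crt
certfile /ssl/broker.crt       # CN/SAN must match the address clients type in
keyfile  /ssl/broker.key
allow_anonymous false
password_file /mosquitto/passwd

# Listener 2: mutual TLS; the client certificate is the credential.
# The client cert must be signed by cafile, and its CN becomes the MQTT
# username, so no password is exchanged (an ACL can still restrict that name).
listener 8884
cafile   /ssl/rootCA.crt
certfile /ssl/broker.crt
keyfile  /ssl/broker.key
require_certificate true
use_identity_as_username true
```

The point for the thread: unless the listener has `require_certificate` and `use_identity_as_username` set, supplying client certificates in the integration adds nothing to authentication, and the username/password is still required; the certificate fields then only matter for verifying the broker's own certificate against the custom root.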

One more:

Taking another look at generating the certificates and keys for the broker and the clients, I suspect that I probably made a mistake somewhere in there and didn’t use the correct common name for the server or something like that.

So, I started fresh and got this working by disabling the certificates requirement so I at least know all that is set up correctly. Now I just need to debug the certificates.

For whatever it’s worth, I followed the instructions here: Self Signed Certificate with Custom Root CA for Home Assistant · GitHub
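The suspicion above (wrong common name for the server) can be checked without touching Home Assistant. This is an added example, not the poster's commands and not the linked gist: it builds a throwaway root CA, a broker certificate whose Subject Alternative Name lists both the hostname and the IP that a client might type into the integration, and a client certificate, then runs the two checks that a client's TLS handshake performs against the broker: does the certificate chain to the custom root, and is it valid for the address used. The hostname `homeassistant.local`, the address `192.168.1.10` and the client name `garage` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script or the linked gist). Names and addresses
# below are hypothetical placeholders.
set -e

BROKER_NAME=homeassistant.local   # hypothetical hostname of the main instance
BROKER_IP=192.168.1.10            # hypothetical LAN address of the main instance

# gen_certs DIR: root CA, broker cert (SAN with name and IP), client cert.
gen_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Home Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  # Broker cert: clients check the SAN, so list every address they will use.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$BROKER_NAME" \
    -keyout "$d/broker.key" -out "$d/broker.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$BROKER_NAME" "$BROKER_IP" > "$d/broker.ext"
  openssl x509 -req -days 365 -in "$d/broker.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/broker.ext" -out "$d/broker.crt" >/dev/null 2>&1
  # Client cert for the garage instance; its CN is the identity a broker with
  # use_identity_as_username would treat as the MQTT username.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=garage" \
    -keyout "$d/garage.key" -out "$d/garage.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$d/garage.ext"
  openssl x509 -req -days 365 -in "$d/garage.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/garage.ext" -out "$d/garage.crt" >/dev/null 2>&1
}

# chain_ok DIR CERT: succeeds if CERT was issued by DIR/ca.crt, i.e. what the
# "custom broker certificate" given to the integration would be checked against.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1; }

# host_matches DIR NAME / ip_matches DIR IP: succeeds if the broker cert is valid
# for the address a client types in. A certificate issued for a hostname does not
# cover the bare IP and vice versa, which is the usual cause of "works by name,
# fails by IP" (or the reverse).
host_matches() { openssl x509 -in "$1/broker.crt" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'; }
ip_matches()   { openssl x509 -in "$1/broker.crt" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'; }

WORK=$(mktemp -d)
gen_certs "$WORK"
for c in broker.crt garage.crt; do
  if chain_ok "$WORK" "$c"; then echo "$c: chains to ca.crt"; else echo "$c: NOT signed by ca.crt"; fi
done
for addr in "$BROKER_NAME" "$BROKER_IP" 192.168.1.99; do
  if host_matches "$WORK" "$addr" || ip_matches "$WORK" "$addr"; then
    echo "broker.crt is valid for $addr"
  else
    echo "broker.crt is NOT valid for $addr (add it to the SAN and reissue)"
  fi
done
rm -rf "$WORK"
```

Run the same two checks against the real files: `openssl verify -CAfile rootCA.crt broker.crt` for the chain, and `openssl x509 -in broker.crt -noout -checkhost <name>` or `-checkip <address>` with exactly the value entered as the broker in the integration. If the second check reports "does NOT match", the broker certificate has to be reissued with that name or address in its SAN; no change on the client side will make the handshake accept it.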

This HACS integration might suit you.

Thanks! I’ve actually got this configured at the moment but I was hoping to be able to get MQTT going instead, partly just to understand how MQTT works a little better.

Is there a practical advantage of using the remote_homeassistant component as opposed to MQTT other than simplicity of configuring it? I’m curious if one or the other is generally considered to be a better solution, assuming either could be configured without significant technical difficulty.

To be honest I don’t use either, so I can’t personally say which is better/reliable/etc.

The main difference would be no broker required for remote home assistant, as it uses the API I think.

So

Ha1 <–> broker <–> Ha2

Vs

Ha1 <-api-> Ha2

It’s probably the same overhead and almost the same speed in practice though.