MQTT bridge to Victron Venus OS with Mosquitto Add-on using SSL connection

Hello everyone, I would like to kindly ask for help with my struggle:

I am trying to make an MQTT bridge to a Victron Cerbo GX with the HA Mosquitto Add-on using an SSL connection.

The key requirements:

  • use SSL
  • use password authentication

Note:

  • Venus OS 3.50 with MQTT SSL/password auth support
  • it works on insecure connection using 1883
  • it works when not using password authentication
  • I am trying to make this work for several months - I’ve been waiting for Victron firmware updates every month to see if they already implemented password-protected MQTT communication, was trying to achieve this with previous firmwares, manual mqtt service mods inside Venus over SSH
  • I’ve read dozens of threads on the internet, followed many different guides, but none of them utilized the SSL+password protected connection
  • Connecting to Cerbo using MQTT explorer, with TLS:on, Verify:off and using username/password works perfectly
  • I’ve tried to solve this issue with Victron community (Where to get CA certificate for Venus SSL self-signed certificate - Modifications - Victron Community), but it seems that since the MQTT communication works in another software (MQTT explorer), the problem will be in HA Mosquitto.

The issue:
When Mosquitto tries to connect to Victron, the connection fails on SSL certificate verification. The Victron (Venus) SSL certificate is self-signed and has no CA in the chain.

To overcome the verification issues, I tried:

  • set the bridge_insecure option
  • set the bridge_cafile / bridge_capath options
  • reconfigure MQTT device / Mosquitto Add-on in HA, switch different “verify key” or similar options

I use the SSL certificate from Venus https/SSL, downloaded using a browser.

Here is the bridge configuration file:

connection victron

address 192.168.1.15:8883

remote_username victron
remote_password **************

bridge_insecure true

# Just for reference - the various options I tried to combine:
#bridge_cafile /share/mosquitto/certs/venus-ca.crt
#bridge_certfile /share/mosquitto/certs/venus-ca.crt
#bridge_capath /etc/ssl/certs
#bridge_tls_version tlsv1.3
#bridge_protocol_version mqttv311

topic N/# in 0 victron/ 
#topic R/# out 0 victron/ 
#topic W/# out 0 victron/
#topic # both 0

When I set:

bridge_insecure true

I get this in Mosquitto Add-on log:

2024-11-02 21:19:56: Connecting bridge victron (192.168.1.15:8883)
2024-11-02 21:19:56: Client local.core-mosquitto.victron closed its connection.

When I set:

bridge_insecure false
bridge_cafile /share/mosquitto/certs/venus-local-chain.crt

I get this in Mosquitto Add-on log:

2024-11-02 21:21:34: Connecting bridge victron (192.168.1.15:8883)
2024-11-02 21:21:34: OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-11-02 21:21:34: Bad socket read/write on client local.core-mosquitto.victron: A TLS error occurred.

Any ideas how to make this work? Did anyone make a bridge connection with a self-signed certificate?
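As an added diagnostic (not part of the original post, nor code from Mosquitto or Venus OS), this Python script fetches the certificate the broker really presents on the MQTT TLS port, saves it as PEM, and then repeats the handshake with that file as the only trust anchor and hostname checking disabled, which is what Mosquitto does with bridge_cafile plus bridge_insecure (bridge_insecure alone only skips the hostname check; without bridge_cafile/bridge_capath the bridge does not enable TLS at all). The host, port 8883 and the output path are assumptions; a certificate downloaded from the HTTPS port only helps if the broker on 8883 serves the same one.

```python
import socket
import ssl
import sys


def rdn_to_str(name) -> str:
    """Flatten the nested tuples getpeercert() uses for subject/issuer into 'k=v,k=v'."""
    return ",".join(f"{k}={v}" for rdn in name for k, v in rdn)


def is_self_signed(cert: dict) -> bool:
    """Issuer equal to subject means the certificate is its own trust anchor:
    the cafile must then contain this very certificate, not a separate CA."""
    return cert.get("subject") == cert.get("issuer")


def fetch_peer_cert_pem(host: str, port: int = 8883) -> str:
    """Grab the certificate the broker presents on the MQTT TLS port without
    verifying it (we only want to see it, not trust it yet)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def verify_against(host: str, port: int, cafile: str) -> tuple[bool, object]:
    """Handshake the way a Mosquitto bridge with bridge_cafile + bridge_insecure does:
    chain verified against cafile, hostname check skipped (the bridge connects by IP)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()  # parsed dict, only available when verified
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message  # OpenSSL's reason, e.g. "self-signed certificate"


if __name__ == "__main__":
    # Assumed usage: python3 check_broker_cert.py 192.168.1.15 /share/mosquitto/certs/venus-8883.crt
    host, out_path = sys.argv[1], sys.argv[2]
    with open(out_path, "w") as f:
        f.write(fetch_peer_cert_pem(host))
    ok, detail = verify_against(host, 8883, out_path)
    if ok:
        print("verifies; self-signed:", is_self_signed(detail), "subject:", rdn_to_str(detail["subject"]))
    else:
        print("verify failed:", detail)
```

If the second handshake verifies, the saved file is what bridge_cafile should point at; if it fails, the printed OpenSSL reason is the same one the add-on log would show.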
