MQTT Broker Bridge to HiveMQ Cloud

I am trying to make a Bridge between my HASSIO MQTT Broker and the Broker from HiveMQ Cloud, but it isn’t working. It was working before, but after I changed stuff with “topic in …” it stopped working.
Information in [] is filled in with the correct data.

I get an SSL error in the Mosquitto Log when it tries to Connect to HiveMQ:

1633077812: Connecting bridge hivemq ([address]:8883)
1633077812: Bridge hassio1 sending CONNECT
1633077812: OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

My Mosquitto Broker Configuration:

logins: []
customize:
  active: true
  folder: mosquitto
certfile: fullchain.pem
keyfile: privkey.pem
require_certificate: false

I created a file named mosquitto.conf in /share/mosquitto with the following content:
File trustid-x3-root.pem is saved in /share/mosquitto.

# https://mosquitto.org/man/mosquitto-conf-5.html
# For debugging
log_type all
connection hivemq
address [address]:8883
remote_clientid hassio
remote_username [username]
remote_password [password]
start_type automatic
bridge_cafile /share/mosquitto/trustid-x3-root.pem
cleansession true
notifications false
try_private false
bridge_insecure false
topic # in 0

When I publish a message with mqtt-spy to home/test on the HiveMQ Broker (payload: test), nothing is received on home/test on the HASSIO Mosquitto Broker.

What am I doing wrong?

Log on startup:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] mosquitto.sh: executing... 
[10:42:12] INFO: SSL is not enabled
[cont-init.d] mosquitto.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[10:42:13] INFO: Starting NGINX for authentication handling...
[10:42:14] INFO: Starting mosquitto MQTT broker...
1633077734: Loading config file /share/mosquitto/mosquitto.conf
1633077734: mosquitto version 1.6.12 starting
1633077734: |-- *** auth-plug: startup
1633077734: Config loaded from /etc/mosquitto/mosquitto.conf.
1633077734: Loading plugin: /usr/share/mosquitto/auth-plug.so
1633077734:  ├── Username/password checking enabled.
1633077734:  ├── TLS-PSK checking enabled.
1633077734:  └── Extended authentication not enabled.
1633077734: Opening ipv4 listen socket on port 1883.
1633077734: Opening ipv6 listen socket on port 1883.
1633077734: Opening websockets listen socket on port 1884.
1633077734: Warning: Mosquitto should not be run as root/administrator.
1633077734: Connecting bridge hivemq ([address]:8883)
1633077734: Bridge hassio sending CONNECT
1633077734: mosquitto version 1.6.12 running
1633077734: New connection from 127.0.0.1 on port 1883.
1633077734: New connection from 192.168.1.249 on port 1883.
1633077734: Socket error on client <unknown>, disconnecting.
{"result": "ok", "data": {}}1633077734: New client connected from 192.168.1.249 as mosqsub|257-xiaomidafan (p1, c1, k60, u'username').
1633077734: No will message specified.
...
1 Like

Certificate issue, obviously.

What certificate is installed on HiveMQ side?
What does openssl s_client -showcerts -connect [address]:8883 show?

What certificate is installed on HiveMQ side?
Sorry but I have no idea.

openssl s_client -showcerts -connect [address]:8883 shows:

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.s1.eu.hivemq.cloud
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgISA0rhmuusT904pxO9p2EWZG9TMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MTExNzE3MzRaFw0yMTEyMTAxNzE3MzNaMB8xHTAbBgNVBAMM
FCouczEuZXUuaGl2ZW1xLmNsb3VkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEApW7Paww+bHHbD9/zX9gAQpNs1kwk+Tb6igsWDmHFe9F4X4DAhPhe9n4w
uFIq8XGaCEkX4EH1bKGqtwksYMI/izpI4tZNiLEShNxotS+Kqqf7TqRioMnoTzc0
axztPjYOU+fOpxlmM9F532u3gI/dGB5mVbJhmCIPwWgkb2CJ7zK2KEX8WQZlPxM3
hWSXa9BreZ8FZ54qty6Fws/GohYPP/fSJh8u0R7klhhJygIpNdw/1JRK2OlHykO9
85Z29qw4C4HLvIFvHTX/iVxC3nSF9uFNH8rXj8Pis2S669TuS1JCejFVcLxgPAbO
SfLXQMW3rmZVgs1lwFC04scc5kZXfQIDAQABo4ICZDCCAmAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBSlCBv1UXDVuBQvMU5zaNYYdAGZoTAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0
dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzAzBgNVHREELDAqghQqLnMxLmV1LmhpdmVtcS5jbG91ZIISczEuZXUu
aGl2ZW1xLmNsb3VkMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBQYK
KwYBBAHWeQIEAgSB9gSB8wDxAHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdo
mX4i8NcAAAF71hQ4VQAABAMARzBFAiBNuWX3MM+hrmEQ6aRyf9sQFlQ1KnmU6puu
KP4qlQ2GCgIhAIcCa78R190TwFbL/jJeXxXlkpVguLgH0Ym7ec3FgCCIAHcAb1N2
rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF71hQ5ZwAABAMASDBGAiEA
sQiLS9uO6DqCJVGlw+9/gA6BkdFXPgiCshnuocj4olcCIQDkWceCUfQbhj2xHBbo
pCwMxsgCexWWIyzXtSBQM8SJMzANBgkqhkiG9w0BAQsFAAOCAQEAC40VanfjRXqq
oeUU5XQaEC6siicqGpoARRKO3YYCOza4D2Gnmj1/xzjZXDYiucsbwsRJPdS4fikN
ZLnaY/3ClYBkwmUeY3kwqpYN6TPpgw+p1kCNnvlrdAoAEf1ck5Elw7/F+fXfqn8p
4gBGyiwiBrKvitaVXO1c7mo3S13k0SPOaqIQs5yNOCMSm7yLtWKfCHd18KEVmLve
3oJYgL2n+rIqo2N76QZf6/5AO1ApNsLABXqxgyu3uNPxwEhbQreu4uaYdKIDwXxm
o60kKu7z1T93v5M0x9lUZ+yd+3rze4c+cN0YKcKwjm1+FzHl/0wKvsNUz3IIlSj0
AQ/GVCr/6Q==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.s1.eu.hivemq.cloud

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4523 bytes and written 446 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EDB58E8122AD1ABE255C0B749109DC39A78E64F39CD7DFBB5B0D9A00F1BF9E3E
    Session-ID-ctx: 
    Master-Key: 593903E42623BE6D61970B66AB97A94F2228E63D6A36CAC76C8D6BCD61E33C11102DAA816DE4964202DB11B371B13252
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633173235
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

HiveMQ says this:


Which gives me:
mosquitto_pub version 2.0.11 running on libmosquitto 2.0.11.
but the LOG from Hassio when I start the addon shows me:
mosquitto version 1.6.12 starting

HiveMQ also:

And the “you can download the cert from here” is the one you specify on the mosquitto config?
Is that HiveMQ page public?

If you don’t point to HiveMQ via a “*.s1.eu.hivemq.cloud” [address], you’ll also have to add bridge_insecure true

Yes. That’s the cert I specified in the config file.
I think this HiveMQ page is only accessible when logged in, but here is the page:


I use this in my config:
[address].s1.eu.hivemq.cloud:8883

I might be wrong, but the “X3” certificate you have might be the one that famously expired on 30 Sep.
You can try with letsencrypt own root certificate: https://letsencrypt.org/certs/isrgrootx1.pem

1 Like

You saved me. It is working. Amazing. :partying_face:
I would have never solved this.
How often do those certs expire?

Not sure if there are absolute rules, but that one is good until 2035 :wink:

$ openssl x509 -in isrgrootx1.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

BTW, if HiveMQ is actually still proposing the expired one, it might be worth telling them :wink:

2 Likes
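The thread's outcome is worth restating from the bridge's point of view: the `openssl s_client` output above shows a perfectly valid leaf for `*.s1.eu.hivemq.cloud` (issued 11 Sep 2021, expiring 10 Dec 2021), so the `certificate verify failed` error was never about the server. The only anchor Mosquitto was told to trust via `bridge_cafile` was the `trustid-x3-root.pem` file, which by its name looks like IdenTrust's DST Root CA X3, the root that expired on 30 Sep 2021. OpenSSL inside Mosquitto 1.6 will not build a chain to an expired anchor, so a valid server plus an expired trust file still fails. The quickest check on the host is `openssl x509 -in /share/mosquitto/trustid-x3-root.pem -noout -enddate -checkend 0`, but the add-on container does not always ship the `openssl` binary, so here is an added example (not code from the Mosquitto add-on, Mosquitto or HiveMQ) that reads `notBefore`/`notAfter` straight out of a PEM file with the Python standard library, using a minimal DER walk of the `tbsCertificate`. The sample input is the HiveMQ leaf certificate copied from the `s_client` output in this thread; point the script at any file named in `bridge_cafile` to check the anchor the same way.

```python
"""Read notBefore/notAfter out of a PEM certificate with a minimal DER walk.

Added example for this thread; not code from the Mosquitto add-on, Mosquitto
itself or HiveMQ. Standard library only, so it runs wherever bridge_cafile lives.
"""
import base64
import re
from datetime import datetime, timezone

# Sample input: the *.s1.eu.hivemq.cloud leaf certificate exactly as it appears
# in the openssl s_client output in the thread (copied, not generated here).
HIVEMQ_LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgISA0rhmuusT904pxO9p2EWZG9TMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MTExNzE3MzRaFw0yMTEyMTAxNzE3MzNaMB8xHTAbBgNVBAMMFCouczEuZXUuaGl2ZW1xLmNsb3VkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEApW7Paww+bHHbD9/zX9gAQpNs1kwk+Tb6igsWDmHFe9F4X4DAhPhe9n4wuFIq8XGaCEkX4EH1bKGqtwksYMI/izpI4tZNiLEShNxotS+Kqqf7TqRioMnoTzc0
axztPjYOU+fOpxlmM9F532u3gI/dGB5mVbJhmCIPwWgkb2CJ7zK2KEX8WQZlPxM3hWSXa9BreZ8FZ54qty6Fws/GohYPP/fSJh8u0R7klhhJygIpNdw/1JRK2OlHykO9
85Z29qw4C4HLvIFvHTX/iVxC3nSF9uFNH8rXj8Pis2S669TuS1JCejFVcLxgPAbOSfLXQMW3rmZVgs1lwFC04scc5kZXfQIDAQABo4ICZDCCAmAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSlCBv1UXDVuBQvMU5zaNYYdAGZoTAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzAzBgNVHREELDAqghQqLnMxLmV1LmhpdmVtcS5jbG91ZIISczEuZXUuaGl2ZW1xLmNsb3VkMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdo
mX4i8NcAAAF71hQ4VQAABAMARzBFAiBNuWX3MM+hrmEQ6aRyf9sQFlQ1KnmU6puuKP4qlQ2GCgIhAIcCa78R190TwFbL/jJeXxXlkpVguLgH0Ym7ec3FgCCIAHcAb1N2
rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF71hQ5ZwAABAMASDBGAiEAsQiLS9uO6DqCJVGlw+9/gA6BkdFXPgiCshnuocj4olcCIQDkWceCUfQbhj2xHBbo
pCwMxsgCexWWIyzXtSBQM8SJMzANBgkqhkiG9w0BAQsFAAOCAQEAC40VanfjRXqqoeUU5XQaEC6siicqGpoARRKO3YYCOza4D2Gnmj1/xzjZXDYiucsbwsRJPdS4fikN
ZLnaY/3ClYBkwmUeY3kwqpYN6TPpgw+p1kCNnvlrdAoAEf1ck5Elw7/F+fXfqn8p4gBGyiwiBrKvitaVXO1c7mo3S13k0SPOaqIQs5yNOCMSm7yLtWKfCHd18KEVmLve
3oJYgL2n+rIqo2N76QZf6/5AO1ApNsLABXqxgyu3uNPxwEhbQreu4uaYdKIDwXxmo60kKu7z1T93v5M0x9lUZ+yd+3rze4c+cN0YKcKwjm1+FzHl/0wKvsNUz3IIlSj0
AQ/GVCr/6Q==
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_time(tag, raw):
    """Decode a DER UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        naive = datetime.strptime(text, "%y%m%d%H%M%SZ")   # YYMMDDHHMMSSZ (RFC 5280)
    elif tag == 0x18:
        naive = datetime.strptime(text, "%Y%m%d%H%M%SZ")   # YYYYMMDDHHMMSSZ
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return naive.replace(tzinfo=timezone.utc)


def parse_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, pos, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)       # optional [0] EXPLICIT version, else serialNumber
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)     # serialNumber follows the version
    _, _, end = read_tlv(der, end)         # signature AlgorithmIdentifier
    _, _, end = read_tlv(der, end)         # issuer Name
    tag, pos, _ = read_tlv(der, end)       # validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    tag, start, end = read_tlv(der, pos)
    not_before = decode_time(tag, der[start:end])
    tag, start, end = read_tlv(der, end)
    not_after = decode_time(tag, der[start:end])
    return not_before, not_after


def check_window(pem, at=None):
    """Classify a certificate as valid / expired / not yet valid at `at` (ISO 8601 with offset, or now)."""
    not_before, not_after = parse_validity(pem_to_der(pem))
    now = datetime.fromisoformat(at) if at else datetime.now(timezone.utc)
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    return {"not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "status": status, "days_left": (not_after - now).days}


if __name__ == "__main__":
    # With no argument, checks the leaf from the thread; pass a path to check e.g. bridge_cafile.
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else HIVEMQ_LEAF_PEM
    print(check_window(pem))
```

Running it against the file in `bridge_cafile` is the check that would have pointed at the real cause straight away: the leaf reports `valid` on 1 Oct 2021 while a DST Root CA X3 file reports `expired`. The design point is that Mosquitto verifies the whole chain against the anchors you configure, so every file named in `bridge_cafile` or `bridge_capath` needs the same expiry check you would give the server, and swapping the anchor for the self-signed ISRG Root X1 (valid until 2035, as the `openssl x509` output above shows) is the fix rather than `bridge_insecure true`, which would only silence the hostname check and not the chain verification.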