MQTT Broker Bridge to HiveMQ Cloud

naitsimp · October 1, 2021, 8:47am

I am trying to make a Bridge between my HASSIO MQTT Broker and the Broker from HiveMQ Cloud, but it isn’t working. It was working before, but after I changed stuff with “topic in …” it stopped working.
Informaroin in [] is filled in witht he correct data.

I get a SSL error in the Mosquitto Log when it tries to Connect to HiveMQ:

1633077812: Connecting bridge hivemq ([address]:8883)
1633077812: Bridge hassio1 sending CONNECT
1633077812: OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

My Mosquitto Broker Configuration:

logins: []
customize:
  active: true
  folder: mosquitto
certfile: fullchain.pem
keyfile: privkey.pem
require_certificate: false

I created a file named mosquitto.conf in /share/mosquitto with the following content:
File trustid-x3-root.pem is saved in /share/mosquitto.

# https://mosquitto.org/man/mosquitto-conf-5.html
# For debugging
log_type all
connection hivemq
address [address]:8883
remote_clientid hassio
remote_username [username]
remote_password [password]
start_type automatic
bridge_cafile /share/mosquitto/trustid-x3-root.pem
cleansession true
notifications false
try_private false
bridge_insecure false
topic # in 0

When I publish a message with mqtt-spy to home/test with a message: test on HiveMQ Broker nothing is received on home/test on HASSIO mosquitto Broker.

What am I doing wrong?

Log on startup:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] mosquitto.sh: executing... 
[10:42:12] INFO: SSL is not enabled
[cont-init.d] mosquitto.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[10:42:13] INFO: Starting NGINX for authentication handling...
[10:42:14] INFO: Starting mosquitto MQTT broker...
1633077734: Loading config file /share/mosquitto/mosquitto.conf
1633077734: mosquitto version 1.6.12 starting
1633077734: |-- *** auth-plug: startup
1633077734: Config loaded from /etc/mosquitto/mosquitto.conf.
1633077734: Loading plugin: /usr/share/mosquitto/auth-plug.so
1633077734:  ├── Username/password checking enabled.
1633077734:  ├── TLS-PSK checking enabled.
1633077734:  └── Extended authentication not enabled.
1633077734: Opening ipv4 listen socket on port 1883.
1633077734: Opening ipv6 listen socket on port 1883.
1633077734: Opening websockets listen socket on port 1884.
1633077734: Warning: Mosquitto should not be run as root/administrator.
1633077734: Connecting bridge hivemq ([address]:8883)
1633077734: Bridge hassio sending CONNECT
1633077734: mosquitto version 1.6.12 running
1633077734: New connection from 127.0.0.1 on port 1883.
1633077734: New connection from 192.168.1.249 on port 1883.
1633077734: Socket error on client <unknown>, disconnecting.
{"result": "ok", "data": {}}1633077734: New client connected from 192.168.1.249 as mosqsub|257-xiaomidafan (p1, c1, k60, u'username').
1633077734: No will message specified.
...

koying · October 2, 2021, 8:48am

Certificate issue, obviously.

What certificate is installed on HiveMQ side?
What does openssl s_client -showcerts -connect [address]:8883 show?

naitsimp · October 2, 2021, 11:28am

What certificate is installed on HiveMQ side?
Sorry but I have no idea.

openssl s_client -showcerts -connect [address]:8883 shows:

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.s1.eu.hivemq.cloud
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgISA0rhmuusT904pxO9p2EWZG9TMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MTExNzE3MzRaFw0yMTEyMTAxNzE3MzNaMB8xHTAbBgNVBAMM
FCouczEuZXUuaGl2ZW1xLmNsb3VkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEApW7Paww+bHHbD9/zX9gAQpNs1kwk+Tb6igsWDmHFe9F4X4DAhPhe9n4w
uFIq8XGaCEkX4EH1bKGqtwksYMI/izpI4tZNiLEShNxotS+Kqqf7TqRioMnoTzc0
axztPjYOU+fOpxlmM9F532u3gI/dGB5mVbJhmCIPwWgkb2CJ7zK2KEX8WQZlPxM3
hWSXa9BreZ8FZ54qty6Fws/GohYPP/fSJh8u0R7klhhJygIpNdw/1JRK2OlHykO9
85Z29qw4C4HLvIFvHTX/iVxC3nSF9uFNH8rXj8Pis2S669TuS1JCejFVcLxgPAbO
SfLXQMW3rmZVgs1lwFC04scc5kZXfQIDAQABo4ICZDCCAmAwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBSlCBv1UXDVuBQvMU5zaNYYdAGZoTAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0
dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzAzBgNVHREELDAqghQqLnMxLmV1LmhpdmVtcS5jbG91ZIISczEuZXUu
aGl2ZW1xLmNsb3VkMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBQYK
KwYBBAHWeQIEAgSB9gSB8wDxAHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdo
mX4i8NcAAAF71hQ4VQAABAMARzBFAiBNuWX3MM+hrmEQ6aRyf9sQFlQ1KnmU6puu
KP4qlQ2GCgIhAIcCa78R190TwFbL/jJeXxXlkpVguLgH0Ym7ec3FgCCIAHcAb1N2
rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF71hQ5ZwAABAMASDBGAiEA
sQiLS9uO6DqCJVGlw+9/gA6BkdFXPgiCshnuocj4olcCIQDkWceCUfQbhj2xHBbo
pCwMxsgCexWWIyzXtSBQM8SJMzANBgkqhkiG9w0BAQsFAAOCAQEAC40VanfjRXqq
oeUU5XQaEC6siicqGpoARRKO3YYCOza4D2Gnmj1/xzjZXDYiucsbwsRJPdS4fikN
ZLnaY/3ClYBkwmUeY3kwqpYN6TPpgw+p1kCNnvlrdAoAEf1ck5Elw7/F+fXfqn8p
4gBGyiwiBrKvitaVXO1c7mo3S13k0SPOaqIQs5yNOCMSm7yLtWKfCHd18KEVmLve
3oJYgL2n+rIqo2N76QZf6/5AO1ApNsLABXqxgyu3uNPxwEhbQreu4uaYdKIDwXxm
o60kKu7z1T93v5M0x9lUZ+yd+3rze4c+cN0YKcKwjm1+FzHl/0wKvsNUz3IIlSj0
AQ/GVCr/6Q==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.s1.eu.hivemq.cloud

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4523 bytes and written 446 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: EDB58E8122AD1ABE255C0B749109DC39A78E64F39CD7DFBB5B0D9A00F1BF9E3E
    Session-ID-ctx: 
    Master-Key: 593903E42623BE6D61970B66AB97A94F2228E63D6A36CAC76C8D6BCD61E33C11102DAA816DE4964202DB11B371B13252
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633173235
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

HiveMQ says this:

Which gives me:
mosquitto_pub version 2.0.11 running on libmosquitto 2.0.11.
but the LOG from Hassio when I start the addon shows me:
mosquitto version 1.6.12 starting

HiveMQ also:

koying · October 2, 2021, 11:50am

And the “you can download the cert from here” is the one you specify on the mosquitto config?
Is that HiveMQ page public?

If you don’t point to HiveMQ via a “*.s1.eu.hivemq.cloud” [address], you’ll also have to add bridge_insecure true

naitsimp · October 2, 2021, 1:34pm

Yes. Thats the cert I specified in the config file.
I think this HiveMQ page is only accessable when logged in but here is the page:

I use this in my config:
[address].s1.eu.hivemq.cloud:8883

koying · October 2, 2021, 2:53pm

I might be wrong, but the “X3” certificate you have might be the one that famously expired on 30 sep.
You can try with letsencrypt own root certificate: https://letsencrypt.org/certs/isrgrootx1.pem

naitsimp · October 2, 2021, 3:00pm

You saved me. It is working. Amazing.
I would have never solved this.
How often do those certs expire?

koying · October 2, 2021, 3:19pm

Not sure if there are absolute rules, but that one is good until 2035

$ openssl x509 -in isrgrootx1.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

BTW, if HiveMQ is actually still proposing the expired one, it might be worth telling them