MQTT ERROR Unrecognised command 16

litronics · September 18, 2023, 4:14pm

Hi,

I am new to HA and try to get my existing MQTT broker connected to HA.

When I install the MQTT Integration I always the the error message that the connection failed and in the logs I find the entry:

ERROR (Thread-15 (_thread_main)) [paho.mqtt.client] Error: Unrecognised command 16

I did some research and found that my broker seems to send an irregular connect message.

My broker is a up to date Mosquitto container running the version “mosquitto version 2.0.17”
The configuration is straight forward:

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log

listener 1883 0.0.0.0
cafile /mosquitto/config/ssl/....
certfile /mosquitto/config/ssl/....
keyfile /mosquitto/config/ssl/....
dhparamfile /mosquitto/config/ssl/dhparam.pem
tls_version tlsv1.3
password_file /mosquitto/config/passwd_file
allow_anonymous false

Using MQTT Explorer I am able to connect to my broker - but HA does not

Any ideas what’s wrong with my configuration?
Thanks
Stefan

krskrab · September 18, 2023, 4:20pm

Mosquitto broker - Current version: 6.3.1

francisp · September 18, 2023, 4:34pm

Latest version is 2.0.17

https://mosquitto.org/blog/categories/releases/

The version of the add-on has nothing to do with the version of the mosquitto packaged inside.

litronics · September 18, 2023, 6:43pm

I also looked at the mosquitto logs and found an interesting error:

Client connection from 192.168.178.xx failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version.

I thought that would be easily solved by configuring the required tls version down to tls1.1 - but this doesn’t solve the issue.

Error messages on both sides don’t change. Are there any possibilities to doublecheck if HA would generally be able to connect to my tls encrypted mqtt broker?

litronics · September 19, 2023, 2:21pm

I finally found the issue and for those stumbling upon this issue, here the solution.

The error messages on both sides are really irritating, because they have nothing to do with the real issue.

Basically the issue is related to the certificates used for TLS encryption and not the used TLS version. To be more precise - the certificate provided by the MQTT server is signed by my intermediate CA which is trusted by the underlying OS in the HA container as well as HA (certify). However this is not enough for the MQTT integration and the connection has been denied due to validation issues.

Activating “Ignore broker certificate validation” didn’t made any difference. I assumed that this would just ignore any validation issues with the certificate and even would accept self-signe ssl certs. But it didn’t

To finally establish the connection to my MQTT broker I had to configure the “Broker certificate validation” to “Custom” and upload my intermediate CA certificate from the trust chain.

I don’t know what error message is provided by the used TLS library - but it would have been much easier to get a meaningful error message like: “There was an error verifying the certificate” and not “Unrecognized command 16”.