[solved] Connect HA to mqtt broker with tls / ca.crt?

Hi everybody,

I finally made the switch to an mqtt broker with self-signed certificates. Tried multiple times before without success, this tutorial finally got me through it.
Here is my little test environment

  • my pc running mosquitto
  • nodeMCU with tasmota and MQTT_TLS enabled
  • Home Assistant running on my pc in a venv
  • MQTTExplorer for testing my connection

I can connect to my mqtt broker from my computer using the ca.crt. I used tasmota-fingerprint to calculate the checksum of the ca.crt file; when I build the tasmota binary, I added the fingerprint to the my_user_config.h file. After compiling and flashing it, it would, indeed, connect to my mqtt broker. So the fingerprint, and therefore the ca.crt file, must be able to connect to my mqtt broker.

Same with MQTTExplorer; it will take the ca.crt and then successfully connect to my broker.

As the nodeMCU (tasmota) is connected via wifi, I also know that accessing the mqtt broker from a device other than my pc is possible (which shouldn’t really matter as Home Assistant is running in a virtual environment on that very pc, just thought I’d mention it anyway).

My configuration.yaml contains this

# (...)
mqtt:
  broker: <my-ip>
  port: 8883
  username: very_user
  password: much_secret
  certificate: /home/me/.homeassistant/cert/ca.crt
  discovery: true
  discovery_prefix: homeassistant
# (...)

homeassistant:
  whitelist_external_dirs:
    - /home/me/.homeassistant/cert

I don’t believe the whitelist_external_dirs is necessary at all! I added it later to see whether it would make a difference… but it didn’t!

When I check my config, it finds the ca.crt. When I spell it incorrectly on purpose (i.e. /home/me/.homeassistant/cert/caaaa.crt), it will throw an error. When it is spelled correctly, I don’t get an error about my config, so it seems to be able to locate and use the file as well.

However, when I (re)start Home Assistant, I will get this in my mosquitto output

New connection from <my-ip> on port 8883.
OpenSSL Error: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Socket error on client <unknown>, disconnecting.

It took me quite a while to get this working, so I am sure I just missed a little thing and Home Assistant will accept the ca.crt - or there will be another way to connect it to my broker. But right now I cannot figure it out.

I tried creating client_key and client_cert files as well (as suggested here), but it did not make a difference. While it would accept those files, it would still not connect to the mqtt broker using them.

When I tried connecting to my broker via MQTTExplorer before, the broker would throw errors as well. That was because I had to specifically tell it to use tls_version tlsv1.2 in the /etc/mosquitto/mosquitto.conf file. After adding that line, MQTTExplorer was able to connect; I don’t know if tasmota would have worked without it, as I flashed the nodeMCU after being able to connect to the broker.

Any help is greatly appreciated :slight_smile: I finally want to secure my Home Assistant (and all the services we use locally) as much as possible. Perhaps I can finally open up some ports to the internet then, so that people in this household other than myself can control things without having to use a VPN server, which seems to be such a hassle to some :wink:

Thank you for your ideas :slight_smile:

Solved. I had to add

tls_insecure: true
tls_version: "1.2"

to my config. Before this it would not accept the mqtt server, as it was an IP address (not a tld). Now it works.

1 Like
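Editor's note on the fix above: `tls_insecure: true` tells Home Assistant's MQTT client to stop checking that the broker's certificate actually names the host it dialled (the CA check still runs). The "bad certificate" alert in the mosquitto log is the client rejecting a server certificate that has nothing matching the IP in `broker:`. The cleaner fix is to issue the broker a certificate whose Subject Alternative Name carries that IP, after which `tls_insecure` can be left at its default. The script below is an added example, not code from the original post or from Home Assistant/mosquitto: it builds a private CA, signs one server certificate without a SAN and one with `IP:192.168.1.10` (a constructed address; `mqtt.lan` is likewise a placeholder), and then checks each the way a TLS client does, chain plus peer identity, with `openssl verify -verify_ip`. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: why a broker reached by IP needs that IP in the certificate SAN.
# 192.168.1.10 and mqtt.lan are constructed placeholders; substitute the value
# you put in Home Assistant's `broker:` option.
set -eu

BROKER_IP="192.168.1.10"          # constructed; the address HA connects to
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA. ca.crt is the file that goes into HA's `certificate:` option.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Home MQTT CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and CSR for mosquitto. The CN alone is not enough: clients
#    matching an IP address look only at the subjectAltName extension.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=mosquitto" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3a. The mistake: sign the CSR with no SAN at all.
openssl x509 -req -sha256 -days 825 -CAcreateserial \
  -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -out "$WORK/server-nosan.crt" 2>/dev/null

# 3b. The fix: sign with a SAN that names the broker's IP (plus a DNS name
#     if one exists). These two files go into mosquitto's certfile/keyfile.
printf 'subjectAltName=IP:%s,DNS:mqtt.lan\nextendedKeyUsage=serverAuth\n' \
  "$BROKER_IP" > "$WORK/san.ext"
openssl x509 -req -sha256 -days 825 -CAcreateserial \
  -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null

# Mimic a TLS client: verify the chain against ca.crt AND check that the
# certificate is valid for the IP that was dialled. Prints "ok" or "fail".
#   $1 = certificate file, $2 = IP address the client connected to
verify_as_client() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone demonstration of the three cases.
echo "SAN cert, correct IP:   $(verify_as_client "$WORK/server.crt" "$BROKER_IP")"
echo "no-SAN cert, same IP:   $(verify_as_client "$WORK/server-nosan.crt" "$BROKER_IP")"
echo "SAN cert, other IP:     $(verify_as_client "$WORK/server.crt" 192.168.1.11)"
```

The no-SAN certificate passes the plain chain check (`openssl verify -CAfile ca.crt server-nosan.crt` reports OK) yet fails as soon as the client asks whether it is valid for the address it connected to, which is the exact point at which `tls_insecure: true` papers over the problem. With `server.crt`/`server.key` on the mosquitto listener and the same `ca.crt` under `certificate:` in configuration.yaml, Home Assistant connects with hostname verification left on; if the broker is later reached by a DNS name instead, add that name to the SAN rather than re-enabling `tls_insecure`.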