MQTT node - can't use domain name

I'm still struggling with setting up TLS with the node-RED MQTT node...

Broker
My broker is a Mosquitto server running on a Raspberry Pi at home. I've added a Mosquitto config file linking to the broker's Let's Encrypt certs, as per @TotallyInformation's draft guide, and restarted the server.
The config contains -

```conf
# Local MQTT
listener 1883
# Secure MQTT
listener 8883
## This is standard and should always be this
cafile   /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /home/pi/.node-red/certs/fullchain.pem
keyfile  /home/pi/.node-red/certs/privkey.pem
## Forces use of modern version of TLS to avoid security issues
tls_version tlsv1.2
## Force all clients in this listener to provide a valid certificate, change the node config to allow this from NR
#require_certificate true
```

...and netstat then shows the following -

```
pi@raspberrypi:~/.node-red $ sudo netstat -lptu | grep mosquitto
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      396/mosquitto
tcp        0      0 0.0.0.0:8883            0.0.0.0:*               LISTEN      396/mosquitto
tcp6       0      0 [::]:1883               [::]:*                  LISTEN      396/mosquitto
tcp6       0      0 [::]:8883               [::]:*                  LISTEN      396/mosquitto
```

Client
The client is node-RED running in an Oracle instance, and the connection is configured -

(screenshot: mqtt-conf)

The TLS config is -

(screenshot: mqtt-conf)

That seems to work, makes a connection to the broker, and I can subscribe to messages on the broker. BUT 2 problems...

  1. If I change the node's Server IP address to mqtts://mydomain.co.uk or even mqtts://mydomain.co.uk:8883 the node disconnects from the broker, and will not reconnect.
  2. If I select 'Verify server certificate' then again the node disconnects from the broker.

I'm aware of this git issue & pull request that @skleeschulte raised, but not sure if it applies here.

I am not now using Cloudflare.
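Added example (not code from the thread, from Node-RED or from Mosquitto) showing what the MQTT node's 'Verify server certificate' option actually checks, and a way to test the broker from the client machine without Node-RED. A verifying client matches the name it connected to against the certificate's subjectAltName entries; a Let's Encrypt certificate for mydomain.co.uk carries only DNS names, so mqtts://<IP address> can never verify against it, which is why the IP address only works while verification is off. The script resolves the name, performs a verified TLS 1.2+ handshake, sends a minimal MQTT 3.1.1 CONNECT and reports the CONNACK code, so a DNS, certificate or broker-side refusal each show up as a different error. Two caveats on the config above: the listener's `cafile` is what Mosquitto uses to validate client certificates when `require_certificate` is on (the chain clients see comes from `fullchain.pem`), and the DST Root CA X3 root it points at expired in September 2021, so current Let's Encrypt chains anchor on ISRG Root X1 instead. The certificate dict, hostnames and client id below are constructed sample values.

```python
"""Check a TLS MQTT broker the way a verifying client would. Added example;
the sample certificate, hostnames and client id are constructed values."""
import socket
import ssl
import struct
from ipaddress import ip_address

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a Let's Encrypt style certificate with DNS names only, no IP address SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "mydomain.co.uk"),),),
    "subjectAltName": (("DNS", "mydomain.co.uk"), ("DNS", "*.mydomain.co.uk")),
}


def hostname_matches_cert(cert, hostname):
    """True if hostname is covered by the certificate's subjectAltName.

    An IP address only matches an 'IP Address' SAN; a DNS name matches an exact
    DNS SAN or a single-label wildcard in the left-most position (RFC 6125).
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ip_address(v) == ip for k, v in sans)
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.split(".", 1)[1] == pattern[2:]):
            return True
    return False


def encode_remaining_length(n):
    """MQTT variable-length integer (7 bits per byte, high bit = continuation)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def mqtt_string(s):
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id, keepalive=60):
    """MQTT 3.1.1 CONNECT packet: clean session, no credentials, no will."""
    variable = mqtt_string("MQTT") + b"\x04" + b"\x02" + struct.pack("!H", keepalive)
    body = variable + mqtt_string(client_id)
    return b"\x10" + encode_remaining_length(len(body)) + body


CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}


def parse_connack(packet):
    """Return the CONNACK return code; raise if the bytes are not a CONNACK."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % (packet,))
    return packet[3]


def check_broker(host, port=8883, cafile=None, timeout=5.0):
    """Resolve host, do a verified TLS handshake, send CONNECT, report CONNACK."""
    result = {"host": host, "port": port}
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        result["addresses"] = sorted({ai[4][0] for ai in infos})
    except socket.gaierror as e:
        result["error"] = "dns: %s" % e
        return result
    # Default context verifies the chain against the system (or given) CA store
    # and checks the hostname, which is what 'Verify server certificate' does.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                result["cert_names"] = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                tls.sendall(build_connect("tls-check"))  # assumed client id
                code = parse_connack(tls.recv(4))
                result["connack"] = CONNACK_CODES.get(code, "unknown code %d" % code)
    except ssl.SSLCertVerificationError as e:
        result["error"] = "certificate verification failed: %s" % e.verify_message
    except (ssl.SSLError, OSError, ValueError) as e:
        result["error"] = "%s: %s" % (type(e).__name__, e)
    return result


if __name__ == "__main__":
    import sys
    print(check_broker(sys.argv[1] if len(sys.argv) > 1 else "mydomain.co.uk"))
```

Run it as `python3 check_broker.py mydomain.co.uk` from the Node-RED host: a `dns:` error means the new DNS records have not reached that resolver yet, a `certificate verification failed` error with a hostname message means the name you connected with is not in the certificate (try the IP address to see this), and a non-zero CONNACK means TLS is fine and the broker itself refused the client.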

Why are you trying mqtts://mydomain.co.uk, why not just mydomain.co.uk?

I've tried - mydomain.co.uk & https://mydomain.co.uk and neither allows the client to connect to the broker.

I've just read the instructions so I see why you're trying them.

From them, mqtts://mydomain.co.uk:8883 is the one Julian says to use, so I'd just stick to trying that one so you don't get a double-fault situation.


What's more puzzling is how you've managed to get it to work with the IP address, as the instructions explicitly say that LE certs need a domain name.

Gonna need @TotallyInformation to help you out I think

Thanks Simon, yes, I had the same thoughts about using the IP address...
I don't know who originally published the MQTT node, but it would be great to get some clarity about how it should be configured, or at least some meaningful documentation.

Now sorted (at last!)
The clue was in the last line of my initial thread post, because earlier that day I had moved over from my old server, which used Cloudflare as a proxy, and made my new local server live.
This meant changing the DNS settings to point to my server, instead of Cloudflare.
Later in the day, it appeared that the new DNS settings had propagated as I could then access the server. But it may have been that they had not propagated fully, and were therefore upsetting the TLS connection.
This morning, the connection is rock solid, and I have been able to fully add security to the settings.

Nick & Dave I think.

I thought I'd done that :wink:

It can take quite a while for DNS changes to propagate - up to 48 hours in some extreme cases.

Not quite! It only covers setting up the broker, and not the client.
Also there are some other broker related issues that need adding.
I'm going to update my earlier thread about setting up TLS with some more information later.