I'm still struggling with setting up TLS with the node-RED MQTT node.....
Broker
My broker is a Mosquitto server running on a Raspberry Pi at home. I've added a Mosquitto config file linking to the broker's Letsencrypt certs, as per @TotallyInformation's draft guide, and restarted the server.
The config contains -
# Local MQTT
listener 1883
# Secure MQTT
listener 8883
## This is standard and should always be this
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /home/pi/.node-red/certs/fullchain.pem
keyfile /home/pi/.node-red/certs/privkey.pem
## Forces use of modern version of TLS to avoid security issues
tls_version tlsv1.2
## Force all clients in this listener to provide a valid certificate, change the node config to allow this from NR
#require_certificate true
...and netstat then shows the following -
pi@raspberrypi:~/.node-red $ sudo netstat -lptu | grep mosquitto
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 396/mosquitto
tcp 0 0 0.0.0.0:8883 0.0.0.0:* LISTEN 396/mosquitto
tcp6 0 0 [::]:1883 [::]:* LISTEN 396/mosquitto
tcp6 0 0 [::]:8883 [::]:* LISTEN 396/mosquitto
Client
The client is node-RED running in an Oracle instance, and the connection is configured -
The TLS config is -
That seems to work, makes a connection to the broker, and I can subscribe to messages on the broker. BUT 2 problems...
- If I change the node's Server IP address to mqtts://mydomain.co.uk or even mqtts://mydomain.co.uk:8883 the node disconnects from the broker, and will not reconnect.
- If I select 'Verify server certificate' then again the node disconnects from the broker.
I'm aware of this git issue & pull request that @skleeschulte raised, but not sure if it applies here.
I am not now using Cloudflare.