Node-Red and Mosquitto MQTT Encryption Clarification

I am running a Mosquitto MQTT that is using TLSV1. I have generated the following files:

  1. ca.crt
  2. ca.key
  4. server.crt
  5. server.csr
  6. server.key

I am able to use just "ca.crt" with MQTT.FX in order to publish and subscribe to a topic with TSLv1 encryption. My issue arises when I try to get Node-Red to communicate with my Mosquitto Broker. The nodes get stuck at "Connecting..."

How can I get Node-Red to communicate securely with my Mosquitto Broker using the files listed above?

Current set up (I have tried a bunch of combinations, though):

Thank you,

Have you tried without verification of the cert first?

Yes, the nodes connect when I have “Verify Server Certificate” unchecked.

OK, so that indicates one of:

  • The CA cert is incorrectly formed or the actual cert is incorrectly formed in regard to the CA cert.
  • Node-RED isn’t picking up the CA cert properly.

Do you get any errors in the Node-RED log?

Do you need to convert them to pem format ? (Sometimes crt == pem - but not always)

So what I figured out playing around is that I am able to get it to work with the "Verify Server Certificate" checked if I do not put the private server key but instead just some random text. If I put the actual server key in the "private key" location then then the nodes will not connect.

Example of it working below with no server key but instead random text:


Hmm, not really. Other than converting to PEM as Dave suggests.

Otherwise, maybe try creating the CA and server certs afresh. I have some instructions on GitHub if you need to do that, might be of help though they are a little dated.

Thanks for the quick responses! I will try your creator and also use the link dceejay suggested to put them into pem format as well and update this thread when I reach a solution that works for me.

Did you ever get this sorted?

I tried converting to a PEM but that made no difference. The MQTT nodes just sit with a "connecting" status and nothing shows up in debug. I have left both "Certificate" and "Private Key" completely blank as I'm not trying to use a client certificate. "CA Certificate" points to a local crt or pem file. If I put a non-existant file in "CA Certificate" I get an error in the debug window, so it appears it is looking at the right file.

I don't know what MQTT port you are using, but have you opened that port in your broker's router, so that the client can connect?
It's not necessary to do the same for the client.

Also check the file ownership of your client CA certificate, if it's root:root, then node-RED may not be able to read it. Try pi:root.