I am trying to set up a Raspberry Pi 3B as an MQTT server using Mosquitto. I am following this tutorial: https://forums.raspberrypi.com/viewtopic.php?t=287326
I am about halfway down the page: "Now the certificates are in place they can be used to invoke a subscribing client pointing at the broker. The broker will be at 192.168.1.140 on the same LAN." I tried to connect the subscriber over TLS, but the connection is refused with the message "Connection error: Connection Refused: not authorised."
I am using the private IP 192.168.2.215 for both the server and the client. Is that possible?
My conf is split across two files:
authentication.conf:
allow_anonymous false
password_file /etc/mosquitto/passwd
encryption.conf:
listener 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
As far as I understand, all keys and certificates have been created. Every step so far has succeeded.
I assume the server is running, because "systemctl status mosquitto" returns "...Started Mosquitto MQTT Broker" on its last line.
This is my startup log:
1689408731: mosquitto version 2.0.11 terminating
1689408731: Saving in-memory database to /var/lib/mosquitto//mosquitto.db.
1689408731: mosquitto version 2.0.11 starting
1689408731: Config loaded from /etc/mosquitto/mosquitto.conf.
1689408731: Opening ipv4 listen socket on port 8883.
1689408731: Opening ipv6 listen socket on port 8883.
1689408731: Opening ipv4 listen socket on port 1883.
1689408731: Opening ipv6 listen socket on port 1883.
1689408731: mosquitto version 2.0.11 running
1689408760: New connection from 192.168.2.215:46250 on port 8883.
1689408760: Client <unknown> disconnected: Protocol error.
Log after running:
sudo mosquitto_sub -v -h 192.168.2.215 -u xxx -P 'yyy' --key /etc/mosquitto/certs/listener03-client.crt --cert /etc/mosquitto/certs/listener03-client.crt --cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03
Unable to connect (A TLS error occurred.).
After adding -d to the client command I get:
sudo mosquitto_sub -v -d -h 192.168.2.215 -u xxx -P 'yyy' --key /etc/mosquitto/certs/listener03-client.crt --cert /etc/mosquitto/certs/listener03-client.crt --cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03
In terminal:
Error: Unable to load client key file "/etc/mosquitto/certs/listener03-client.crt".
OpenSSL Error[0]: error:0909006C:PEM routines:get_name:no start line
OpenSSL Error[1]: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Unable to connect (A TLS error occurred.).
Added to /var/lib/mosquitto/mosquitto.log:
1689518781: New connection from 192.168.2.215:45280 on port 8883.
1689518781: Client <unknown> disconnected: Protocol error.
The permissions of listener03-client.crt are as follows:
-rw-r--r-- 1 root root 1099 14 jul 10.41 listener03-client.crt
Certificate != key
mosquitto_sub -v -d -h 192.168.2.215 -u xxx -P 'yyy' \
--key /etc/mosquitto/certs/listener03-client.crt \
--cert /etc/mosquitto/certs/listener03-client.crt \
--cafile /etc/mosquitto/certs/mqtt-server.crt \
-t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03
You have passed the same file for the --cert and --key arguments. These should be two different things.
The key file should be the private key, listener03-client.key, not listener03-client.crt.
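To catch this kind of mix-up before OpenSSL reports "PEM routines:get_name:no start line", here is an added check script (not code from the thread or the tutorial) that inspects the PEM block labels of the three files handed to mosquitto_sub. It assumes only POSIX sh, grep, sed and find; the function names and the "sanity check" wording are mine.

```shell
#!/bin/sh
# Added example: sanity-check the files passed as mosquitto_sub --key / --cert / --cafile.
# Works on the PEM text headers only, so it needs no openssl.

# Print the PEM block labels found in a file, one per line
# (e.g. "CERTIFICATE", "RSA PRIVATE KEY", "CERTIFICATE REQUEST").
pem_labels() {
    grep -o '^-----BEGIN [A-Z0-9 ]*-----' "$1" 2>/dev/null \
        | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Usage: check_client_tls_files KEYFILE CERTFILE CAFILE
# Prints one line per problem; returns 1 if any problem was found, 0 otherwise.
check_client_tls_files() {
    key=$1; cert=$2; ca=$3; rc=0
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # --key must hold a private key ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", ...).
    # Passing a .crt here is exactly what yields "no start line" from SSL_CTX_use_PrivateKey_file.
    if ! pem_labels "$key" | grep -q 'PRIVATE KEY$'; then
        echo "--key $key has no PRIVATE KEY block (found: $(pem_labels "$key" | tr '\n' ' '))"
        rc=1
    fi
    # --cert and --cafile must each hold a certificate; a CSR or a key will not do.
    for f in "$cert" "$ca"; do
        if ! pem_labels "$f" | grep -qx 'CERTIFICATE'; then
            echo "$f has no CERTIFICATE block"; rc=1
        fi
    done
    # One file cannot play two roles.
    [ "$key" != "$cert" ] || { echo "--key and --cert are the same file"; rc=1; }
    [ "$ca" != "$cert" ] || { echo "--cafile and --cert are the same file (--cafile is the CA certificate)"; rc=1; }
    # Not fatal, but a private key should not be readable by other users.
    [ -z "$(find "$key" -perm -o+r 2>/dev/null)" ] || echo "warning: $key is world-readable"
    return "$rc"
}

# Stand-alone use: ./check_tls.sh KEYFILE CERTFILE CAFILE
if [ "$#" -eq 3 ]; then
    check_client_tls_files "$@" && echo "client TLS files look consistent"
fi
```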
I tested step 2 of the tutorial successfully and double-checked that step 3 (TLS client) uses the same user/password. I don't think my user/password is wrong.
I recreated the listener03-client.crt file and signed the key successfully:
xxx@raspberrypi:/etc/mosquitto/certs $ sudo su -c 'openssl x509 \
-req \
-days 3650 \
-CA /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt \
-CAkey /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.key \
-CAcreateserial \
-in listener03-client.csr \
-out listener03-client.crt \
-extfile <(printf "subjectAltName=IP:192.168.2.215")'
In the terminal (where the country code is something else):
Signature ok
subject=C = COUNTRY CODE, CN = 192.168.2.215
Getting CA Private Key
Enter pass phrase for /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.key:
xxx@raspberrypi:/etc/mosquitto/certs $
and tried to connect the client:
sudo mosquitto_sub -v -d \
-h 192.168.2.215 \
-u xxx -P 'yyy' \
--key /etc/mosquitto/certs/listener03-client.key \
--cert /etc/mosquitto/certs/listener03-client.crt \
--cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 \
--tls-version tlsv1.2 -i listener03
Client listener03 sending CONNECT
Client listener03 received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client listener03 sending DISCONNECT
I understand that the CONNACK from the server does not accept my client connection. I am going to reinstall everything on the Raspberry Pi from scratch and come back with the results; it may take a while.
I'm back, trying to get this up and running. I reinstalled Raspbian on the Raspberry Pi and followed the steps (https://forums.raspberrypi.com/viewtopic.php?t=287326); steps 1 + 2 work fine. When I try to implement step 3 (TLS) I run into problems: the server does not start. See below:
Step 1
sudo apt update && sudo apt upgrade
sudo apt-get install mosquitto
sudo apt-get install mosquitto-clients
sudo systemctl enable mosquitto.service
systemctl status mosquitto
journalctl -u mosquitto
sudo tail -f /var/log/mosquitto/mosquitto.log
mosquitto_sub -v -h 127.0.0.1 -t 'temperatures' -p 1883 -i locallistener
mosquitto_pub -h 127.0.0.1 -t 'temperatures' -p 1883 -i localpub01 -m $(date +"%T")
Step 2
cat << EOC | sudo tee /etc/mosquitto/conf.d/authentication.conf
password_file /etc/mosquitto/passwd
allow_anonymous false
EOC
sudo mosquitto_passwd -c /etc/mosquitto/passwd user_name
sudo systemctl restart mosquitto
mosquitto_sub -v -h 127.0.0.1 -t 'temperatures' -p 1883 -i locallistener -P password -u user_name
mosquitto_pub -h 127.0.0.1 -t 'temperatures' -p 1883 -i localpub01 -P password -u user_name -m $(date +"%T")
Step 3
cd /etc/mosquitto/ca_certificates/
sudo openssl req \
-new \
-x509 \
-days 3650 \
-extensions v3_ca \
-subj '/C=MY_COUNTRY_CODE/L=Sin City/CN=192.168.2.215' \
-keyout mosquitto-certificate-authority.key \
-out mosquitto-certificate-authority.crt
Response in terminal:
Generating a RSA private key
....................................................................................+++++
..........................................................+++++
writing new private key to 'mosquitto-certificate-authority.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
cd /etc/mosquitto/certs/
sudo openssl genrsa \
-out mqtt-server.key \
2048
Response in terminal:
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
..................................................................+++++
e is 65537 (0x010001)
sudo openssl req \
-new \
-out mqtt-server.csr \
-key mqtt-server.key \
-subj '/C=MY_COUNTRY_CODE/L=Sin City/CN=192.168.2.215'
sudo su -c 'openssl x509 \
-req \
-days 3650 \
-CA ../ca_certificates/mosquitto-certificate-authority.crt \
-CAkey ../ca_certificates/mosquitto-certificate-authority.key \
-CAcreateserial \
-in mqtt-server.csr \
-out mqtt-server.crt \
-extfile <(printf "subjectAltName=IP:192.168.2.215")'
Response in terminal:
Signature ok
subject=C = MY_COUNTRY_CODE, L = Sin City, CN = 192.168.2.215
Getting CA Private Key
Enter pass phrase for ../ca_certificates/mosquitto-certificate-authority.key:
cat << EOC | sudo tee /etc/mosquitto/conf.d/encryption.conf
port 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
EOC
Response in terminal:
port 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
This is where my problem first appears:
sudo systemctl restart mosquitto
Response in terminal:
Job for mosquitto.service failed because the control process exited with error code.
See "systemctl status mosquitto.service" and "journalctl -xe" for details.
systemctl status mosquitto.service
Response in terminal:
● mosquitto.service - Mosquitto MQTT Broker
Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2023-08-10 09:32:18 CEST; 1min 17s ago
Docs: man:mosquitto.conf(5)
man:mosquitto(8)
Process: 1427 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
Process: 1428 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
Process: 1429 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
Process: 1430 ExecStartPre=/bin/chown mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
Process: 1431 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
Main PID: 1431 (code=exited, status=1/FAILURE)
CPU: 59ms
Aug 10 09:32:18 user_name systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Aug 10 09:32:18 user_name systemd[1]: Stopped Mosquitto MQTT Broker.
Aug 10 09:32:18 user_name systemd[1]: mosquitto.service: Start request repeated too quickly.
Aug 10 09:32:18 user_name systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Aug 10 09:32:18 user_name systemd[1]: Failed to start Mosquitto MQTT Broker.
journalctl -xe
Response in terminal:
Aug 10 09:35:58 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:08 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:19 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:29 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:39 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:49 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:36:58 user_name dhcpcd[469]: eth0: Router Advertisement from fe80::202:61ff:fec7:f7ba
Aug 10 09:36:58 user_name dhcpcd[469]: eth0: no global addresses for default route
Aug 10 09:37:00 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:37:10 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:37:20 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:37:30 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:37:41 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:37:51 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
Aug 10 09:38:01 user_name kernel: EDID block 0 (tag 0x00) checksum is invalid, remainder is 26
lines 3392-3406/3406 (END)
I somehow managed to solve this before, but I don't know what I did. This time I tried rearranging the conf files as follows:
/etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
per_listener_settings true
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
/etc/mosquitto/conf.d/authentication.conf
allow_anonymous false
password_file /etc/mosquitto/passwd
/etc/mosquitto/conf.d/encryption.conf
listener 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
But I cannot get past the "server not starting" problem. I have tried placing "listener 8883" in various positions across the three conf files...
Any ideas?
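For reference, an added configuration layout (not from the thread or the tutorial) that keeps the per-listener authentication settings next to the listener they belong to. With per_listener_settings true, allow_anonymous and password_file apply to the listener declared most recently above them, options that appear before any listener line apply only to the default listener, and include_dir loads files in case-sensitive alphabetical order, so a separate authentication.conf is processed before encryption.conf and never reaches the 8883 listener, which then refuses every client as "not authorised". The file name tls-listener.conf is my choice.

```conf
# /etc/mosquitto/mosquitto.conf (as in the thread)
per_listener_settings true
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

# /etc/mosquitto/conf.d/tls-listener.conf  (replaces authentication.conf + encryption.conf)
# Everything below the listener line belongs to that listener.
listener 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
certfile /etc/mosquitto/certs/mqtt-server.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
tls_version tlsv1.2
# Uncomment to require clients to present a certificate signed by cafile
# (only then do --cert/--key on mosquitto_sub matter to the broker):
# require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
```

When the service fails as in the status output above, the exit reason is written to the configured log_dest, so check the tail of /var/log/mosquitto/mosquitto.log after each restart rather than journalctl alone.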