MQTT on Webmin as standard package

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.4
Webmin version 2.105
Usermin version 2.005
Virtualmin version 7.9.0
Theme version 21.09.5
Package updates All installed packages are up to date

May I ask for Webmin to support MQTT as an official module ?
We have many clients who wish for us to host MQTT, and whilst we can install this, we would prefer to have this administered, esp the certificates, to an existing cert in Webmin

writeup example here

Anyone at webmin to support the request ?

The basic mosquitto install is easy.
getting stuck integrating with the virtualmin domain SSL, and creating a client SSL
even when moving to a new folder (/etc/mosquitto/certs), setting permissions folder 0755, file 0644

certs need to be owned by mosquitto, and cannot be shared.
so need to make a copy of the certs, and provide correct priv.
suggested to use a script to copy certs automatically when changed
“Place this script in /etc/letsencrypt/renewal-hooks/deploy/ and make it executable after editing it to your needs”

even upgraded the curl to the latest curl-8.6.0 (did not help)

Current SSL certificate details for the selected domain:
SSL certificate file
/etc/ssl/virtualmin/xyz/ssl.cert
SSL private key file
/etc/ssl/virtualmin/xyz/ssl.key
SSL CA file
/etc/ssl/virtualmin/xyz/ssl.ca

process from here and copy files to /etc/mosquitto/certs

  1. cd /etc/ssl/virtualmin/‘domain’/
  2. openssl genrsa -out client.key 2048
    #ensure common name different
  3. openssl req -new -key client.key -out client.csr
  4. openssl x509 -req -in client.csr -CA ssl.cert -CAkey ssl.key -CAcreateserial -out client.cert -days 2048

ca.key = domain key = ssl.key (/etc/ssl/virtualmin/domain/)
ca.crt = domain cert = ssl.cert (/etc/ssl/virtualmin/domain/)

error
mosquitto_pub -h localhost -p 8883 --cafile /etc/mosquitto/certs/ssl.ca --cert /etc/mosquitto/certs/client.cert --key /etc/mosquitto/certs/client.key -t test -m “hello tls test” -d
Client (null) sending CONNECT
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.

really need an expert here to help with the Webmin/virtualmin SSL setup for mosquitto, and for future proofing on Let’s Encrypt renewal and the script to auto copy back on renewal

Webmin/Virtualmin don’t have anything to do with it, as far as I can see?

Thanks Joe. I believe
a) it is the particular location of the SSL within Webmin/Virtualmin that is leading tor the error, , i.e I’m simply using the wrong SSL, as per discussion on location
b) or APACHE2 is not seeing the new mosquito SSL and needs integration

in particular, i’m not sure if the ca.key and ca.crt is from /etc/ssl/virtualmin/domain/, or elsewhere…
as whilst the client cert builds ok, it cannot be found, hence its a webmin + Apache2 issue

errors including: ‘Error: Unable to load client certificate “/etc/mosquitto/certs/client.cert”’

p.s conf file is:
cafile /etc/mosquitto/certs/ssl.ca
certfile /etc/mosquitto/certs/ssl.cert
keyfile /etc/mosquitto/certs/ssl.key

To check Lets encrypt certificates, type command: certbot certificates
Certificate Path: /etc/letsencrypt/live/xyz.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xyz.com/privkey.pem

To view all files in the .pem file:
while openssl x509 -noout -text; do :; done < fullchain.pem

but, so many other files:
a) /etc/webmin/ has the main domain cert ?
main.com.ca, main.com.cert, main.com.key
server.main.com.ca, server.main.com.cert, server.main.com.key
b) From here, /etc/letsencrypt/live/main.com
fullchain.pem, /privkey.pem
c) /etc/letsencrypt/live/xyz.com (for each virtualmin domain)
cert.pem, chain.pem, fullchain.pem, privkey.pem
d) /etc/ssl/virtualmin/123456789/ (for each domain) – note Manage Virtual-Server → Setup SSL Certificate ->CA certificate says this is the CA cert, and ->current Certificate, says ssl.cert and ssl.key the cert & priv key
ssl.ca, ssl.cert, ssl.combined, ssl.everything, ssl.key

from this forum , we see: argh!!!
i) Let’s Encrypt documentation expresses that Apache needs the full path to the /etc/letsencrypt/live/…/fullchain.pem file to satisfy the SSLCertificateKeyFile directive
ii) yet in the virtual server’s apache *.conf file, the directive points to the other folders (/home//domains/…/ssl.cert).

Copy to working folder for mosquitto use: (afterwards we can work on a script to cover lets encrypt renewals)
/etc/mosquitto/certs is the working folder (or /etc/mosquitto/ca_certificates ?)

for mosquito, we need

  1. the root ca.key, and ca.crt – which is ?
  2. the domain.key, domain.csr, comain.crt (created using root ca.key, and ca.crt – which is a,b,c,d?)
  3. make a client.key, client.csr, client.key, (created using root ca.key, and ca.crt – which is a,b,c,d ?)
    I tried with ssl.ca and ssl.key, but rejects. Will try again with main.com.ca and main.com.key to create mosquito ssl…

i think i found my answer, here, will try !

openssl x509 -req -in client.csr -CA /etc/ssl/certs/ISRG_Root_X1.pem -CAkey /etc/letsencrypt/live/xyz.com/privkey.pem -CAcreateserial -out client.crt -days 3650

this fails with CA certificate and CA private key do not match
so where is the private key for the root CA ??

i really need help, i’ve tried all combinations

i have found successfully that the local copy (/etc/ssl/certs/) of the files works for mosquitto, and all files have to be 0644:
with a conf file:
cafile /etc/ssl/certs/ISRG_Root_X1.pem
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.pem

I can create a client cert:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
then the following, all 3 ways works for the client.crt:

WORKS! Certificate request self-signature ok

  1. openssl x509 -req -in client.csr -CA fullchain.pem -CAkey privkey.pem -CAcreateserial -out client.crt -days 3650

but fails later on the pub! get : OpenSSL Error[0]: error:0A000418:SSL routines::tlsv1 alert unknown ca

WORKS: Certificate request self-signature ok

openssl x509 -req -in client.csr -CA fullchain.pem -CAkey ssl.key -CAcreateserial -out client.crt -days 3650

but fails later on the pub!, get OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error

works: Certificate request self-signature ok

openssl x509 -req -in client.csr -CA ssl.cert -CAkey ssl.key -CAcreateserial -out client.crt -days 3650

but fails later on the pub!, get OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error

FAIL !! OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed

all 3 enter ok, but all 3 tests fail:

mosquitto_pub -h localhost -p 8883 --cafile ISRG_Root_X1.pem --cert client.crt --key client.key -t test -m “hello tls” -d

mosquitto_pub -h localhost -p 8883 --cafile fullchain.pem --cert client.crt --key client.key -t test -m “hello tls” -d

mosquitto_pub -h localhost -p 8883 --cafile ssl.cert --cert client.crt --key client.key -t test -m “hello tls” -d

faisl with

  1. OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error
    or
  2. OpenSSL Error[0]: error:0A000418:SSL routines::tlsv1 alert unknown ca

anyone ?? please…

is this an open ssl bug ? or ubuntu 22.04 and openssl 3.0.2

i run : openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

i’m running PHP 8.1.2

Joe, can you help with how to update Ubuntu 22.04 w/ OpenSSL 3.0.2 to latest ? and please (please) would you help here with the Mosquitto install ?

I answer when I can. I’m not ignoring you, I just don’t have any answers.

I appreciate your confidence in my abilities, but none of this is Webmin or Virtualmin-related, and I have literally no idea what’s wrong or how to fix it. I’ve never used mosquito and I don’t have any Ubuntu 22.04 systems, other than our Virtualmin testing systems (and those systems work for our test cases, so I haven’t need to try to do anything unusual with OpenSSL). I wish I could help, but I’d just be googling mostly aimlessly, too.

If an upgrade of OpenSSL can fix the problem, you may be able to find a newer package in 23.04, but I would probably recommend rebuilding the source deb on a 22.04 build system, just to make sure it doesn’t cause any weirdness. (That may or may not matter, just depends on the dependencies of the packages and what has changed between 22.04 and 23.04).

But, I’m guessing. This isn’t my area. You may find some community related to mosquito will be more helpful.

1 Like

I appreciate all the help, thank you
Since i only have a live server, think you could test the OpenSSL upgrade from 3.0.2 to 3.1 ?
example here for 3.07 (please use the latest) here
…and send the recipe if it works ?

why not setup a virtualbox instance on your home pc & do it yourself ?

2 Likes

Sure, my contract rate is $150/hour. Seems like a couple hours of work, most likely.

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.