MQTT on Webmin as standard package

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.4
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.9.0
Theme version: 21.09.5
Package updates: All installed packages are up to date

May I ask for Webmin to support MQTT as an official module?
We have many clients who wish for us to host MQTT, and whilst we can install this, we would prefer to have this administered, especially the certificates, tied to an existing cert in Webmin.

writeup example here

Anyone at Webmin to support the request?

The basic mosquitto install is easy.
Getting stuck integrating with the Virtualmin domain SSL, and creating a client SSL,
even when moving to a new folder (/etc/mosquitto/certs), setting permissions folder 0755, file 0644.

Certs need to be owned by mosquitto, and cannot be shared,
so need to make a copy of the certs, and provide correct priv.
Suggested to use a script to copy certs automatically when changed:
“Place this script in /etc/letsencrypt/renewal-hooks/deploy/ and make it executable after editing it to your needs”

Even upgraded curl to the latest curl-8.6.0 (did not help).

Current SSL certificate details for the selected domain:
SSL certificate file
/etc/ssl/virtualmin/xyz/ssl.cert
SSL private key file
/etc/ssl/virtualmin/xyz/ssl.key
SSL CA file
/etc/ssl/virtualmin/xyz/ssl.ca

Process from here and copy files to /etc/mosquitto/certs:

  1. cd /etc/ssl/virtualmin/‘domain’/
  2. openssl genrsa -out client.key 2048
     # ensure the common name is different
  3. openssl req -new -key client.key -out client.csr
  4. openssl x509 -req -in client.csr -CA ssl.cert -CAkey ssl.key -CAcreateserial -out client.cert -days 2048

ca.key = domain key = ssl.key (/etc/ssl/virtualmin/domain/)
ca.crt = domain cert = ssl.cert (/etc/ssl/virtualmin/domain/)

Error:
mosquitto_pub -h localhost -p 8883 --cafile /etc/mosquitto/certs/ssl.ca --cert /etc/mosquitto/certs/client.cert --key /etc/mosquitto/certs/client.key -t test -m “hello tls test” -d
Client (null) sending CONNECT
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.

Really need an expert here to help with the Webmin/Virtualmin SSL setup for mosquitto, and for future proofing on Let’s Encrypt renewal and the script to auto copy back on renewal.

Webmin/Virtualmin don’t have anything to do with it, as far as I can see?

Thanks Joe. I believe
a) it is the particular location of the SSL within Webmin/Virtualmin that is leading to the error, i.e. I’m simply using the wrong SSL, as per discussion on location
b) or Apache2 is not seeing the new mosquitto SSL and needs integration

In particular, I’m not sure if the ca.key and ca.crt is from /etc/ssl/virtualmin/domain/, or elsewhere…
as whilst the client cert builds ok, it cannot be found, hence it’s a Webmin + Apache2 issue.

Errors including: ‘Error: Unable to load client certificate “/etc/mosquitto/certs/client.cert”’

P.S. conf file is:
cafile /etc/mosquitto/certs/ssl.ca
certfile /etc/mosquitto/certs/ssl.cert
keyfile /etc/mosquitto/certs/ssl.key

To check Let’s Encrypt certificates, type the command: certbot certificates
Certificate Path: /etc/letsencrypt/live/xyz.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xyz.com/privkey.pem

To view all files in the .pem file:
while openssl x509 -noout -text; do :; done < fullchain.pem

But, so many other files:
a) /etc/webmin/ has the main domain cert?
main.com.ca, main.com.cert, main.com.key
server.main.com.ca, server.main.com.cert, server.main.com.key
b) From here, /etc/letsencrypt/live/main.com
fullchain.pem, privkey.pem
c) /etc/letsencrypt/live/xyz.com (for each Virtualmin domain)
cert.pem, chain.pem, fullchain.pem, privkey.pem
d) /etc/ssl/virtualmin/123456789/ (for each domain) – note Manage Virtual Server → Setup SSL Certificate → CA certificate says this is the CA cert, and → Current Certificate says ssl.cert and ssl.key are the cert & priv key
ssl.ca, ssl.cert, ssl.combined, ssl.everything, ssl.key

From this forum, we see: argh!!!
i) Let’s Encrypt documentation expresses that Apache needs the full path to the /etc/letsencrypt/live/…/fullchain.pem file to satisfy the SSLCertificateKeyFile directive
ii) yet in the virtual server’s apache *.conf file, the directive points to the other folders (/home//domains/…/ssl.cert).

Copy to working folder for mosquitto use (afterwards we can work on a script to cover Let’s Encrypt renewals):
/etc/mosquitto/certs is the working folder (or /etc/mosquitto/ca_certificates?)

For mosquitto, we need

  1. the root ca.key, and ca.crt – which is?
  2. the domain.key, domain.csr, domain.crt (created using root ca.key, and ca.crt – which is a, b, c, d?)
  3. make a client.key, client.csr, client.crt (created using root ca.key, and ca.crt – which is a, b, c, d?)
     I tried with ssl.ca and ssl.key, but rejects. Will try again with main.com.ca and main.com.key to create mosquitto ssl…

I think I found my answer, here, will try!

openssl x509 -req -in client.csr -CA /etc/ssl/certs/ISRG_Root_X1.pem -CAkey /etc/letsencrypt/live/xyz.com/privkey.pem -CAcreateserial -out client.crt -days 3650

This fails with “CA certificate and CA private key do not match”,
so where is the private key for the root CA??

I really need help, I’ve tried all combinations.

I have found successfully that the local copy (/etc/ssl/certs/) of the files works for mosquitto, and all files have to be 0644:
with a conf file:
cafile /etc/ssl/certs/ISRG_Root_X1.pem
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.pem

I can create a client cert:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
Then the following; all 3 ways work for the client.crt:

WORKS! Certificate request self-signature ok

  1. openssl x509 -req -in client.csr -CA fullchain.pem -CAkey privkey.pem -CAcreateserial -out client.crt -days 3650

but fails later on the pub! Get: OpenSSL Error[0]: error:0A000418:SSL routines::tlsv1 alert unknown ca

WORKS: Certificate request self-signature ok

openssl x509 -req -in client.csr -CA fullchain.pem -CAkey ssl.key -CAcreateserial -out client.crt -days 3650

but fails later on the pub! Get: OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error

works: Certificate request self-signature ok

openssl x509 -req -in client.csr -CA ssl.cert -CAkey ssl.key -CAcreateserial -out client.crt -days 3650

but fails later on the pub! Get: OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error

FAIL !! OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed

All 3 enter ok, but all 3 tests fail:

mosquitto_pub -h localhost -p 8883 --cafile ISRG_Root_X1.pem --cert client.crt --key client.key -t test -m “hello tls” -d

mosquitto_pub -h localhost -p 8883 --cafile fullchain.pem --cert client.crt --key client.key -t test -m “hello tls” -d

mosquitto_pub -h localhost -p 8883 --cafile ssl.cert --cert client.crt --key client.key -t test -m “hello tls” -d

fails with

  1. OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error
    or
  2. OpenSSL Error[0]: error:0A000418:SSL routines::tlsv1 alert unknown ca

Anyone?? Please…

Is this an OpenSSL bug? Or Ubuntu 22.04 and OpenSSL 3.0.2?

I run: openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

I’m running PHP 8.1.2.

Joe, can you help with how to update Ubuntu 22.04 w/ OpenSSL 3.0.2 to the latest? And please (please) would you help here with the Mosquitto install?
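The certificate layout the posts above are circling, as an added example that is not from the thread or from the Webmin, Virtualmin or Mosquitto projects: a Let's Encrypt certificate is an end-entity certificate (CA:FALSE) and the key that signed it belongs to Let's Encrypt, so client certificates cannot be issued from fullchain.pem/privkey.pem and must come from a private CA you control, while the broker's own certificate and key are copied out of the certbot lineage by a deploy hook. The CA name, the example host names, the destination directory and the owner argument are constructed assumptions; the functions need only openssl and coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): private client CA for Mosquitto mTLS + deploy-hook copy step.
set -eu
# One OpenSSL config for every request; the subject CN is taken from $CERT_CN at call time.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $ENV::CERT_CN
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA you control: $1=cnf $2=CN $3=out basename (EC key: fast, small)
self_signed_ca() {
  CERT_CN="$2" openssl req -x509 -config "$1" -extensions v3_ca -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1825 \
    -keyout "$3.key" -out "$3.crt" >/dev/null 2>&1
}

# CSR then sign: $1=cnf $2=CN $3=out basename $4=signer cert $5=signer key $6=ext section
issue_cert() {
  CERT_CN="$2" openssl req -new -config "$1" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  CERT_CN="$2" openssl x509 -req -in "$3.csr" -CA "$4" -CAkey "$5" -CAcreateserial -days 365 \
    -extfile "$1" -extensions "$6" -out "$3.crt" >/dev/null 2>&1
}

# What the broker does at CONNECT: does $2 chain to the trust anchor $1?
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Only a CA:TRUE cert may issue others; a Let's Encrypt leaf (fullchain.pem) is CA:FALSE.
cert_is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; }

# Deploy-hook copy step: $1=lineage dir (certbot's $RENEWED_LINEAGE) $2=dest dir $3=owner
install_broker_certs() {
  mkdir -p "$2"
  install -m 0644 -o "$3" "$1/fullchain.pem" "$2/fullchain.pem"
  install -m 0640 -o "$3" "$1/privkey.pem" "$2/privkey.pem"
}
```

With this layout, mosquitto.conf's cafile points at the private CA certificate (alongside require_certificate true), certfile/keyfile at the copied fullchain.pem/privkey.pem, and a mosquitto_pub client passes the public root (such as ISRG_Root_X1.pem) as --cafile and a private-CA-issued certificate and key as --cert/--key.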

I answer when I can. I’m not ignoring you, I just don’t have any answers.

I appreciate your confidence in my abilities, but none of this is Webmin or Virtualmin-related, and I have literally no idea what’s wrong or how to fix it. I’ve never used Mosquitto and I don’t have any Ubuntu 22.04 systems, other than our Virtualmin testing systems (and those systems work for our test cases, so I haven’t needed to try to do anything unusual with OpenSSL). I wish I could help, but I’d just be googling mostly aimlessly, too.

If an upgrade of OpenSSL can fix the problem, you may be able to find a newer package in 23.04, but I would probably recommend rebuilding the source deb on a 22.04 build system, just to make sure it doesn’t cause any weirdness. (That may or may not matter, just depends on the dependencies of the packages and what has changed between 22.04 and 23.04).

But, I’m guessing. This isn’t my area. You may find some community related to Mosquitto will be more helpful.

1 Like

I appreciate all the help, thank you.
Since I only have a live server, think you could test the OpenSSL upgrade from 3.0.2 to 3.1?
example here for 3.07 (please use the latest) here
…and send the recipe if it works?

Why not set up a VirtualBox instance on your home PC & do it yourself?

2 Likes

Sure, my contract rate is $150/hour. Seems like a couple hours of work, most likely.

2 Likes