User by user certificates, or server wide certificates?

[dhitchenor]

Background: I run mosquitto behind traefik, providing an unsecure MQTT broker on port 1883 for users.

Where it concerns certificates, do they have to be distributed on a user by user basis? or can everyone use a 'server wide' certificate, extracted from the traefik produced acme.json file?

[growse]

It depends on what you're trying to do.

TLS uses certificates in multiple ways. The most common is to have a certificate that's presented by the server to connecting clients, which the clients can use to authenticate the server. This is how most websites work.

Some people choose to use "mutual TLS" (or mTLS) where every client identity is also issued a unique certificate for their identity. The server then uses this to authenticate the client.

mTLS is not widely used, pretty complex, has many fun failure modes and is hard to manage. Unless you have a very good reason to take that approach, using server-side TLS with clients simply authenticating with credentials is usually a better option.

If you're using acme (I assume with letsencrypt?) then the signed server certificate should be installed on your traefik instance. You don't need to distribute anything to clients, as they'll get presented that certificate when they connect, I validate it's signature against the device's root cert store (which should include LE).

[dhitchenor]

If you're using acme (I assume with letsencrypt?) then the signed server certificate should be installed on your traefik instance. You don't need to distribute anything to clients, as they'll get presented that certificate when they connect, I validate it's signature against the device's root cert store (which should include LE).

The certs can be pulled ('built from', would be a more apt way to explain it) from the acme.json file, but they don't exist as cert or key files anywhere on my server. (at least, as far as I can tell)

Further clarifying your post, if I used server side TLS via traefik, and when connecting to the mosquitto server through port 8883.. the traffic is encrypted?

[growse]

The certs can be pulled ('built from', would be a more apt way to explain it) from the acme.json file, but they don't exist as cert or key files anywhere on my server. (at least, as far as I can tell)

Hmm, I'm not familiar with traefik, but it's possible it stores the cert/key ephemerally.

Further clarifying your post, if I used server side TLS via traefik, and when connecting to the mosquitto server through port 8883.. the traffic is encrypted?

Correct.

[jpmens]

Then you're going to have to fumble your way into PEM files which you'll have to install on Android. I would avoid doing that if at all possible; it's a pain.

Server-side TLS means traffic will be encrypted. Just as with HTTPS.

[jpmens]

You ought to be able to see the certs from Traefik by running

openssl s_client -connect server:port -showcerts

The resulting lines between -- BEGIN -- and -- END -- are the certificate. Paste those into a file and then run

openssl x509 -in filename -text -noout -issuer

If you see something like let's encrypt then you ought to be able to use MQTT on our Android app without further configuration.

[dhitchenor]

Thanks @jpmens,

I tried the commands you mentioned, I'm not getting any certificates though.

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

I'm running (all in docker containers):

• mosquitto, ports 8883:1883 (outside:inside)
• traefik as the reverse proxy with dns as the cert resolver

any suggestions? or ideas to put into the docs?

[jpmens]

s_client shows that output when it's talking to a non-TLS endpoint

[dhitchenor]

OK, I've got it working.

Should this be part of the docs/booklet?