[mosquitto-dev] chain certificates?
This is sort of a question and maybe sort of a bug report.
After much packaging debugging, I'm setting up an actual mosquitto
instance, and paying attention to TLS, acls, etc.
Reading mosquitto.conf, I see "certfile". But it doesn't address chain
certificates, simply saying "path to the server certificate". If one's
cert is issued directly by an entity that is configured as a trust
anchor, that's fine. However, a typical choice these days is to use
Let's Encrypt, and their root is not in my system's config, but another
CA is. openssl s_client -connect, to another service with a similar
cert, shows
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.example.com
verify return:1
Which is all totally ok.
This other server uses the "fullchain" version of the cert file, and
sends both the Let's Encrypt CA cert and the bridge cert.
So, I wonder if mosquitto copes with a fullchain file, and if so then
this is a doc issue, and if not, it seems like a missing necessary
feature.
Is anyone using mosquitto with Let's Encrypt, without manually configuring
trust anchors on mqtt clients? Any other advice?
Thanks,
Greg
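Added example, not from this thread or the mosquitto project: a small Python check that a PEM bundle such as Let's Encrypt's fullchain.pem is ordered leaf first, with each certificate's issuer Name byte-for-byte equal to the next certificate's subject Name, which is the order a server is expected to present. The certificate skeletons at the bottom are constructed stand-ins for the chain in the post, not real certificates; on a real bundle, pass the file's bytes to check_chain().

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, end_offset); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # split a constructed DER value into [(tag, raw_tlv_bytes), ...]
    items, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv(value, pos)
        items.append((tag, value[pos:end]))
        pos = end
    return items
def issuer_subject(der):
    """Raw DER issuer and subject Names of one certificate (compared byte-for-byte)."""
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                  # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]         # serial, sigAlg, issuer, validity, subject
def check_chain(pem_bytes):
    """(ok, message): ok when cert[i].issuer == cert[i+1].subject for every i."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bytes)]
    if not certs:
        return False, "no certificates found"
    for i in range(len(certs) - 1):
        if issuer_subject(certs[i])[0] != issuer_subject(certs[i + 1])[1]:
            return False, f"cert {i} issuer != cert {i + 1} subject: bundle out of order?"
    return True, f"{len(certs)} certificate(s), issuer/subject links consistent"

# Constructed sample input: unsigned certificate skeletons with the tbsCertificate
# field layout walked above (NOT real certificates); mirrors the chain in the post.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload     # short-form lengths suffice here
def _name(cn):   # Name { SET { SEQUENCE { id-at-commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, _der(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
LEAF = fake_cert_pem("server.example.com", "Let's Encrypt Authority X3")
INTERMEDIATE = fake_cert_pem("Let's Encrypt Authority X3", "DST Root CA X3")
FULLCHAIN_OK = LEAF + INTERMEDIATE        # leaf first, as a fullchain.pem is laid out
FULLCHAIN_BAD = INTERMEDIATE + LEAF
```

The root (DST Root CA X3 in the post) is deliberately absent from the bundle: the client is expected to hold it as a trust anchor, and the check only needs the links between the certificates the server actually sends.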