2

I am trying to set up Mosquitto using this guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-18-04

I am using ubuntu 20.04 but I couldn't find any Focal-specific guides.

When I first install it, I can start and restart the service without issue. However, adding my config file seems to break it, specifically the keyfile lines. I have tried Mosquitto both from the Ubuntu repos and from the PPA.

The error appears after I make a conf file, which looks like this:

allow_anonymous false
password_file /etc/mosquitto/pwfile

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

and when I restart the service after adding the above conf file, it fails and this is what is in journalctl -xe :

-- A start job for unit mosquitto.service has begun execution.
-- 
-- The job identifier is 4722.
Dec 20 06:45:32 thestash mosquitto[10010]: 1608464732: Loading config file /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- An ExecStart= process belonging to unit mosquitto.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4722 and the job result is failed.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Automatic restarting of the unit mosquitto.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Dec 20 06:45:32 thestash systemd[1]: Stopped Mosquitto MQTT Broker.
-- Subject: A stop job for unit mosquitto.service has finished
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A stop job for unit mosquitto.service has finished.
-- 
-- The job identifier is 4794 and the job result is done.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Start request repeated too quickly.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4794 and the job result is failed.
Dec 20 06:45:34 thestash sudo[10011]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/nano /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:34 thestash sudo[10011]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Dec 20 06:45:38 thestash sudo[10011]: pam_unix(sudo:session): session closed for user root
Dec 20 06:45:38 thestash kernel: [UFW BLOCK] IN=eth0 OUT= MAC=d6:32:76:db:0a:3b:18:2a:d3:e0:df:f0:08:00 SRC=45.129.33.168 DST=104.236.7.145 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=11309 PROTO=TCP SPT=59534 DPT=21661 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 20 06:45:44 thestash sudo[10013]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Dec 20 06:45:44 thestash sudo[10013]: pam_unix(sudo:session): session opened for user root by admin(uid=0)


If I comment out the keyfile lines in my default.conf, the service restarts without error. The keys are there and do not seem to cause problems for anything else on my server.

And the mosquitto.log file indicates that it is indeed a problem with reading the certificate. A permissions issue seems like a good guess, but I don't see why that would be a problem only for privkey.pem but not the other two files, which also have the same permissions. Also, nginx can use my certificates without owning them.

/var/log/mosquitto/mosquitto.log:

1608463912: mosquitto version 2.0.3 starting
1608463912: Config loaded from /etc/mosquitto/mosquitto.conf.
1608463912: Opening ipv4 listen socket on port 1883.
1608463912: Opening ipv4 listen socket on port 8883.
1608463912: Opening ipv6 listen socket on port 8883.
1608463912: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
1608463912: Error: Unable to load server certificate "/etc/letsencrypt/live/mylittlestashbox.com/cert.pem". Check certfile.
1608463912: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1608463912: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
1608463912: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib
1608464267: mosquitto version 2.0.3 starting
1608464267: Config loaded from /etc/mosquitto/mosquitto.conf.
1608464267: Opening ipv4 listen socket on port 1883.
1608464267: Opening ipv4 listen socket on port 8883.
1608464267: Opening ipv6 listen socket on port 8883.
1608464267: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
1
  • 1
    It seems the problem was how I generated the certificates. I had created them at an earlier step of my setup, and not in standalone as in the guide I was using. Standalone at first failed because nginx was using port 80, but temporarily stopping it allowed me to get a special certificate for mosquitto. This helped me: advancedweb.hu/… Commented Dec 21, 2020 at 8:28

3 Answers

2

Check the permissions on the path to the certs. I had the same problem after updating the mosquitto server on my pi under debian... I solved it with:

sudo su
chmod 755 /etc/letsencrypt/archive
chmod 755 /etc/letsencrypt/live
2
  • I found I had to 644 the privkey as well. Any explanation as to why? I used standalone mode to get my certs Commented Sep 10, 2021 at 21:19
  • 3
    Careful Travis, that means anyone can read your privkey. I suggest 640 and utilizing group ownership/membership if you must. Commented Sep 13, 2021 at 20:41
2

vim /etc/mosquitto/mosquitto.conf

add the following line: user root

2
  • 1
    After weeks of not being able to get my LetsEncrypt certificates to work under Debian 11 or 12 - this is the one that stopped my permission errors Commented Aug 4, 2024 at 9:42
  • That will run mosquitto as root. One security vulnerability in mosquitto, and your server is thoroughly owned. Terrible advice. Instead, fix the permissions on the certificate files so that mosquitto can read them. Commented Sep 28 at 21:18
0

I had the same issue. I solved it like this:

First I checked the files' default permissions (README) in the ca_certificates and certs folders in /etc/mosquitto. They were -rw-r--r-- (644). So I set all the cert files' permissions:

sudo chmod 0644 ./ca_certificates/* ./certs/*

and also the folders' permissions; they were drwxr-xr-x (755):

sudo chmod 0755 ./ca_certificates ./certs
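The permission fixes in the first and third answers both come down to the same question: can the unprivileged account the broker drops to traverse every directory on the way to each certificate and read the file itself, including the real file under /etc/letsencrypt/archive that the live/ symlink points at. The script below is an added example, not code from any of the answers; it works that out from mode bits and ownership (so it can be run as root before restarting the broker), reports the first blocking component, and assumes GNU coreutils and a Let's Encrypt-style live/ to archive/ layout.

```shell
#!/bin/sh
# Added example, not code from the original answers: decide from mode bits and
# ownership whether a service account such as "mosquitto" can reach a certificate,
# checking every directory on the way and, for Let's Encrypt, the symlink target
# under /etc/letsencrypt/archive too. Assumes GNU coreutils (stat -c, readlink -f).

# can_access MODE OWNER GROUP USER "GROUPS" WANT (r or x): 0 if USER gets the bit
can_access() {
  m=${1#"${1%???}"}                    # last three octal digits
  [ "$4" = root ] && return 0          # root bypasses mode bits
  if [ "$4" = "$2" ]; then d=${m%??}   # owner digit
  else case " $5 " in
    *" $3 "*) d=${m#?}; d=${d%?} ;;    # group digit
    *)        d=${m#??} ;;             # other digit
  esac; fi
  case "$6$d" in r[4567]|x[1357]) return 0 ;; *) return 1 ;; esac
}

# walk_chain PATH USER "GROUPS": needs x on each directory prefix and r on the
# final component; prints the first component that blocks USER and returns 1.
walk_chain() {
  path=$1 user=$2 ugroups=$3 cur="" rest=${1#/}
  while [ -n "$rest" ]; do
    comp=${rest%%/*}
    if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
    cur="$cur/$comp"
    if [ "$cur" = "$path" ]; then want=r; else want=x; fi
    set -- $(stat -L -c '%a %U %G' -- "$cur" 2>/dev/null)   # mode owner group
    [ $# -eq 3 ] || { echo "$cur: cannot stat"; return 1; }
    if ! can_access "$1" "$2" "$3" "$user" "$ugroups" "$want"; then
      echo "$cur: mode $1 owner $2:$3, $user lacks $want"; return 1
    fi
  done
}

# first_blocker CERTPATH USER: check the path as written and, when it is a
# symlink (live/ -> archive/ for Let's Encrypt), its resolved form as well.
first_blocker() {
  ugroups=$(id -Gn "$2" 2>/dev/null || true)   # unknown user => "other"
  walk_chain "$1" "$2" "$ugroups" || return 1
  real=$(readlink -f -- "$1") || return 1
  [ "$real" = "$1" ] || walk_chain "$real" "$2" "$ugroups"
}

# Usage: sh certcheck.sh /etc/letsencrypt/live/mydomain/privkey.pem mosquitto
if [ $# -gt 0 ]; then first_blocker "$1" "${2:-mosquitto}"; fi
```

When the blocker is the private key, the check passes with the key at 640 and the broker's account in the key's group, which keeps the key unreadable to other users without running the broker as root.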
