Using ngx-mqtt to connect over TLS via WebSocket to a broker

倖福魔咒の submitted on 2021-02-11 13:51:40

Question


I have a remote Mosquitto broker (on an AWS EC2 instance with Windows) and everything is working fine: the ports are accessible and I can publish and subscribe according to the rules of my ACL. I've limited the publish operation to my .NET Core server (with IdentityServer4), while my Angular 8 app with ngx-mqtt subscribes.

Now I'm trying to enable TLS, but it keeps failing to connect:

main-es2015.42b21e2ecd07be623604.js:1 WebSocket connection to 'wss://myserver/mqtt' failed: Error in connection establishment: net::ERR_CERT_INVALID

My domain has a valid certificate and the Angular app connects over HTTPS. For Mosquitto I have self-signed the CA, server and client certificates following the Mosquitto documentation, but still I cannot figure out what I am missing: should I send the certificate and key to the client after it has logged in? What kind of flow should I implement?

ACL file:

# This affects access control for clients with no username.
# topic pattern you can subscribe to
topic read $SYS/#

# This only affects clients with username "backend-username".
user backend-username
topic write stage/#

user backend-username
topic write production/#


# This affects all clients.
pattern write $SYS/broker/connection/%c/state
pattern read stage/%u/openRequests
pattern read production/%u/openRequests

mosquitto.conf:

# Default listener: plain MQTT on 1883 (no TLS settings apply to it).
port 1883
# Second listener; the protocol and TLS settings that follow apply to it,
# so 8883 serves WebSockets over TLS.
listener 8883
protocol websockets

connection_messages true

allow_anonymous false

acl_file C:\Program Files\mosquitto\aclfile.example

cafile C:\Program Files\mosquitto\certs\certificate_authority.crt

# Path to the PEM encoded server certificate.
certfile C:\Program Files\mosquitto\certs\broker.crt

# Path to the PEM encoded keyfile.
keyfile C:\Program Files\mosquitto\certs\broker.key

tls_version tlsv1.2

log_dest file C:\logs_and_keys\mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
log_timestamp true
log_timestamp_format %Y-%m-%dT%H:%M:%S

ngx-mqtt options to connect:

this.mqttService.connect({
  hostname: environment.mqttHost,
  port: environment.mqttPort,
  path: environment.mqttBasePath,
  protocol: 'wss',
  username: username,
  password: 'useless-password',
  // ca/cert/key are the MQTT.js TLS options that feed Node's tls module
  ca: certificate,
  cert: cert.toString(),
  key: key.toString()
});

While I'm testing I'm also hardcoding ca.crt, client.crt and client.key:

    const certificate = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`;
    const key = `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A7B0480427C73B4E
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-----END RSA PRIVATE KEY-----
`;
    const cert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`; 

Thanks in advance.
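The listener layout above is worth checking mechanically before touching certificates, because a wss:// URL with no port goes to 443 while the posted configuration puts its only WebSocket listener on 8883. The following is an added example, not code from the question, from ngx-mqtt, MQTT.js or Mosquitto: it parses the listener section of a mosquitto.conf under the mosquitto 1.x rule that per-listener settings attach to the most recently declared listener (no per_listener_settings), builds the URL a client with the given options will open, and reports mismatches. The hostname myserver, the username and the PEM placeholders are taken from the question; the "/" fallback for a missing path is this helper's own rule, not a claim about MQTT.js defaults.

```javascript
// Added example (not from the original post or any of the libraries it uses):
// check whether an MQTT.js / ngx-mqtt option object reaches a WebSocket+TLS
// listener of the posted mosquitto.conf. Runs under Node.
'use strict';

const DEFAULT_PORTS = { ws: 80, wss: 443, mqtt: 1883, mqtts: 8883 };

// Per-listener settings in mosquitto 1.x (without per_listener_settings):
// they attach to the most recent "listener", or to the default listener
// when they appear before any "listener" line.
const LISTENER_KEYS = new Set([
  'protocol', 'cafile', 'certfile', 'keyfile', 'require_certificate', 'tls_version',
]);

function newListener(port, isDefault) {
  return { port, isDefault, protocol: 'mqtt', certfile: false, keyfile: false, mtls: false };
}

function parseListeners(confText) {
  const listeners = [];
  let current = null;
  for (const raw of confText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const sp = line.indexOf(' ');
    const key = sp === -1 ? line : line.slice(0, sp);
    const value = sp === -1 ? '' : line.slice(sp + 1).trim();
    if (key === 'port' || key === 'listener') {
      // "port" configures the default listener; "listener" adds another one.
      current = newListener(Number(value.split(/\s+/)[0]), key === 'port');
      listeners.push(current);
    } else if (LISTENER_KEYS.has(key)) {
      if (!current) {
        current = newListener(1883, true);
        listeners.push(current);
      }
      if (key === 'protocol') current.protocol = value;
      if (key === 'certfile') current.certfile = true;
      if (key === 'keyfile') current.keyfile = true;
      if (key === 'require_certificate') current.mtls = value === 'true';
    }
  }
  // Mosquitto only enables TLS on a listener that has both certfile and keyfile.
  return listeners.map((l) => ({ ...l, tls: l.certfile && l.keyfile }));
}

// The URL the client opens; without an explicit port, wss:// means 443.
function brokerUrl({ protocol, hostname, port, path }) {
  if (!(protocol in DEFAULT_PORTS)) throw new Error(`unsupported protocol: ${protocol}`);
  const p = port || DEFAULT_PORTS[protocol];
  let suffix = '';
  if (protocol === 'ws' || protocol === 'wss') {
    const pth = path || '/'; // this helper's own fallback (assumption)
    suffix = pth.startsWith('/') ? pth : `/${pth}`;
  }
  return `${protocol}://${hostname}:${p}${suffix}`;
}

// MQTT.js only honours these on Node, where it drives the tls module itself.
// A browser build uses the native WebSocket constructor, which takes a URL and
// nothing else: the browser's trust store alone judges the broker certificate.
const NODE_ONLY_TLS_OPTIONS = ['ca', 'cert', 'key', 'rejectUnauthorized'];

function checkClientAgainstBroker(clientOpts, confText) {
  const url = brokerUrl(clientOpts);
  const port = clientOpts.port || DEFAULT_PORTS[clientOpts.protocol];
  const wantWs = clientOpts.protocol === 'ws' || clientOpts.protocol === 'wss';
  const wantTls = clientOpts.protocol === 'wss' || clientOpts.protocol === 'mqtts';
  const listeners = parseListeners(confText);
  const onPort = listeners.find((l) => l.port === port);
  const problems = [];
  if (!onPort) {
    const wsPorts = listeners.filter((l) => l.protocol === 'websockets').map((l) => l.port);
    problems.push(`no listener on port ${port} (websockets listeners: ${wsPorts.join(', ') || 'none'})`);
  } else {
    if (wantWs !== (onPort.protocol === 'websockets')) {
      problems.push(`port ${port} speaks ${onPort.protocol}, client wants ${wantWs ? 'websockets' : 'mqtt'}`);
    }
    if (wantTls !== onPort.tls) {
      problems.push(`port ${port} ${onPort.tls ? 'requires' : 'has no'} TLS, client uses ${clientOpts.protocol}`);
    }
    if (onPort.mtls && wantWs) {
      // Page script cannot hand a client certificate to the browser's WebSocket;
      // it would have to live in the browser's own certificate store.
      problems.push(`port ${port} requires a client certificate`);
    }
  }
  const ignoredInBrowser = NODE_ONLY_TLS_OPTIONS.filter((k) => k in clientOpts);
  return { url, listeners, problems, ignoredInBrowser };
}

// Listener section of the mosquitto.conf posted in the question.
const POSTED_CONF = `
port 1883
listener 8883
protocol websockets
allow_anonymous false
cafile C:\\Program Files\\mosquitto\\certs\\certificate_authority.crt
certfile C:\\Program Files\\mosquitto\\certs\\broker.crt
keyfile C:\\Program Files\\mosquitto\\certs\\broker.key
tls_version tlsv1.2
`;

// The ngx-mqtt options from the question (PEM bodies replaced by placeholders).
const POSTED_CLIENT = {
  hostname: 'myserver', protocol: 'wss', path: '/mqtt',
  username: 'backend-username', password: 'useless-password',
  ca: '<ca pem>', cert: '<client cert pem>', key: '<client key pem>',
};

// Same client, pointed at the port the WebSocket listener actually uses.
const FIXED_CLIENT = { ...POSTED_CLIENT, port: 8883 };

const report = checkClientAgainstBroker(POSTED_CLIENT, POSTED_CONF);
console.log(JSON.stringify(report.problems), report.ignoredInBrowser);
```

For the posted options the report says that wss://myserver:443/mqtt hits no listener at all (the only WebSocket listener is 8883, with TLS) and that ca, cert and key are never applied by a browser build; with port 8883 supplied the listener check passes. What remains is what any browser requires of a wss:// endpoint: the certificate the broker presents has to chain to a CA in the browser's trust store and carry the host name in its Subject Alternative Name, and a client certificate cannot be injected from script, which is why browser clients are usually authenticated with a username/password or token instead.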


Answer 1:


After almost a year, lots of changes were made to the project, to the point that this is not the same scenario I described initially. I now have a serverless backend, thus the Mosquitto broker is not hosted by me (I'm currently using the public Mosquitto broker), and I've upgraded Angular to version 10 (Angular 8 was used at the time).

Now I simply use the below configuration and it just works:

hostname: 'test.mosquitto.org',
port: 8081,
protocol: 'wss',
path: '/mqtt'


Source: https://stackoverflow.com/questions/59379281/using-mqtt-ngx-to-connet-in-tls-via-websocket-to-a-broker
