Hi guys,
I'm having trouble setting up mosquitto with Let’s Encrypt. I have been following the setup from Docker + Free SSL/TLS Certs (Let’s Encrypt) successfully.
I have added the following lines to:
#/etc/mosquitto/mosquitto.conf
listener 8883
cafile /root/nginx/letsencrypt/live/server.ecfarma.hr/fullchain.pem
certfile /root/nginx/letsencrypt/live/server.ecfarma.hr/cert.pem
keyfile /root/nginx/letsencrypt/live/server.ecfarma.hr/privkey.pem
When I run the setup through the command line with sudo like
sudo mosquitto -c /etc/mosquitto/mosquitto.conf
it works as expected. But when I run it through systemd like
sudo systemctl start mosquitto
I get the following error:
Aug 28 17:17:55.832386 archleft systemd[1]: Starting Mosquitto MQTT Broker daemon...
Aug 28 17:17:55.845128 archleft mosquitto[2778]: 1693235875: mosquitto version 2.0.16 starting
Aug 28 17:17:55.845128 archleft mosquitto[2778]: 1693235875: Config loaded from /etc/mosquitto/mosquitto.conf.
Aug 28 17:17:55.845128 archleft mosquitto[2778]: 1693235875: Warning: File /etc/mosquitto/aclfile has world readable permissions. Future versions will refuse to load this file.
Aug 28 17:17:55.845420 archleft mosquitto[2778]: 1693235875: Opening ipv4 listen socket on port 1883.
Aug 28 17:17:55.845420 archleft mosquitto[2778]: 1693235875: Opening ipv6 listen socket on port 1883.
Aug 28 17:17:55.845420 archleft mosquitto[2778]: 1693235875: Opening ipv4 listen socket on port 8883.
Aug 28 17:17:55.845420 archleft mosquitto[2778]: 1693235875: Opening ipv6 listen socket on port 8883.
Aug 28 17:17:55.846886 archleft mosquitto[2778]: 1693235875: Error: Unable to load CA certificates. Check cafile "/root/nginx/letsencrypt/live/server.ecfarma.hr/fullchain.pem".
Aug 28 17:17:55.846886 archleft mosquitto[2778]: 1693235875: OpenSSL Error[0]: error:8000000D:system library::Permission denied
Aug 28 17:17:55.846886 archleft mosquitto[2778]: 1693235875: OpenSSL Error[1]: error:10080002:BIO routines::system lib
Aug 28 17:17:55.846886 archleft mosquitto[2778]: 1693235875: OpenSSL Error[2]: error:05880002:x509 certificate routines::system lib
Aug 28 17:17:55.847601 archleft systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Aug 28 17:17:55.847737 archleft systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Aug 28 17:17:55.858578 archleft systemd[1]: Failed to start Mosquitto MQTT Broker daemon.
I tried all kinds of stuff, including adding a group or
sudo setfacl -R -m "u:mosquitto:rwx" /root
without success.
Is there any way to debug and find a solution for this issue?
Thanks.
Offline
The "fullchain.crt" is not a "cafile", but the Let's Encrypt certificate concatenated with the necessary intermediate certificate(s) and the root certificate.
Try removing the "cafile" option.
If you get an error that the certificate cannot be verified, replace "cert.pem" with "fullchain.pem" in the "certfile" option.
Offline
Hi,
When I remove the "cafile" line, I get:
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: mosquitto version 2.0.16 starting
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Config loaded from /etc/mosquitto/mosquitto.conf.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Warning: File /etc/mosquitto/aclfile has world readable permissions. Future versions will refuse to load this file.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Opening ipv4 listen socket on port 1883.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Opening ipv6 listen socket on port 1883.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Opening ipv4 listen socket on port 8883.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Opening ipv6 listen socket on port 8883.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: Error: Unable to load server certificate "/root/nginx/letsencrypt/live/server.ecfarma.hr/cert.pem". Check certfile.
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: OpenSSL Error[0]: error:8000000D:system library::Permission denied
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: OpenSSL Error[1]: error:10080002:BIO routines::system lib
Aug 29 13:00:57 archleft mosquitto[38656]: 1693306857: OpenSSL Error[2]: error:0A080002:SSL routines::system lib
Aug 29 13:00:57 archleft systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
and when I rename "certfile" from "cert.pem" to "fullchain.pem" I get:
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: mosquitto version 2.0.16 starting
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Config loaded from /etc/mosquitto/mosquitto.conf.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Warning: File /etc/mosquitto/aclfile has world readable permissions. Future versions will refuse to load this file.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Opening ipv4 listen socket on port 1883.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Opening ipv6 listen socket on port 1883.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Opening ipv4 listen socket on port 8883.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Opening ipv6 listen socket on port 8883.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: Error: Unable to load server certificate "/root/nginx/letsencrypt/live/server.ecfarma.hr/fullchain.pem". Check certfile.
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: OpenSSL Error[0]: error:8000000D:system library::Permission denied
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: OpenSSL Error[1]: error:10080002:BIO routines::system lib
Aug 29 13:01:37 archleft mosquitto[38711]: 1693306897: OpenSSL Error[2]: error:0A080002:SSL routines::system lib
Aug 29 13:01:37 archleft systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Offline
O.K. - the permission error simply stops at the first failed read regardless of the file.
Try moving the certificate files to "/etc/mosquitto/certs" (must be created) or "/etc/mosquitto" and changing the parameters accordingly.
Offline
Try moving the certificate files to "/etc/mosquitto/certs"
does help! I tried to "ln -s" the same files but it does not work. What is happening here? Is it possible to fix this without copy pasting the files around? I will have to do this on every renewal of certificates (every 3 months).
Offline
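The two posts above describe the same root cause from two sides: mosquitto started by systemd runs as its own service account rather than as root, so every directory on the way to the certificate must be searchable by that account and the file itself readable, and a symlink placed elsewhere does not help because the kernel checks the permissions of the link's target path. The script below is an added diagnostic that is not part of the thread or of the mosquitto project. It walks a resolved path component by component and names the first one that blocks the "others" permission class, which is the class that applies when the service user neither owns the files nor is in their group (the /root case, mode 700). The function name, the BASE/FILE argument convention and the use of GNU coreutils `stat -c %a` and `readlink -f` are this example's own assumptions.

```shell
#!/bin/sh
# Diagnose "Permission denied" on a certificate path the way the kernel sees it:
# every directory on the way to the file needs the execute (search) bit and the
# file itself needs the read bit for the account that opens it. Under systemd
# mosquitto runs as its own user, not root, so /root (mode 700) blocks it even
# though "sudo mosquitto -c ..." works. The path is resolved first because a
# symlink elsewhere does not help: the kernel checks the target path's bits.
#
# first_blocking_component BASE FILE
#   Prints the first component below BASE that the "others" class cannot
#   traverse (directory without o+x) or read (file without o+r), or the word
#   "readable" if nothing blocks. Only the "others" bits are examined; that is
#   the relevant class when the service user is neither owner nor group member.
#   (Example code; assumes GNU coreutils: stat -c, readlink -f.)
first_blocking_component() {
    base=$(readlink -f "$1")
    target=$(readlink -f "$2")          # follow symlinks to the real file
    [ "$base" = / ] && base=            # so "$base/x" reads "/x", not "//x"
    case $target in
        "$base"/*) ;;
        *) echo "error: $2 does not resolve below $1" >&2; return 2 ;;
    esac
    rel=${target#"$base"/}
    cur=$base
    oldifs=$IFS
    IFS=/
    set -- $rel                         # split the relative path on "/"
    IFS=$oldifs
    for comp in "$@"; do
        cur="$cur/$comp"
        mode=$(stat -c %a "$cur")                   # octal mode, e.g. 700 or 1777
        others=$(printf '%s' "$mode" | tail -c 1)   # the "others" digit
        if [ -d "$cur" ]; then
            # a directory without o+x cannot be entered, whatever lies below it
            if [ $(( others & 1 )) -eq 0 ]; then printf '%s\n' "$cur"; return 0; fi
        else
            # the final file needs o+r for the broker to open it
            if [ $(( others & 4 )) -eq 0 ]; then printf '%s\n' "$cur"; return 0; fi
        fi
    done
    echo readable
}

# Usage on a real host, checking the whole path from "/":
#   first_blocking_component / /root/nginx/letsencrypt/live/<host>/fullchain.pem
if [ $# -ge 2 ]; then
    first_blocking_component "$1" "$2"
fi
```

Run against the paths from the first post, the first blocking component is `/root` itself, which is why `setfacl` on the files alone and `ln -s` into `/etc/mosquitto` both change nothing: the traversal check fails before the file is ever reached. Moving (or copying) the files under `/etc/mosquitto/certs` avoids `/root` entirely.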
-thc wrote: Try moving the certificate files to "/etc/mosquitto/certs"
does help! I tried to "ln -s" the same files but it does not work. What is happening here? Is it possible to fix this without copy pasting the files around? I will have to do this on every renewal of certificates (every 3 months).
The "/root" directory is the home for the user "root" and IMHO should not be used for anything else.
The primary destination for certificates and keys is "/etc/ssl" - but some daemons require that their certificates and keys are inside their own /etc sub-directory. If I remember that correctly from my own setup it's the latter for mosquitto (I tried "/etc/ssl" and it failed).
Can you set up your certificate renewal routine with the destination "/etc/mosquitto/certs"?
Offline
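A renewal routine of the kind -thc asks about, written as an added example that is not from the thread or from the mosquitto project. It copies the renewed chain and key into the broker's own directory with modes the service account can use (public chain world-readable, private key owner-only, directory searchable) and replaces each file atomically, so a renewal that lands while the broker is running never leaves a half-written certificate behind. The hook assumes certbot's deploy-hook convention, where certbot exports RENEWED_LINEAGE pointing at the renewed live directory, and a broker account and group both named `mosquitto`; for the Docker-based renewal in the first post the same `install_certs` function can be called with the `/root/nginx/letsencrypt/live/...` directory as its source from whatever job performs the renewal.

```shell
#!/bin/sh
# Copy a renewed Let's Encrypt lineage into the broker's own certificate
# directory and restart mosquitto so it picks up the new files. Written as a
# certbot deploy hook (example code, not the project's own): certbot exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/<host>, when it runs the hook
# after a successful renewal. The destination path, owner and unit name below
# are assumptions for a typical host install.
set -eu

# install_certs SRC_DIR DST_DIR [OWNER]
#   Copies fullchain.pem and privkey.pem from SRC_DIR into DST_DIR. The chain
#   is public and becomes world-readable; the key is owner-only. OWNER (as for
#   chown, e.g. mosquitto:mosquitto) is applied only when given, so the function
#   also works unprivileged. Each file is written to a temp name and renamed,
#   which is atomic on the same filesystem: readers see old or new, never half.
install_certs() {
    src=$1
    dst=$2
    owner=${3:-}
    mkdir -p "$dst"
    chmod 755 "$dst"                    # the broker user must be able to enter it
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "install_certs: missing or unreadable $src/$f" >&2
            return 1
        fi
        tmp="$dst/.$f.tmp"
        cp -L "$src/$f" "$tmp"          # -L: copy the target, certbot's live/ entries are symlinks
        case $f in
            privkey.pem) chmod 600 "$tmp" ;;
            *)           chmod 644 "$tmp" ;;
        esac
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp"
        fi
        mv -f "$tmp" "$dst/$f"          # atomic replace
    done
}

# When invoked by certbot as a deploy hook, install and restart the broker.
# (Outside certbot RENEWED_LINEAGE is unset and nothing happens, so the file
# can also be sourced just for the function.)
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" /etc/mosquitto/certs mosquitto:mosquitto
    systemctl restart mosquitto
fi
```

With the files under `/etc/mosquitto/certs`, the `certfile` and `keyfile` options in `mosquitto.conf` point there (`fullchain.pem` as the `certfile`, as suggested above, and no `cafile`), and the quarterly renewal needs no manual copying.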