Error: unable to get local issuer certificate

jigneshk5 · February 21, 2023, 11:27pm

I’m using EMQ X Broker 4.4.14 zip version in Ubuntu 20.04 . I setup the MQTT TLS setup with these configuration:
listener.ssl.external.keyfile = etc/letsencrypt/privkey.pem
listener.ssl.external.certfile = etc/letsencrypt/fullchain.pem
listener.ssl.external.cacertfile = etc/letsencrypt/ca.pem

privkey and fullchain are copied from /etc/letsencrypt/live/{domain}
ca.pem is merge of ISRG_Root_X1.pem and chain.pem (from letsencrypt)

But I’m getting the following logs in emqx.log.1:
2023-02-21T22:34:21.390149+00:00 [error] supervisor: ‘esockd_connection_sup - <0.1802.0>’, errorContext: connection_shutdown, reason: {ssl_error,{tls_alert,{unknown_ca,“TLS server: In state wait_cert at ssl_handshake.erl:2105 generated SERVER ALERT: Fatal - Unknown CA\n”}}}, offender: [{pid,<0.4875.0>},{name,connection},{mfargs,{emqx_connection,start_link,[[{deflate_options,[]},{crl_options,[{crl_check_enabled,false},{crl_cache_urls,[]}]},{ocsp_options,[{ocsp_stapling_enabled,false},{ocsp_refresh_interval,300000},{ocsp_refresh_http_timeout,15000}]},{max_conn_rate,500},{active_n,100},{zone,external},{proxy_address_header,<<>>},{proxy_port_header,<<>>},{supported_subprotocols,[]}]]}}]

Getting this error added in log every 1 second. Please help me fix this issue.

Maverick · February 22, 2023, 7:11am

You can find an explanation for this error in the FAQ document, which is usually caused by the client’s certificate configuration being incorrect.

Is the cacertfile you configure in EMQX the root CA certificate of the client certificate?