Steps to enable SSL/TLS for emqx

Dear Team,

We have ssl.crt and ssl.key to enable SSL/TLS for Emqx Mqtt broker using docker

below is the emqx.conf file

cat emqx.conf

node {
  name = "emqx@127.0.0.1"
  cookie = "emqxsecretcookie"
  data_dir = "data"
}

cluster {
  name = emqxcl
  discovery_strategy = manual
}

dashboard {
  listeners.http {
    bind = 18083
  }
}

listener.tcp.external.allow_anonymous = false
listener.tcp.external.credential.username = "abc"
listener.tcp.external.credential.password = "abc@123"

listener.wss.external = 8084
listener.wss.external.certfile = "etc/certs/ssl.crt"
listener.wss.external.keyfile = "etc/certs/ssl.key"

However, I am able to connect on port 1883 with username and password but unable to connect with option mqtts on port 8083 or 8084. Please suggest.

Dear Team,

Please help in enabling SSL/TLS for emqx

Dear team,

Please help in enabling SSL/TLS configuration of Emqx mqtt broker

In order to do anything, we need logs from the broker and the client side.

Dear Team,

Below are the docker logs for emqx

docker logs emqx8
WARNING: Default (insecure) Erlang cookie is in use.
WARNING: Configure node.cookie in /opt/emqx/etc/emqx.conf or override from environment variable EMQX_NODE__COOKIE
WARNING: NOTE: Use the same cookie for all nodes in the cluster.
EMQX_RPC__PORT_DISCOVERY [rpc.port_discovery]: manual
EMQX_NODE__NAME [node.name]: emqx@172.17.0.2
Listener ssl:default on 0.0.0.0:8883 started.
Listener tcp:default on 0.0.0.0:1883 started.
Listener ws:default on 0.0.0.0:8083 started.
Listener wss:default on 0.0.0.0:8084 started.
Listener http:dashboard on :18083 started.
EMQX 5.3.1 is running now!
Received terminate signal, shutting down now
Stop listener http:dashboard on :18083 successfully.
Listener ssl:default on 0.0.0.0:8883 stopped.
Listener tcp:default on 0.0.0.0:1883 stopped.
Listener ws:default on 0.0.0.0:8083 stopped.
Listener wss:default on 0.0.0.0:8084 stopped.
WARNING: Default (insecure) Erlang cookie is in use.
WARNING: Configure node.cookie in /opt/emqx/etc/emqx.conf or override from environment variable EMQX_NODE__COOKIE
WARNING: NOTE: Use the same cookie for all nodes in the cluster.
EMQX_RPC__PORT_DISCOVERY [rpc.port_discovery]: manual
EMQX_NODE__NAME [node.name]: emqx@172.17.0.2
2024-04-30T07:00:01.768546+00:00 [warning] msg: config_key_not_recognized, mfa: emqx_config:warning_deprecated_root_key/1(827), unknown_config_keys: listener
Listener ssl:default on 0.0.0.0:8883 started.
Listener tcp:default on 0.0.0.0:1883 started.
Listener ws:default on 0.0.0.0:8083 started.
Listener wss:default on 0.0.0.0:8084 started.
Listener http:dashboard on :18083 started.
EMQX 5.3.1 is running now!
2024-04-30T09:09:52.072770+00:00 [warning] msg: authorization_permission_denied, mfa: emqx_authz:authorize_non_superuser/5(489), peername: 205.210.31.85:60812, clientid: test, topic: $SYS/#, ipaddr: {205,210,31,85}, source: file, username: undefined
2024-04-30T09:09:52.073479+00:00 [warning] msg: authorization_permission_denied, mfa: emqx_authz:authorize_non_superuser/5(489), peername: 205.210.31.85:60812, clientid: test, topic: #, ipaddr: {205,210,31,85}, source: file, username: undefined

docker exec -it emqx8 bash
emqx@967c120efb68:/opt/emqx$ ls
bin data erts-13.2.2 etc lib log plugins releases
emqx@967c120efb68:/opt/emqx$ cd log/
emqx@967c120efb68:/opt/emqx/log$ ls -ltr
total 0

Whereas in the log directory, there are no logs present.

Dear Team,

Do I have to rename the ssl.crt and ssl.key to emqx.crt and emqx.key, or is there no need? Please help me in configuring it.

Dear Team,

We also want to move from open source to enterprise.

Could you please ask someone from the team to contact us: +971565977445

Thanks & Regards,
Mohammed.Raheem

Dear Team,

Could you please help.

Dear Team,

Could you please update

Dear Team,

Could you please update.

Dear Team,

Could you please help in configuring SSL/TLS for emqx mqtt broker? I am waiting for your inputs.

Dear Team,

Could you please update?

Hi Team,

Please update.

Dear team,

Could you please respond

Dear Team,

I am eagerly waiting for your inputs, as I need to enable SSL/TLS for emqx mqtt broker.

Please help me.

Dear Team,

Could someone please respond, it is very important.

Hello,

This forum is for community members to help each other, so it’s not the best way to gain attention from the dev team, since we don’t monitor it 24/7. Generally, asking for help in emqx/emqx · Discussions · GitHub will get a faster response.

Regarding your issue, have you checked this instruction: Listener Configuration | EMQX Documentation? To configure any TLS listener you need three files: certfile (certificate), keyfile (private key) and cacertfile (Certification Authority certificate). cacertfile is missing in your config, this could be the reason for the problem.
But to eliminate the guesswork, we need to see the logs and/or raw tcpdump traces from the client side that contain the reason why the connection did not succeed, as well as debug traces from the broker side. It could be for a multitude of reasons, e.g. improperly configured load balancer or firewall.

Dear Team,

But I have two files only: ssl.crt and ssl.key. I don't have cacertfile.

How to generate cacertfile? Please help me to generate it.

In the log file, we have the below error:

cat emqx.log.1
2024-05-03T14:12:46.528795+03:00 [warning] msg: config_key_not_recognized, unknown_config_keys: listener
2024-05-03T14:17:01.860921+03:00 [warning] msg: config_key_not_recognized, unknown_config_keys: listener

I don't have any log files apart from this. No log files are generated.

This warning is telling you that the config is incorrect:
It’s listeners.wss…, not listener.wss.

How to generate cacertfile , please help me to generate it.

It’s the certificate of the certificate authority that issued your server certificate (certfile). The procedure for obtaining it differs by provider, so you should consult your certificate provider for the details.

If you use a self-signed certificate, then the cacertfile is the rootCA.crt certificate created at the first step.
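
The listener section of emqx.conf with the corrections from the replies applied, as an added example that is not part of any post in this thread and not EMQX's own sample config. It assumes EMQX 5.x HOCON syntax, reuses the etc/certs/ssl.crt and etc/certs/ssl.key paths from the question, and assumes the CA certificate is saved as etc/certs/rootCA.crt and that all three files are present inside the container under /opt/emqx.

```hocon
# Added example, not from the thread.
# In EMQX 5.x the root key is "listeners" (plural). Legacy "listener.*"
# keys are skipped with the config_key_not_recognized warning shown in
# the log above, so the built-in default listeners stay in effect.

# MQTT over TLS. The broker log shows ssl:default on 8883; this is the
# port an mqtts:// client must use (8083 is plain WebSocket, 8084 is
# secure WebSocket).
listeners.ssl.default {
  bind = "0.0.0.0:8883"
  ssl_options {
    certfile   = "etc/certs/ssl.crt"     # server certificate (from the question)
    keyfile    = "etc/certs/ssl.key"     # private key (from the question)
    cacertfile = "etc/certs/rootCA.crt"  # issuing CA certificate (assumed file name)
  }
}

# MQTT over secure WebSocket, for wss:// clients.
listeners.wss.default {
  bind = "0.0.0.0:8084"
  ssl_options {
    certfile   = "etc/certs/ssl.crt"
    keyfile    = "etc/certs/ssl.key"
    cacertfile = "etc/certs/rootCA.crt"  # assumed file name
  }
}
```

The certificate files do not need to be renamed as long as the paths in ssl_options point at them. After a restart, the config_key_not_recognized warning for listener should no longer appear in the broker log.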