Up front, I will admit that I ran into this error because I did not read the documentation fully. However, in my defense, I feel like the error reporting could be clearer and the imprecise error message caused me to waste a bunch of time looking in the wrong place. Hopefully, this will prevent someone else from wasting their time as well.
Using an SSL/TLS Connection with Mosquitto MQTT
This is not a post about how to set up SSL/TLS on a Mosquitto broker. That has been well covered. Personally, I followed the Mosquitto docs for instructions on generating the necessary certificates and keys. Since I am using the Home Assistant Mosquitto Add-On, I followed its instructions for configuring the Mosquitto Broker.
However, when I tried to connect using the mosquitto_sub command line tool, all I got was this:
Client mosq-WzCVS53wMuaPbU8oNT sending CONNECT
Client mosq-WzCVS53wMuaPbU8oNT sending CONNECT
Client mosq-WzCVS53wMuaPbU8oNT sending CONNECT
When I checked the logs of the Mosquitto broker, all I saw was this error:
Client connection from XXX.XXX.XXX.XXX failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
So I spent an hour trying different ciphers with no luck.
You must Specify a capath to Enable Encryption
It is that easy. If you specify the correct --cafile or a --capath in your mosquitto_sub command, things should work.
I would have expected a better error message from the broker or the client. I also was under the impression that using the --insecure flag would have allowed testing without the --cafile. I was wrong.
Of course, in hindsight the documentation clearly notes this requirement.
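Why the broker reports "wrong version number" rather than anything about certificates, as an added example that is not part of the original post: with no --cafile or --capath the client does not enable encryption, so the TLS listener receives a plaintext MQTT CONNECT and reads its second byte as the TLS major version. The function names and sample bytes are constructed for illustration, and the packet layout assumes MQTT 3.1.1.

```python
# Added illustration, not code from the original post. All names are hypothetical.
import struct

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit means more follow."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_mqtt_connect(client_id: str, keepalive: int = 60) -> bytes:
    """Plaintext MQTT 3.1.1 CONNECT: clean session, no username or password."""
    cid = client_id.encode()
    body = (b"\x00\x04MQTT"                   # protocol name
            + b"\x04"                         # protocol level 4 = MQTT 3.1.1
            + b"\x02"                         # connect flags: clean session
            + struct.pack("!H", keepalive)
            + struct.pack("!H", len(cid)) + cid)
    return b"\x10" + encode_remaining_length(len(body)) + body

def read_as_tls_record(data: bytes) -> dict:
    """Interpret the first 5 bytes the way a TLS record parser would."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS handshake from a plaintext MQTT CONNECT sent to a TLS port."""
    if len(data) < 5:
        return "too-short"
    hdr = read_as_tls_record(data)
    if hdr["type"] == 0x16 and hdr["version"][0] == 0x03:
        return "tls-handshake"
    if data[0] == 0x10 and b"\x00\x04MQTT" in data[1:12]:
        return "plaintext-mqtt-connect"
    return "unknown"

# Constructed samples: what a listener would see first in each case.
PLAINTEXT = build_mqtt_connect("mosq-WzCVS53wMuaPbU8oNT")  # encryption not enabled
TLS_HELLO = bytes.fromhex("16030102000100")                # start of a ClientHello

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT), ("tls", TLS_HELLO)):
        print(name, classify_first_bytes(sample), read_as_tls_record(sample))
```

For the plaintext sample the "version" field comes out as (0x23, 0x00), which is the CONNECT remaining-length byte followed by the first byte of the protocol-name length, not a TLS 3.x version.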