[Support]: MQTT Configuration does not support MQTTS without self-signed certs #2471

Open
Nulifier opened this issue Dec 17, 2021 · 3 comments
Labels
enhancement New feature or request pinned

Comments

@Nulifier

Describe the problem you are having

I was trying to get Frigate to connect to my MQTT server that uses a certificate from Let's Encrypt (not self-signed). When I run Frigate without setting tls_ca_certs, Frigate does not connect to my MQTT server and displays no log output related to MQTT. If I set tls_ca_certs to the default certificate authority file (/etc/ssl/certs/ca-certificates.crt), it connects properly.

I did some digging around the code and found this line that controls enabling SSL/TLS with paho-mqtt. It does not call tls_set unless a value for tls_ca_certs is provided. Referring to the documentation for this function, it states that if you call it without providing a value for ca_certs on Python 3.4+, it will use the default certificate authority of the system.

The configuration should be changed to allow a secure flag to be set to enable SSL/TLS without providing a certificate authority, or the documentation should be updated to indicate that you need to use a default value of /etc/ssl/certs/ca-certificates.crt (for Ubuntu 20.04).

Version

0.9.4-26ae608

Frigate config file

mqtt:
  host: <removed>
  port: 8883
  user: frigate
  password: <removed>
  # Without this line it doesn't work
  tls_ca_certs: /etc/ssl/certs/ca-certificates.crt

cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp:https://admin:[email protected]:554/h264Preview_01_sub
          roles:
            - detect
            - rtmp
            - record
    detect:
      width: 640
      height: 480
      fps: 7

Relevant log output

N/A

FFprobe output from your camera

N/A

Frigate stats

N/A

Operating system

Debian

Install method

Docker Compose

Coral version

CPU (no coral)

Network connection

Wired

Camera make and model

Reolink 520

Any other information that may be helpful

Really cool project and just wanted to fix this for anyone else who might have the same problem as I couldn't find anything online.

@Zen3515

Zen3515 commented Dec 25, 2022

I was facing the same problem. For the latest version we need to add two configurations:

mqtt:
  ...
  tls_ca_certs: /etc/ssl/certs/ca-certificates.crt
  tls_insecure: false

@jherby2k

jherby2k commented Sep 7, 2023

Thanks - got it working finally (HA addon), but I had to set:

mqtt:
  ...
  tls_ca_certs: /etc/ssl/certs/ca-certificates.crt
  tls_insecure: true

tls_insecure has to be true for the add-on, because it's connecting to the IP not the FQDN in the certificate. Just for anyone else reading this thread.

@ve6rah

ve6rah commented Sep 20, 2023

> tls_insecure has to be true for the add-on, because it's connecting to the IP not the FQDN in the certificate. Just for anyone else reading this thread.

That will depend on your configuration. In my case the host I have set is a FQDN valid in my certificate, and tls_insecure: false works for me.
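
The TLS behaviour discussed in this thread, as an added example that is not part of any comment or of Frigate's code: it builds the TLS context with Python's standard `ssl` module from the `mqtt` keys shown above and reports the settings that weaken or break certificate verification. The `tls` key is a hypothetical flag (the "secure flag" the issue proposes), and the sample hosts are constructed.

```python
import ipaddress
import ssl

# Constructed sample configs (hosts are documentation placeholders).
SAMPLE_FQDN = {"host": "mqtt.example.org", "port": 8883, "tls": True}
SAMPLE_IP_INSECURE = {"host": "192.0.2.10", "port": 8883, "tls": True,
                      "tls_insecure": True}


def build_mqtt_tls_context(mqtt_cfg):
    """Return an ssl.SSLContext for the broker, or None for plain MQTT.

    `tls` is a hypothetical flag; tls_ca_certs and tls_insecure are the
    keys shown in this thread.
    """
    ca_file = mqtt_cfg.get("tls_ca_certs")
    if not (mqtt_cfg.get("tls") or ca_file):
        return None  # TLS not requested
    # cafile=None loads the system default trust store, which is what a
    # publicly trusted (e.g. Let's Encrypt) broker certificate needs.
    ctx = ssl.create_default_context(cafile=ca_file)
    if mqtt_cfg.get("tls_insecure", False):
        # Chain validation stays on; only the hostname check is dropped.
        ctx.check_hostname = False
    return ctx


def tls_findings(mqtt_cfg):
    """List the configuration problems a reviewer would flag."""
    findings = []
    try:
        ipaddress.ip_address(mqtt_cfg.get("host", ""))
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    if mqtt_cfg.get("tls_insecure", False):
        findings.append("hostname verification disabled: any certificate "
                        "that chains to a trusted CA will be accepted")
    elif host_is_ip:
        findings.append("host is an IP literal: verification fails unless "
                        "the certificate has a matching IP SAN")
    if mqtt_cfg.get("port") == 8883 and build_mqtt_tls_context(mqtt_cfg) is None:
        findings.append("port 8883 configured but TLS is not enabled")
    return findings
```

The returned context can be handed to paho-mqtt through `Client.tls_set_context()`.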
