mosquitto_pub only Error: Problem setting TLS options. #1221

Open
xenoterracide opened this issue Apr 1, 2019 · 19 comments

@xenoterracide

First, here's my subscriber; you can see that it works, using mqtt.fx to publish, and it's using the same ca_certificate.pem to publish.

Calebs-MBP:predictive-health-gateway calebcushing$ mosquitto_sub -h localhost -p  8883 -t mytopic --debug --insecure -d --tls-version tlsv1.2 --cafile docker/rabbitmq/files/ca_certificate.pem 
Client mosqsub|74467-Calebs-MB sending CONNECT
Client mosqsub|74467-Calebs-MB received CONNACK (0)
Client mosqsub|74467-Calebs-MB sending SUBSCRIBE (Mid: 1, Topic: mytopic, QoS: 0)
Client mosqsub|74467-Calebs-MB received SUBACK
Subscribed (mid: 1): 0
Client mosqsub|74467-Calebs-MB received PUBLISH (d0, q0, r0, m0, 'mytopic', ... (4 bytes))
test

mosquitto_pub also works if I'm not using tls at all.

 mosquitto_pub -h localhost -p  8883 -t mytopic --debug --insecure -d --tls-version tlsv1.2 --cafile docker/rabbitmq/files/ca_certificate.pem -m "test"
Error: Problem setting TLS options.

At the very least, this error should be more detailed.

mosquitto_pub version 1.5.8 running on libmosquitto 1.5.8.

Installed with brew on OS X.

@ralight
Contributor

ralight commented Apr 11, 2019

The only reasons for this error in this case can be "out of memory", or "can't open the cafile". I suspect the latter! I agree the message should be clearer.

@xenoterracide
Author

xenoterracide commented Apr 11, 2019

I don't believe either of them, unless it's doing something that is preventing it from being read by 2 processes at once (you can see both of my commands reference the same file). Would be good to try to figure out why it can't be read, permissions, no such file, bad format, etc.

@ralight
Contributor

ralight commented Apr 11, 2019

This commit gives some better hints when there is an error: cd8f12f

@ralight
Contributor

ralight commented Apr 11, 2019

Apologies, it could also be if the tls version string was wrong, or if the client had been compiled without TLS support - but it would have complained about an unknown option in the latter case.

@ralight
Contributor

ralight commented Apr 11, 2019

You could try removing --tls-version tlsv1.2 for a start, it's 1.2 by default. Then just check you are in the same directory in both cases so they can see the cafile. All it's doing before that error is just opening the file for read to check that it can, then closing it. No looking at the format.

@joshuatonga

It's still showing in the version mosquitto_pub version 1.6.4 running on libmosquitto 1.6.4.

@ralight
Contributor

ralight commented Aug 11, 2019

Can you provide more details? Are you on Mac as well? What does the exact command look like?

@joshuatonga

I'm on Linux. I got it working now. I was using a wrong CA certificate. It's just that the message was not clear IMHO.

@ralight
Contributor

ralight commented Aug 12, 2019

That's worth sorting then. Is the error if you use -d any clearer?

@joshuatonga

I was using that. It was still the same.

This is the full command I ran when I encountered the error message.
mosquitto_pub --cafile XXX.cert --cert XXX.crt --key XXX.key -h XXX -p 8883 -q 1 -t test -I client1 -m "Test" -d

@joshijjayesh

What do you mean by wrong CA file? I am using rootCA.pem but it is not working for me; it is giving the error

problem setting TLS options: File not found.

@joshuatonga

Where did you get that rootCa.pem?

@ralight
Contributor

ralight commented Sep 4, 2019

"File not found" seems fairly clear :) You need the appropriate CA certificate for the server certificate of your server. Where to get it from depends on your own situation. If you made your own CA, you have the certificate. If you are using a commercial CA, then your OS may already have the CA cert. Try setting capath to /etc/SSL/certs instead of using cafile.

@rngadam

rngadam commented Mar 13, 2020

Misspelled the --cafile parameter which led to Error: Problem setting TLS options.

Checking and reporting if the file does not exist would be helpful.

@ralight
Contributor

ralight commented Mar 14, 2020

@rngadam The error message in this situation is Error: Problem setting TLS options: File not found. since version 1.6.

@jypang86

I had the same issue and was Googling around and found this open issue... Lastly, I noticed it requires sudo on Unix; mine is Ubuntu 18.

@mgaugusch

I had this issue when I inadvertently appended a space to the --cafile option placed in ~/.config/mosquito_pub. I only found out using strace. Maybe trailing space should be trimmed when reading options from this file.

@gak

gak commented Mar 7, 2022

For me it was because AppArmor was denying access to the file. I had mosquitto installed via snap in Ubuntu.

Mar 07 20:17:39 zse audit[407074]: AVC apparmor="DENIED" operation="open" profile="snap.mosquitto.pub" name="/home/gak/src/mosquitto-test/ca.crt" pid=407074 comm="mosquitto_pub" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

I didn't look into why, but I assume it has to do with it being installed via snap, forcing access only in the snap directories.

Moving the certificate file to /var/snap/mosquitto/common/ca.crt did the trick. 🙃

@liualexiang

It works for me after running the command below:

sudo snap connect mosquitto:home snapd:home
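
Added example (not from the thread or from the mosquitto project): a pre-flight check that separates the causes reported above for the same generic error, namely a path that only resolves from another directory, whitespace appended to the path, a missing file, and an unreadable file. `diagnose_cafile` is a hypothetical helper name, and its PEM header check goes beyond the open-for-read test the client is described as doing.

```shell
#!/bin/sh
# diagnose_cafile PATH: hypothetical helper, not part of mosquitto.
# Prints one token naming the first problem found; returns 0 only for "ok".
diagnose_cafile() {
    path=$1
    if [ -z "$path" ]; then
        echo "empty-path"; return 1
    fi
    # A relative path only resolves from the directory the client is started in.
    case $path in
        /*) ;;
        *) echo "note: relative path, resolved against $(pwd)" >&2 ;;
    esac
    # Whitespace picked up from a config file line names a different file.
    trimmed=$(printf '%s' "$path" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ "$trimmed" != "$path" ] && [ ! -e "$path" ] && [ -e "$trimmed" ]; then
        echo "whitespace-in-path"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "not-found"; return 1
    fi
    if [ -d "$path" ]; then
        echo "is-directory"; return 1   # a directory belongs in --capath
    fi
    if [ ! -r "$path" ]; then
        echo "not-readable"; return 1
    fi
    # Extra check beyond the client's open-for-read test: PEM header present?
    if ! grep -q -e '-----BEGIN .*CERTIFICATE-----' "$path"; then
        echo "no-pem-header"; return 1
    fi
    echo "ok"
}

# Stand-alone use: sh diagnose_cafile.sh path/to/ca_certificate.pem
if [ $# -gt 0 ]; then
    diagnose_cafile "$1"
fi
```

An "ok" here only covers the calling shell: a snap-confined mosquitto_pub can still be refused the same file, which shows up as an `apparmor="DENIED"` audit line like the one quoted above.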
