Client certificate authentication without username/password not working #2750

Closed
mortencombat opened this issue Nov 18, 2022 · 2 comments
@mortencombat

Describe the issue you are experiencing

I'm using a client certificate to publish to Mosquitto, with use_identity_as_username true so I shouldn't need to enter a username and password (e.g. can just use certificate authentication).

This works fine when I set up and test just locally. I cannot get it to work with the Mosquitto broker add-on in Home Assistant.

It works with the Mosquitto add-on if I specify the username and password of a valid user, but this should not be necessary. When I test locally (setting up a local mosquitto broker), it works fine (e.g. authenticating using just the client certificate/key; username/password is not necessary). As best as I can see, the use_identity_as_username true setting is not effectuated.

Using mosquitto_pub with -d option, I get the following output:

Client null sending CONNECT
Client null received CONNACK (5)
Connection error: Connection Refused: not authorised.
Error: The connection was refused.

On the Mosquitto add-on logs I see this (full log below):

2022-11-18 13:21:28: New connection from 10.0.20.82:50311 on port 8883.
error: received null username or password for unpwd check

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Mosquitto broker

What is the version of the add-on?

6.1.3

Steps to reproduce the issue

  1. Create a set of CA, server and client certificates/keys
  2. Configure the add-on: set require_certificate: true, customize.active: true and specify ca_file, cert_file and key_file
  3. In /share/mosquitto place a custom configuration file, e.g. mosquitto.conf, with use_identity_as_username true
  4. Restart add-on
  5. Use mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -d -h <hostname> -p 8883 -t test -m "hello there"
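Since the add-on log shows both the generated /etc/mosquitto/mosquitto.conf and the custom /share/mosquitto/mosquitto.conf being loaded, it is worth checking which listener a listener-specific option such as use_identity_as_username actually attaches to once the two are combined; the checker below is an added example, not code from the add-on or from Mosquitto, that replays Mosquitto's rule that listener-specific options apply to the most recently declared listener (or the default listener if they come before any listener line). The sample configs and the /ssl/ paths are constructed placeholders.

```python
# Mosquitto applies listener-specific options to the most recently
# declared "listener" line, or to the default listener when they appear
# before any listener line. This helper shows where each option lands.
LISTENER_OPTS = {
    "cafile", "certfile", "keyfile", "require_certificate",
    "use_identity_as_username", "use_subject_as_username",
}

def listener_options(conf_text):
    """Map each listener ('default' or port) to the listener-specific
    options that attach to it, in the order Mosquitto reads them."""
    current = "default"
    result = {"default": {}}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            current = value.split()[0]  # "listener 8883 [bind address]"
            result.setdefault(current, {})
        elif key in LISTENER_OPTS:
            result[current][key] = value
    return result

def cert_identity_active(conf_text, port):
    """True only if the given listener both requires a client certificate
    and maps the certificate identity to the MQTT username."""
    opts = listener_options(conf_text).get(port, {})
    return (opts.get("require_certificate") == "true"
            and opts.get("use_identity_as_username") == "true")

# Constructed sample configs (not the add-on's generated file). In the
# first, the option appears before the listener and lands on "default".
BEFORE_LISTENER = """\
use_identity_as_username true
listener 8883
cafile /ssl/ca.crt
certfile /ssl/server.crt
keyfile /ssl/server.key
require_certificate true
"""
AFTER_LISTENER = BEFORE_LISTENER.replace("use_identity_as_username true\n", "") \
    + "use_identity_as_username true\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE_LISTENER), ("after", AFTER_LISTENER)):
        print(name, listener_options(conf), cert_identity_active(conf, "8883"))
```

Run it against the concatenation of the generated and custom files in the order the broker loads them to see whether the 8883 listener is the one that ends up with both require_certificate and use_identity_as_username.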

System Health information

System Information

version core-2022.11.3
installation_type Home Assistant OS
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.10.7
os_name Linux
os_version 5.15.74
arch x86_64
timezone Europe/Copenhagen
config_dir /config
Home Assistant Community Store
GitHub API ok
GitHub Content ok
GitHub Web ok
GitHub API Calls Remaining 4985
Installed Version 1.28.3
Stage running
Available Repositories 1142
Downloaded Repositories 2
Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok
Home Assistant Supervisor
host_os Home Assistant OS 9.3
update_channel stable
supervisor_version supervisor-2022.10.2
agent_version 1.4.1
docker_version 20.10.18
disk_total 30.8 GB
disk_used 4.8 GB
healthy true
supported true
board ova
supervisor_api ok
version_api ok
installed_addons Let's Encrypt (4.12.7), Studio Code Server (5.4.1), Terminal & SSH (9.6.1), Mosquitto broker (6.1.3)
Dashboards
dashboards 1
resources 0
mode auto-gen
Recorder
oldest_recorder_run November 11, 2022 at 16:31
current_recorder_run November 18, 2022 at 11:18
estimated_db_size 35.93 MiB
database_engine sqlite
database_version 3.38.5

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/mosquitto.sh
[13:21:18] INFO: Setting up user ams
[13:21:18] INFO: Certificates found: SSL is available
cont-init: info: /etc/cont-init.d/mosquitto.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun mosquitto (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
[13:21:18] INFO: Starting NGINX for authentication handling...
s6-rc: info: service legacy-services successfully started
[13:21:18] INFO: Starting mosquitto MQTT broker...
1668774078: Loading config file /share/mosquitto/mosquitto.conf
2022-11-18 13:21:18: Warning: Mosquitto should not be run as root/administrator.
time="2022-11-18T13:21:18+01:00" level=debug msg="got 3 users from passwords file"
time="2022-11-18T13:21:18+01:00" level=debug msg="got 0 lines from acl file"
time="2022-11-18T13:21:18+01:00" level=info msg="Backend registered: Files"
time="2022-11-18T13:21:18+01:00" level=debug msg="new hasher: pbkdf2"
time="2022-11-18T13:21:18+01:00" level=info msg="Backend registered: HTTP"
time="2022-11-18T13:21:18+01:00" level=info msg="registered acl checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered user checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered superuser checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered acl checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="registered user checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="registered superuser checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="redisCache activated"
time="2022-11-18T13:21:18+01:00" level=info msg="started go-cache"
[13:21:19] INFO: Successfully send discovery information to Home Assistant.
[13:21:19] INFO: Successfully send service information to the Supervisor.
2022-11-18 13:21:18: mosquitto version 2.0.11 starting
2022-11-18 13:21:18: Config loaded from /etc/mosquitto/mosquitto.conf.
2022-11-18 13:21:18: Loading plugin: /usr/share/mosquitto/go-auth.so
2022-11-18 13:21:18:  ├── Username/password checking enabled.
2022-11-18 13:21:18:  ├── TLS-PSK checking enabled.
2022-11-18 13:21:18:  └── Extended authentication not enabled.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 8885.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 1883.
2022-11-18 13:21:18: Opening ipv6 listen socket on port 1883.
2022-11-18 13:21:18: Opening websockets listen socket on port 1884.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 8883.
2022-11-18 13:21:18: Opening ipv6 listen socket on port 8883.
2022-11-18 13:21:18: Opening websockets listen socket on port 8884.
2022-11-18 13:21:18: mosquitto version 2.0.11 running
2022-11-18 13:21:18: New connection from 127.0.0.1:39048 on port 1883.
2022-11-18 13:21:18: Client <unknown> closed its connection.
2022-11-18 13:21:28: New connection from 10.0.20.82:50311 on port 8883.
error: received null username or password for unpwd check

Additional information

No response

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Dec 18, 2022
@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Dec 25, 2022
@pruwait

pruwait commented Jun 18, 2024

Is there any solution?
I need use_identity_as_username true
