Error testing SSL/TLS configuration

Hi everyone,

I’m new to this community and to the EMQX software :slight_smile:

I’m trying to build an EMQX configuration with SSL/TLS.

Currently, EMQX is up and running from a Docker image with this emqx.conf:

node {
  name = "emqx@127.0.0.1"
  cookie = "secretCookie"
  data_dir = "data"
}

cluster {
  name = emqxcl
  discovery_strategy = manual
}

listeners.tcp.default {
  bind = "0.0.0.0:1883"
  max_connections = 1024000
}

listeners.ssl.default {
  bind = "0.0.0.0:8883"
  max_connections = 1024000
  ssl_options {
    cacertfile = "/opt/emqx/etc/certs/rootCA.crt"
    certfile = "/opt/emqx/etc/certs/server.crt"
    keyfile = "/opt/emqx/etc/certs/server.key"
    verify = verify_peer
    fail_if_no_peer_cert = true
  }
}

log {
  file {
    enable = true
    formatter = text
    level = info
    path = "/opt/emqx/log/emqx.log"
    rotation_count = 10
    rotation_size = 50MB
    time_offset = system
    timestamp_format = auto
  }
  console {
    level = info
    enable = true
    formatter = json
    time_offset = system
    timestamp_format = auto
  }
}

dashboard {
  listeners.http {
    bind = 18083
  }
}

authorization {
  deny_action = ignore
  no_match = allow
  sources = [
    {
      type = file
      enable = true
      path = "/opt/emqx/etc/acl.conf"
    }
  ]
}

All the certificates, the certfile and the keyfile have been generated following this documentation:

All the certificates have different CNs and I don’t use an intermediate CA!

The Docker image starts correctly with this configuration. No error in the logs.
Here is the start command (I redirect port 8884 to 8883):

docker run --rm -d \
  -e EMQX_DEFAULT_LOG_HANDLER=file \
  -p 1883:1883 -p 8884:8883 \
  -p 18083:18083 \
  -v /data/emqx/etc:/opt/emqx/etc \
  -v /data/emqx/data:/opt/emqx/data \
  -v /data/emqx/log:/opt/emqx/log \
  654654543983.dkr.ecr.us-east-2.amazonaws.com/emqx:latest

In another Docker image, I have installed the mosquitto_sub and mosquitto_pub clients.
I succeeded in publishing and subscribing to messages with the TCP listener using these commands:

mosquitto_pub -h VM_IPAddress -p 1883 -q 0 -t clients/hello/world -m "Hello"
mosquitto_sub -h VM_IPAddress -p 1883 -q 0 -t clients/hello/world/#

However, when I try to do the same with the TLS listener, I get some errors:
The mosquitto_sub command (in debug mode):

mosquitto_sub -d -h VM_IPAddress -p 8884 -q 0 -t clients/+/hello/world --cafile rootCA.crt --cert device.crt --key device.key
Client (null) sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.

The EMQX logs show this error:

2024-06-25T15:42:55.943476+00:00 [notice] TLS server: In state wait_cert at tls_record_1_3.erl:213 generated SERVER ALERT: Fatal - Bad Record MAC, - {record_type_mismatch,21}
2024-06-25T15:42:55.943872+00:00 [notice] supervisor: {esockd_connection_sup,<0.3262.0>}, errorContext: ssl_error, reason: {tls_alert,{bad_record_mac,"TLS server: In state wait_cert at tls_record_1_3.erl:213 generated SERVER ALERT: Fatal - Bad Record MAC\n {record_type_mismatch,21}"}}, offender: [{pid,<0.3262.0>},{name,connection},{mfargs,{emqx_connection,start_link,[#{listener => {ssl,default},limiter => undefined,zone => default,enable_authn => true}]}}]

Can you please help me with this?

If you need more information, ask me :slight_smile:

Thank you in advance
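As an added pre-flight script (example code, not from the post, EMQX or mosquitto): before pointing mosquitto_sub at the broker, it checks offline that server.crt chains to rootCA.crt, that server.crt names the host given to -h (the step behind "host name verification failed"), and that device.crt chains to the CA the broker's verify_peer uses. It assumes openssl on the PATH and the file names from the post.

```shell
# Offline pre-flight for a mutual-TLS MQTT listener. It uses only openssl and
# the PEM files to check the three things that are checked at handshake time:
#   1. server.crt chains to rootCA.crt (what the client's --cafile enforces)
#   2. server.crt names the host the client connects to in its SAN (or CN
#      fallback); this is the check mosquitto_sub reports as
#      "host name verification failed"
#   3. device.crt chains to rootCA.crt (what the broker's verify_peer enforces)
# File names follow the post; any other paths can be passed to the functions.

# check_chain CA CERT -> exit 0 when CERT chains to CA
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_name CERT HOST -> exit 0 when CERT's SAN (or CN fallback) matches HOST.
# A dotted-quad HOST is matched with -checkip, anything else with -checkhost.
# Caveat: -checkip consults iPAddress SANs only, so a certificate that carries
# the address nowhere but in its CN fails this check even if some clients
# would still accept it; an IP SAN is what every modern TLS stack expects.
check_name() {
    cert=$1; host=$2
    case $host in
        *[!0-9.]*) flag=-checkhost ;;   # contains a non-digit: DNS name
        *)         flag=-checkip   ;;   # digits and dots only: IPv4 literal
    esac
    openssl x509 -in "$cert" -noout "$flag" "$host" 2>/dev/null | grep -q ' does match '
}

# tls_preflight CA SERVER_CERT CLIENT_CERT HOST -> 0 when every check passes;
# otherwise prints each failing check and returns the number of failures.
tls_preflight() {
    ca=$1; server=$2; client=$3; host=$4; failed=0
    check_chain "$ca" "$server" ||
        { echo "FAIL: $server does not chain to $ca (client --cafile)"; failed=$((failed + 1)); }
    check_name "$server" "$host" ||
        { echo "FAIL: $server does not name $host in SAN/CN (host name verification)"; failed=$((failed + 1)); }
    check_chain "$ca" "$client" ||
        { echo "FAIL: $client does not chain to $ca (broker verify_peer)"; failed=$((failed + 1)); }
    [ "$failed" -eq 0 ] && echo "OK: $server, $client and $host are consistent with $ca"
    return "$failed"
}

# Usage, with the file names from the post and the address given to -h:
# tls_preflight rootCA.crt server.crt device.crt VM_IPAddress
```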