Vince Skahan <[email protected]> writes:

> I have not been able to get self-signed certs for a LAN-only setup to work.
> While I can create the CA and broker files and they pass muster with
> openssl (can verify the broker cert is signed by the local CA),
> unfortunately Belchertown doesn't connect and logs show either SSL version,
> protocol, or TLS version issues. More unfortunately, Belchertown provides
> zero logging saying 'why' it failed to connect. All I see is an immediate
> close by the client reported in the mosquitto logs, sometimes. I usually
> don't even see the connect attempt.
Not sure exactly what your setup is, but what are you using for a name with your self-signed CA? Is it a real FQDN that, when resolved via DNS, gives requesters the (LAN) IP address (DNS RPZ?)? Or is it "broker.local"?

When connecting via TLS, the normal path is to do PKIX validation. This has two parts. One is checking that the name used to start the TLS connection matches the cert, where (more or less) "match" means it's one of the subject alternative names. The second is that the certificate presented, together with the set of configured trust anchors, needs to pass validation.

So assuming you are running mosquitto, the first thing would be to see if mosquitto_sub and mosquitto_pub work from the host you are trying to use for weewx, and from the browser host.

You didn't say what browser, and you didn't say how you configured the browser to add the local CA as a trust anchor. Usually, browsers have their own trust anchor config instead of using the system config. Also, some browsers are getting extra strict trying to protect users from themselves. They may be fussier about websockets than https.

You could also use a global domain name, get a LE cert, and then use a DNS response policy zone to get the right addr to the client.

--
You received this message because you are subscribed to the Google Groups "weewx-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/d/msgid/weewx-user/rmicy27p2ci.fsf%40s1.lexort.com.
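The two PKIX checks described in the reply above (the chain must validate against the configured trust anchor, and the name used to connect must be one of the certificate's subject alternative names) can be exercised from the weewx or browser host with a short diagnostic that also reports the reason, which a silent client does not. This is an added example, not code from the thread or from weewx, Belchertown or mosquitto; it uses Python's standard `ssl` module, which applies the same rules (no fallback from SAN to CN). The broker name `broker.local`, port 8883 and CA file `ca.crt` are assumed placeholders.

```python
"""Diagnose a TLS connection to an MQTT broker the way a strict client would.

Added example (not from the thread or from mosquitto/weewx/Belchertown).
It performs the same two PKIX checks the reply describes: the chain must
validate against the configured trust anchor (the local CA file only), and
the name used to connect must appear in the certificate's subject
alternative names. Host, port and CA path are assumed placeholders.
"""
import socket
import ssl
import sys


def classify_tls_message(msg):
    """Map the text of an ssl.SSLError to the likely cause of the failure."""
    low = msg.lower()
    if "hostname mismatch" in low or "doesn't match" in low:
        return "hostname-mismatch"          # name is not in the cert's SANs
    if "certificate_verify_failed" in low or "certificate verify failed" in low:
        if ("self-signed certificate" in low or "self signed certificate" in low
                or "unable to get local issuer certificate" in low):
            return "untrusted-ca"           # chain does not reach a trust anchor
        if "certificate has expired" in low or "not yet valid" in low:
            return "cert-validity"
        return "verify-failed"
    if "wrong_version_number" in low or "unexpected_eof" in low or "unexpected eof" in low:
        return "not-tls"                    # plaintext listener, or closed before the handshake
    if "unsupported_protocol" in low or "unsupported protocol" in low or "no protocols available" in low:
        return "protocol-version"
    return "other"


def san_names(cert):
    """Return the subject alternative names from a getpeercert() dict as 'type:value'."""
    return [f"{kind}:{value}" for kind, value in cert.get("subjectAltName", ())]


def probe(host, port, cafile, server_name=None):
    """Connect with full validation against cafile; on a hostname mismatch,
    reconnect with hostname checking off (chain still required) so the
    names the certificate is actually valid for can be reported."""
    server_name = server_name or host
    ctx = ssl.create_default_context(cafile=cafile)   # trusts only the local CA
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return {"result": "ok", "version": tls.version(),
                        "sans": san_names(tls.getpeercert())}
    except ssl.SSLError as exc:
        cause = classify_tls_message(str(exc))
        out = {"result": cause, "detail": str(exc), "sans": []}
        if cause == "hostname-mismatch":
            lax = ssl.create_default_context(cafile=cafile)
            lax.check_hostname = False
            lax.verify_mode = ssl.CERT_REQUIRED
            try:
                with socket.create_connection((host, port), timeout=5) as sock:
                    with lax.wrap_socket(sock, server_hostname=server_name) as tls:
                        out["sans"] = san_names(tls.getpeercert())
            except (ssl.SSLError, OSError):
                pass
        return out
    except OSError as exc:
        return {"result": "tcp-error", "detail": str(exc), "sans": []}


if __name__ == "__main__":
    # Assumed placeholders: broker name, TLS listener port and local CA file.
    host = sys.argv[1] if len(sys.argv) > 1 else "broker.local"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8883
    cafile = sys.argv[3] if len(sys.argv) > 3 else "ca.crt"
    report = probe(host, port, cafile)
    print(report["result"])
    for key in ("version", "detail"):
        if key in report:
            print(f"  {key}: {report[key]}")
    if report["sans"]:
        print("  certificate is valid for:", ", ".join(report["sans"]))
```

Run it as `python3 probe.py broker.local 8883 ca.crt` from the same host the failing client runs on. A result of `untrusted-ca` means the broker's chain does not end in the CA file given; `hostname-mismatch` means the connect name is not among the SANs listed, which is the common outcome when the CA and cert are made with a CN only, or when the client connects by IP but the cert only carries a DNS name. A pass here proves the cert and chain; it does not prove the browser's own trust store contains the CA, which the reply notes is configured separately from the system store. The equivalent command-line check with OpenSSL is `openssl s_client -connect broker.local:8883 -CAfile ca.crt -verify_hostname broker.local`, reading the `Verify return code` line.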
