Emqx: SSL Letsencrypt

Created on 20 Mar 2019  路  10Comments  路  Source: emqx/emqx

  • OS: Ubuntu 18.04
  • EMQ: 3.1

Hello!

How can I add the ssl letsencrypt certificate in EMQX (Websocket and MQTT)?

I've already tried using the tutorial: https://medium.com/@emqtt/using-lets-encrypt-certificates-in-emq-b11e0e57efa6

But I did not succeed since the tutorial is from version 2.3,

Documentation Support

Most helpful comment

Copying the certificate + key to /etc/emqx/certs/ and chown to emqx:emqx solves the error, but of cause creates an issue with the certbot reissue cycle and possible an issue with the privkey.

All 10 comments

Hi @jgustavo99 In principle the TLS configuration of 2.3 and 3.1 is very similar. Could you describe at which step do you have an issue exactly? If you can give us the output on emqx, it could be helpful.

The same problem in v3.1-rc.1. Did exactly what is described in this article, but nothing works - HTTPS dashboard, WSS, TLS.

2019-04-09 10:50:10.193 [error] crasher:
    initial call: emqx_connection:init/1
    pid: <0.1741.0>
    registered_name: []
    exception error: no match of right hand side value {error,
                                                        {ssl_error,
                                                         {options,
                                                          {certfile,
                                                           "/etc/letsencrypt/live/broker.abc.com/fullchain.pem",
                                                           {error,eacces}}}}}
      in function  emqx_connection:init/1 (src/emqx_connection.erl, line 146)
    ancestors: [<0.1618.0>,<0.1617.0>,esockd_sup,<0.1351.0>]
    message_queue_len: 0
    messages: []
    links: [<0.1618.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 987
    stack_size: 27
    reductions: 5777
  neighbours:
2019-04-09 10:50:10.195 [error] supervisor: 'esockd_connection_sup - <0.1618.0>'
    errorContext: connection_crashed
    reason: {{badmatch,
                 {error,
                     {ssl_error,
                         {options,
                             {certfile,
                                 "/etc/letsencrypt/live/broker.abc.com/fullchain.pem",
                                 {error,eacces}}}}}},
             [{emqx_connection,init,1,
                  [{file,"src/emqx_connection.erl"},{line,146}]},
              {proc_lib,init_p_do_apply,3,
                  [{file,"proc_lib.erl"},{line,249}]}]}
    offender: [{pid,<0.1741.0>},
               {name,connection},
               {mfargs,
                   {emqx_connection,start_link,
                       [[{deflate_options,[]},
                         {max_conn_rate,500},
                         {active_n,100},
                         {zone,external}]]}}]
2019-04-09 10:50:10.278 [error] crasher:
    initial call: emqx_connection:init/1
    pid: <0.1745.0>
    registered_name: []
    exception error: no match of right hand side value {error,
                                                        {ssl_error,
                                                         {options,
                                                          {certfile,
                                                           "/etc/letsencrypt/live/broker.abc.com/fullchain.pem",
                                                           {error,eacces}}}}}
      in function  emqx_connection:init/1 (src/emqx_connection.erl, line 146)
    ancestors: [<0.1618.0>,<0.1617.0>,esockd_sup,<0.1351.0>]
    message_queue_len: 0
    messages: []
    links: [<0.1618.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 987
    stack_size: 27
    reductions: 5777
  neighbours:
2019-04-09 10:50:10.280 [error] supervisor: 'esockd_connection_sup - <0.1618.0>'
    errorContext: connection_crashed
    reason: {{badmatch,
                 {error,
                     {ssl_error,
                         {options,
                             {certfile,
                                 "/etc/letsencrypt/live/broker.abc.com/fullchain.pem",
                                 {error,eacces}}}}}},
             [{emqx_connection,init,1,
                  [{file,"src/emqx_connection.erl"},{line,146}]},
              {proc_lib,init_p_do_apply,3,
                  [{file,"proc_lib.erl"},{line,249}]}]}
    offender: [{pid,<0.1745.0>},
               {name,connection},
               {mfargs,
                   {emqx_connection,start_link,
                       [[{deflate_options,[]},
                         {max_conn_rate,500},
                         {active_n,100},
                         {zone,external}]]}}]

Copying the certificate + key to /etc/emqx/certs/ and chown to emqx:emqx solves the error, but of cause creates an issue with the certbot reissue cycle and possible an issue with the privkey.

@turtleDeng any progress on this?

Copying the certificate + key to /etc/emqx/certs/ and chown to emqx:emqx solves the error, but of cause creates an issue with the certbot reissue cycle and possible an issue with the privkey.

But then what would be the best way to solve the problem? No problems with certificate renewal, etc.

For renewal, I followed this guide: https://certbot.eff.org/docs/using.html#renewing-certificates and created this post deploy hook.

#!/bin/sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        example.com)
                daemon_cert_root=/etc/emqx/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/cert.pem" "$daemon_cert_root/cert.pem"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/key.pem"
                cp "$RENEWED_LINEAGE/chain.pem" "$daemon_cert_root/cacert.pem"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown emqx:emqx "$daemon_cert_root/cert.pem" \
                        "$daemon_cert_root/key.pem" \
                        "$daemon_cert_root/cacert.pem"

                chmod 400 "$daemon_cert_root/cert.pem" \
                        "$daemon_cert_root/key.pem" \
                        "$daemon_cert_root/cacert.pem"

                service emqx restart >/dev/null
                ;;
        esac
done

I managed to make it work in a slightly different way.

Use the script from @i906 but comment out the line that copies cacert.pem, then in your emqx.conf set it as following:

#### From letsencrypt
listener.wss.external.keyfile = /etc/emqx/certs/key.pem
listener.wss.external.certfile = /etc/emqx/certs/cert.pem

#### Has to be the one from EMXQ
listener.wss.external.cacertfile = /etc/emqx/certs/cacert.pem

Still waiting for a simple built-in solution.

From the Certbot docs:
https://certbot.eff.org/docs/using.html#where-are-my-certificates

It is OK to:

chmod 0755 /etc/letsencrypt/{live,archive}
chgrp emqx /etc/letsencrypt/live/<domain>/privkey.pem
chgrp emqx /etc/letsencrypt/archive/<domain>/privkey1.pem
chmod 0640 /etc/letsencrypt/live/<domain>/privkey.pem
chmod 0640 /etc/letsencrypt/archive/<domain>/privkey1.pem

If you will never downgrade to an older version of Certbot.

I can confirm that this works on a fresh cert install.
The docs claim that these permissions will be retained across renewals, but I have not tested this yet.

My question is:
Does EMQX cache the cert files and will EMQX need to be restarted in a Certbot post deploy hook?

Hi.
I've been stuck in this problem for two days and I can't quite understand what the procedure is.

I direct the certificate path to live or archive?

Why do we give emqx permissions in the archive folder?

Thank you.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nerdial picture nerdial  路  3Comments

jbrzozoski picture jbrzozoski  路  4Comments

arnecs-piscada picture arnecs-piscada  路  5Comments

gdillen picture gdillen  路  5Comments

w3yyb picture w3yyb  路  3Comments