Hilscher Community Forum
Node-Red MQTT with SSL/TLS can't connect to broker



Answer - BFH_SAM2 - May-15th-2018

hey there

I'm trying to connect my node-red flow to our MQTT-Broker with a secure TLS connection (Port 8883). I have the same node-red flow on a normal Raspberry Pi and it works without a problem. Within the "hilschernetpi/netpi-nodered-fieldbus" docker container, it just can't connect. I checked the port with nmap within the docker container, and it says "8883/tcp open secure-mqtt", which should be all right.

I can connect to the MQTT-Broker without TLS (Port 1883) without any problems, but that's not secure enough for our application.

Do you have any ideas what to try next?

Thank you for your answer!


Answer - Armin@netPI - May-15th-2018

The main question I have is what happens if you install "Docker" on your Rpi and then run the same container there. I just want to exclude that this problem is in any relation to the netPI platform itself.

I think you might have recognized that netPI is just a Docker host and not designed for any in-depth development and debugging tasks. For netPI a Raspberry Pi 3 is the cheapest development platform you can think of. So please try to run the container on your Rpi3 first and check if it works.

Then a word on the secured communication. Your referenced container "hilschernetpi/netpi-nodered-fieldbus" has neither TLS nor openssl installed by default. Hence no client certificates have been generated in accordance with your secured MQTT broker. Have you uploaded those certificates in your MQTT node-red node correctly?


Answer - Armin@netPI - May-15th-2018

Meanwhile I made tests against the web site https://test.mosquitto.org/ which hosts a secured and public MQTT server that everybody can use for test purposes.

In accordance with the description provided on this page I configured the MQTT node-red node that comes in "hilschernetpi/netpi-nodered-fieldbus" by default. I generated a client.key file on my Windows machine as described using openssl, used it on the web page to generate the certificate file "client.crt", used the provided CA certificate "mosquitto.org.crt" as well, inserted all 3 files in the upload dialog and configured the server as "test.mosquitto.org:8883".

Immediately after deploy the node-red MQTT output node goes into connected state. I also configured an input node and sent data to a topic "test", which I received back in my flow in this input node when I injected a test pattern.

So I cannot confirm what you are seeing.


Answer - BFH_SAM2 - May-18th-2018

Armin@netPI Wrote:The main question I have is what happens if you install "Docker" on your Rpi and then run the same container there. I just want to exclude that this problem is in any relation to the netPI platform itself.

Unfortunately I can't get the docker container running on my RPi3, probably due to the missing HAT...
I get the following error messages:
SPIHWIFInit: Failed to read from serial DPM. Incorrect DPM status of SPI device '/dev/spidev0.0' (0x0).
SPIHWIFInit: Check the SPI connection and the serial DPM configuration of the device connected on '/dev/spidev0.0'.
Error adding plugin (netx-spm.so) device 0@0x0. (Status=0x800A0009)
unknown hardware detected, cannot start

So I can't verify the behaviour on a normal RPi.



Answer - Armin@netPI - May-18th-2018

Yes, if you use the "hilschernetpi/netpi-nodered-fieldbus" image as it comes and you have no HAT on your Rpi it will indeed report this error.

You could start the container differently on your Rpi with different parameters in order not to start the default script file which is looking for netPI or the HAT:

docker run -it -p 1880:1880 -p 9000:9000 --device=/dev/spidev0.0 -e "FIELD=pns" --restart=always --network=host --entrypoint=/bin/bash hilschernetpi/netpi-nodered-fieldbus

Use the command line above to jump into the container and suppress starting the default start script file. No error will arise then.

Once the container is started, please enter the command node-red, which starts node-red manually. There will be some warnings that can be ignored; node-red will start anyway and the MQTT node can be used.

By this procedure you can use the fieldbus container and test MQTT. Of course the fieldbus node cannot be used in this configuration, but that is not the subject of this topic. You just want to test MQTT connectivity, right?

Thanks


Answer - BFH_SAM2 - May-18th-2018

I was able to solve the problem. You can consider the thread as SOLVED. Thank you for your help.

We are using server side certificates only.
I tested the certificate with openssl in the docker console:
openssl s_client -showcerts -servername [server] -connect [server]:8883
and saw that the certificate wasn't accepted.

The issue was a faulty system time. I connected the module through the web interface to an NTP server and now everything works fine.

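The root cause in the post above is a clock outside the certificate's validity window, which a TLS client reports as a rejected certificate. The following script is an added example, not code from this thread or from Hilscher: it parses the notBefore/notAfter lines that `openssl x509 -noout -dates` prints, compares them with the device clock, and says whether the clock is the likely culprit. The certificate dates in SAMPLE_DATES are constructed, and the "not yet valid means the clock is behind" hint is a heuristic assumed here, not a TLS rule. The fetch_server_dates helper needs network access and an openssl binary and is only there for a live check.

```python
"""Check a server certificate's validity window against the device clock.

Added example (not from the thread). SAMPLE_DATES is constructed sample data.
"""
import ssl
import subprocess
from datetime import datetime, timezone

# Date layout printed by `openssl x509 -noout -dates`, e.g. "May 18 09:30:00 2018 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample of what `openssl x509 -noout -dates` prints for a broker cert
SAMPLE_DATES = """\
notBefore=Mar  1 00:00:00 2018 GMT
notAfter=May 30 23:59:59 2019 GMT
"""


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines into timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    not_before = datetime.strptime(fields["notBefore"], OPENSSL_DATE_FMT)
    not_after = datetime.strptime(fields["notAfter"], OPENSSL_DATE_FMT)
    return (not_before.replace(tzinfo=timezone.utc),
            not_after.replace(tzinfo=timezone.utc))


def validity_verdict(not_before, not_after, now):
    """Mirror the check a TLS client makes: is `now` inside the validity window?"""
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "ok"


def diagnose(dates_text, now=None):
    """Return the verdict plus a hint about whether the local clock is to blame.

    Heuristic (an assumption, not a TLS rule): a CA does not issue certificates
    that start in the future, so "not_yet_valid" almost always means the client
    clock is behind, e.g. a board without an RTC that booted at the Unix epoch.
    """
    not_before, not_after = parse_openssl_dates(dates_text)
    now = now or datetime.now(timezone.utc)
    verdict = validity_verdict(not_before, not_after, now)
    hints = {
        "ok": "certificate dates are fine; look elsewhere (CA file, hostname, port)",
        "not_yet_valid": "local clock is behind notBefore; sync the device time (NTP)",
        "expired": "certificate is past notAfter or the local clock is ahead; check both",
    }
    return {"verdict": verdict, "now": now, "not_before": not_before,
            "not_after": not_after, "hint": hints[verdict]}


def fetch_server_dates(host, port=8883):
    """Live variant: pull the broker's leaf certificate and ask openssl for its dates.

    ssl.get_server_certificate does not verify the chain, which is what we want
    here: we need the dates even when the local clock makes verification fail.
    Requires network access and an openssl binary; not exercised offline.
    """
    pem = ssl.get_server_certificate((host, port))
    result = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                            input=pem, text=True, capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demo with the constructed sample, once with a sane clock and once
    # with the epoch clock a freshly booted board without NTP might have.
    for clock in (datetime(2018, 5, 18, tzinfo=timezone.utc),
                  datetime(1970, 1, 1, tzinfo=timezone.utc)):
        report = diagnose(SAMPLE_DATES, now=clock)
        print(f"clock={clock:%Y-%m-%d} verdict={report['verdict']}: {report['hint']}")
```

Running the script as-is shows the two outcomes side by side: with the 2018 clock the sample certificate is "ok", with the 1970 clock it is "not_yet_valid", which is the state the netPI was in before NTP was configured. For a real broker, `diagnose(fetch_server_dates("broker.example"))` does the same check against the live certificate.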

Answer - Armin@netPI - May-18th-2018

Thanks for letting me know. Indeed setting the system time is the first thing to be done on netPI to get proper operation.