auth.server.cafile property specified in config.properties is not working

[dlowrey]

Expected behavior

When config.properties contains valid values for:

auth.server.cafile
auth.client.cert
auth.client.key

I should be able to do operations like con, pub, sub without having to specify certificate information.

Actual behavior

When attempting to do a con via the interactive shell (started via mqtt sh), I only get:

No trusted certificate found

My colleagues and I have troubleshooted this all day (on Mac OSX and Windows), and we discovered that if we specify the --ca-cert option (con --ca-cert ...) everything works fine, and the other client certificate values get picked up from the config.properties files correctly.

To Reproduce

Must have a MQTT broker set up for mTLS.

Steps

Specify the below keys with valid values in your config.properties file:

auth.server.cafile
auth.client.cert
auth.client.key

Then start interactive shell

mqtt sh

And try to connect to a broker

con -i myIdentifier

Reproducer code

Details

I think a similar issue was opened previously: #125, and we had some MacOSX users who had no issue with this using 4.13.0, but once they upgraded to 4.29.0 it broke.

• Affected MQTT CLI version(s): 4.29.0
• Used JVM version: 11, 23

[LukasBrand]

Hi @dlowrey,
thank you for using the mqtt-cli!

This behavior is quite strange as both the properties configuration as well as the command line options use the same logic to setup mTLS..

Could you please give more details about the used formats and encryption algorithms used in your certificates and private key as well as your TLS properties file setup?

For reference, here are the supported TLS configurations and setup possibilities: https://hivemq.github.io/mqtt-cli/docs/tls
A possible issue could be:
In order to use TLS with your default values inside the properties configuration file, simply add -s or --secure.

---

More details:

The keystore loading uses a natural hierarchy to determine precedence over the security provider possibilities.

• A keystore provided as input parameter
• A private key and related certificate provided as input parameter
• A keystore provided as default option inside the cli configuration file
• A private key and related certificate provided as default option inside the cli configuration file

---

Since #125 we created system tests that include multiple tests for TLS and mTLS.
For example:
src/systemTest/java/com/hivemq/cli/commands/cli/publish/PublishConnectMTlsST.java

@CartesianTest
    @Timeout(value = 3, unit = TimeUnit.MINUTES)
    void test_properties_encrypted_pem_private_keys_mutualTls(
            @CartesianTest.Values(chars = {'3', '5'}) final char mqttVersion,
            @CartesianTest.Enum final @NotNull TlsVersion tlsVersion,
            @CartesianTest.Values(strings = {
                    "pkcs1.aes256.pem",
                    //"pkcs1.camellia256.pem",
                    //"pkcs1.des.pem",
                    "pkcs1.des3.pem", "pkcs8.aes256.pem",
                    //"pkcs8.camellia256.pem",
                    //"pkcs8.des.pem",
                    "pkcs8.des3.pem"}) final @NotNull String clientKeyType) throws Exception {
        final String certificateAuthorityPublicKey = Resources.getResource("tls/certificateAuthority/ca.pem").getPath();
        final String clientPublicKey = Resources.getResource("tls/client/client-cert.pem").getPath();
        final String clientPrivateKey = Resources.getResource("tls/client/client-key." + clientKeyType).getPath();

        final Map<String, String> properties = Map.of("auth.client.cert",
                clientPublicKey,
                "auth.client.key",
                clientPrivateKey,
                "auth.server.cafile",
                certificateAuthorityPublicKey,
                "auth.client.key.password",
                "clientKeyPassword");

        final List<String> publishCommand = List.of("pub",
                "-h",
                hivemq.getHost(),
                "-p",
                String.valueOf(hivemq.getMqttTlsPort()),
                "-V",
                String.valueOf(mqttVersion),
                "-i",
                "cliTest",
                "-t",
                "test",
                "-m",
                "message",
                "-s",
                "--tls-version",
                tlsVersion.toString(),
                "-d");

        final ExecutionResultAsync executionResult = mqttCli.executeAsync(publishCommand, Map.of(), properties);
        executionResult.awaitStdOut("finish PUBLISH");
        assertConnectPacket(hivemq.getConnectPackets().get(0),
                connectAssertion -> connectAssertion.setMqttVersion(MqttVersionConverter.toExtensionSdkVersion(
                        mqttVersion)));

        assertPublishPacket(hivemq.getPublishPackets().get(0), publishAssertion -> {
            publishAssertion.setTopic("test");
            publishAssertion.setPayload(ByteBuffer.wrap("message".getBytes(StandardCharsets.UTF_8)));
        });
    }

[LukasBrand]

https://hivemq.kanbanize.com/ctrl_board/22/cards/23977/details/

[LukasBrand]

I am closing this issue for now. Feel free to reopen anytime if the issue still persists after applying my proposed solution.

[dlowrey]

Apologies @LukasBrand, just getting back to this.

> mqtt --version
4.37.0
Picocli 4.7.6
JVM: 21.0.6 (Homebrew OpenJDK 64-Bit Server VM 21.0.6)
OS: Mac OS X 14.7.3 aarch64

The certificate and keys all use sha256WithRSAEncryption.

I am still having the same issues as described above. When I use this ~/.mqtt-cli/config.properties file:

mqtt.version=5
mqtt.host=my-secure-broker.com
mqtt.port=8883
auth.server.cafile=/Users/dlowrey/.tsp/mqtt/qa/ca.crt
auth.client.cert=/Users/dlowrey/.tsp/mqtt/qa/client.crt
auth.client.key=/Users/dlowrey/.tsp/mqtt/qa/client.key
logfile.level=trace
logfile.path=/Users/dlowrey/.mqtt-cli/logs

and attempt to do

> mqtt sh -l
mqtt> con -i MyClientId --tls-version 'TLSv1.3'`

Unable to connect. Reason: 'No trusted certificate found'

Additionally I see this in the log file, seemingly indicating I have no certs:

tlsOptions=TlsOptions{useSsl=false, serverCertificates=null, serverCertificatesFromDir=null, cipherSuites=null, supportedTLSVersions=[TLSv1.3], clientCertificates=null, clientPrivateKey=null}

However when I simply specify the --ca-cert option, everything works as expected:

> mqtt sh -l
mqtt> con -i MyClientId --tls-version 'TLSv1.3' --ca-cert /Users/dlowrey/.tsp/mqtt/qa/ca.crt
MyClientId@my-secure-broker.com>

I can even disconnect, and then reconnect without specifying --ca-cert option after that, so long as I am in the same interactive mqtt sh session:

> mqtt sh -l
mqtt> con -i MyClientId --tls-version 'TLSv1.3' --ca-cert /Users/dlowrey/.tsp/mqtt/qa/ca.crt
MyClientId@my-secure-broker.com> exit
mqtt> con -i MyClientId --tls-version 'TLSv1.3'
MyClientId@my-secure-broker.com>

I did try various usages of the -s and --secure flags during my con commands, but I just get the same response back. If I remove the --tls-version TLSv1.3 I get a different error:

Unable to connect. Reason: 'Received fatal alert: protocol_version'

Which seems like it is from my broker, I assume rejecting mqtt-cli's default TLSv1.2.

Would really like some help in figuring this out. I need to be able to perform interactive pub/sub sessions with the same ClientID. Let me know if you'd like me to try anything else or get any more info.