Problem description (connecting to a broker over TLS via WebSocket with ngx-mqtt)
I have a remote mosquitto broker (on an AWS EC2 instance running Windows) and everything is working fine: the ports are accessible and I can publish and subscribe according to the rules in my ACL. I've limited the publish operation to my .NET Core server (with IdentityServer 4), while my Angular 8 app with ngx-mqtt subscribes.
Now I'm trying to enable TLS, but it keeps failing on connecting.
main-es2015.42b21e2ecd07be623604.js:1 WebSocket connection to 'wss://myserver/mqtt' failed: Error in connection establishment: net::ERR_CERT_INVALID
My domain has a valid certificate and the Angular app connects over HTTPS. For mosquitto I have self-signed the CA, server and client certificates following the documentation on mosquitto, but still, I cannot figure out what I am missing: should I send the certificate and key to the client after it has logged in? What kind of flow should I implement?
ACL file:
# This affects access control for clients with no username.
# Topic patterns anonymous clients may subscribe to.
topic read $SYS/#
# This only affects clients with username "backend-username" (the .NET Core backend).
user backend-username
topic write stage/#
topic write production/#
# This affects all clients.
pattern write $SYS/broker/connection/%c/state
pattern read stage/%u/openRequests
pattern read production/%u/openRequests
mosquitto.conf:
port 1883
listener 8883
protocol websockets
connection_messages true
allow_anonymous false
acl_file C:\Program Files\mosquitto\aclfile.example
# Path to the PEM encoded CA certificate(s) the broker trusts when verifying client certificates.
cafile C:\Program Files\mosquitto\certs\certificate_authority.crt
# Path to the PEM encoded server certificate.
certfile C:\Program Files\mosquitto\certs\broker.crt
# Path to the PEM encoded keyfile.
keyfile C:\Program Files\mosquitto\certs\broker.key
tls_version tlsv1.2
log_dest file C:\logs_and_keys\mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
log_timestamp true
log_timestamp_format %Y-%m-%dT%H:%M:%S
ngx-mqtt options used to connect:
this.mqttService.connect({
hostname: environment.mqttHost,
port: environment.mqttPort,
path: environment.mqttBasePath,
protocol: 'wss',
username: username,
password: 'useless-password',
ca: certificate,
cert: cert.toString(),
key: key.toString()
});
While I'm testing I'm also hardcoding the ca.crt, client.crt and client.key:
const certificate = `-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`;
const key = `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A7B0480427C73B4E
...
-----END RSA PRIVATE KEY-----
`;
const cert = `-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
`;
Thanks in advance.
Recommended answer
After almost a year, lots of changes were made to the project, to the point that this is not the same scenario I described initially. I now have a serverless backend, so the mosquitto broker is not hosted by me (I'm currently using the public mosquitto broker), and I've upgraded Angular to version 10 (Angular 8 was used at the time).
Now I simply use the configuration below and it just works:
hostname: 'test.mosquitto.org',
port: 8081,
protocol: 'wss',
path: '/mqtt'
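The question and the answer together show the actual failure mode: the public broker works because its certificate chains to a CA that the browser already trusts, while the self-signed setup in the question does not. For a wss:// connection the browser validates the broker certificate against its own trust store and the hostname (via the subjectAltName extension); the ca, cert and key options passed to ngx-mqtt are never applied, because the browser WebSocket API exposes no TLS configuration to JavaScript. The script below is an added example, not code from the original post, and recreates that situation offline with the openssl CLI: it issues a broker certificate from a private CA the way the mosquitto docs describe, then verifies it once the way mosquitto_sub --cafile would (against the private CA) and once the way a browser would (against the default store only). The hostname broker.example.test and all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Assumptions: openssl CLI available; hostname and paths are hypothetical.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="broker.example.test"

# Private CA, the equivalent of the self-signed certificate_authority.crt in the question.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Private test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Broker certificate signed by that CA. Browsers match the hostname against the
# subjectAltName extension, so it is added explicitly; a CN alone is not enough.
make_broker_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/broker.key" -out "$WORK/broker.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/broker.ext"
  openssl x509 -req -days 30 -in "$WORK/broker.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/broker.ext" -out "$WORK/broker.crt" >/dev/null 2>&1
}

# Does the broker certificate carry a DNS SAN for the hostname the client connects to?
has_san_for_host() {
  openssl x509 -in "$WORK/broker.crt" -noout -text | grep -q "DNS:$HOST"
}

# What mosquitto_sub --cafile ca.crt does: trust the private CA explicitly.
verify_with_private_ca() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" \
    "$WORK/broker.crt" >/dev/null 2>&1
}

# What the browser does for wss://: consult only its default trust store.
# Fails for a private CA, which is what the browser reports as a certificate error.
verify_with_default_store() {
  openssl verify -verify_hostname "$HOST" "$WORK/broker.crt" >/dev/null 2>&1
}

make_private_ca
make_broker_cert
has_san_for_host && echo "broker.crt has SAN DNS:$HOST"
verify_with_private_ca && echo "against private CA: OK (mosquitto_sub --cafile works)"
if verify_with_default_store; then
  echo "against default store: OK"
else
  echo "against default store: FAILED (what the browser sees for wss://)"
fi
```

Against a live broker the same check is `openssl s_client -connect host:port -servername host`, which prints the presented chain and the verify result. The practical consequence for the websockets listener in the question's mosquitto.conf is that certfile must hold a certificate (plus any intermediates) that chains to a CA already in the browser's store, for instance the certificate the domain already serves over HTTPS; cafile and require_certificate only govern client certificates, which a browser cannot present from JavaScript, so the client.key hardcoded in the Angular bundle (which is also passphrase-encrypted) buys nothing and exposes a private key to every user who loads the app.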