MQTT TLS on ESP8266 on personal server

[pkkrusty]

Looked at documentation and a few discussion threads, and came up with a solution that works for my setup.

Server: Running Ubuntu 22.04 with Caddy managing Let's Encrypt certificates/renewals (for all my services) and Mosquitto as broker.

Install Caddy with the following JSON config. Requires changing the service to load a JSON file vs the default Caddyfile. To do this, edit /lib/systemd/system/caddy.service and change the following lines:

ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force

to

ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/caddy.json
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy.json --force

or whatever location you want to store your Caddy JSON config.

Need to sudo systemctl daemon-reload at this point

Caddy JSON config should have the following to allow it to request the right certs from Let's Encrypt:

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "tls_connection_policies": [
                        {
                            "cipher_suites": [
                                "ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                            ]
                        }
                    ]
                    
                }
            }
        },
        "tls": {
			"certificates": {
				"automate": [
					"mqtt.example.com"
				]
			},
			"automation": {
				"policies": [
					{
						"issuers": [{
							"module": "acme",
							"email": "[email protected]"
						}],
                        "key_type": "rsa2048"
					}
				]
			}
		}
    }
}

Restart caddy service with sudo systemctl restart caddy

Tasmota can only deal with ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher by default, and to force Caddy to generate certificates with the smaller 2048-bit RSA, need to specify key_type of rsa2048.

Once certificates are requested, they are stored in /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mqtt.example.com/mqtt.example.com.crt /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mqtt.example.com/mqtt.example.com.json /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mqtt.example.com/mqtt.example.com.key
Up to the user how to access those certificates with Mosquitto. I changed group ownership of the directories and added the mosquitto user to a group with caddy so both services could access the directories/files. Certificates need to have read/execute privileges by mosquitto, and directories need read/write/execute (I think). Could copy the certificates to /etc/mosquitto/certs/ but I think you'd have to do that manually every three months.

Check out caddy cert request logs at sudo journalctl -xeu caddy.service

Mosquitto config (/etc/mosquitto/conf.d/default.conf) should have the following:

listener 8883 0.0.0.0
protocol mqtt
certfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mqtt.example.com/mqtt.example.com.crt
cafile /usr/local/share/ca-certificates/lets-encrypt-r3.crt
keyfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mqtt.example.com/mqtt.example.com.key

#if you want to force users to authenticate on a public facing server, will require using the passwd file in mosquitto folder
allow_anonymous false 

Guide to username/password on Mosquitto.

Note that the R3 Let's Encrypt Certificate Authority hangs out in the default Ubuntu folder above. Need to adjust permissions so mosquitto user has read/execute authority for it. Or just copy the CA file to the mosquitto directory. Can download it from lets-encrypt and rename to lets-encrypt-r3.crt.

Save and restart mosquitto service sudo systemctl restart mosquitto

Errors usually have to do with Mosquitto accessing the certificate files.

Once mosquitto is running, check that the ciphers/algorithm are correct by issuing the following command with a computer with nmap installed: nmap --script ssl-enum-ciphers -p 8883 mqtt.example.com

Should see an entry for TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) which is just what Tasmota wants.

Compile tasmota with the following #defines:

#define MQTT_HOST              "mqtt.example.com"                // [MqttHost]
#define MQTT_FINGERPRINT1      0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00  // [MqttFingerprint1] (auto-learn)
#define MQTT_PORT              8883              // [MqttPort]
#define MQTT_USER              "user"       // [MqttUser] MQTT user
#define MQTT_PASS              "password"       // [MqttPassword] MQTT password
#define USE_MQTT_TLS
#define MQTT_TLS_ENABLED       true             // [SetOption103] Enable TLS mode (requires TLS version)
 #define MQTT_TLS_FINGERPRINT   true             // [SetOption132] Force TLS fingerprint validation instead of CA (requires TLS version)

Note in documentation, the following statement:

Ensure that for the environment you have selected, lib/lib_ssl is included on platformio_tasmota_env.ini :[~](https://tasmota.github.io/docs/#ensure-that-for-the-environment-you-have-selected-liblib_ssl-is-included-on-platformio_tasmota_env.ini)

lib_extra_dirs          = lib/lib_ssl

This seems to not be necessary, and introduces compile errors.

[Noschvie]

You doesn't use Caddy and Mosquitto as Docker container ?

[pkkrusty]

no. docker confuses me. whole other layer of network and config that needs to be routed correctly. Plus redundant dependencies. maybe some day I'll jump on board.

[sfromis]

I find the setup much easier to manage with Docker containers. No messing around with dependencies, even when having multiple versions of something.

[GasTurbineMan]

Good write up! I have yet to enable TLS on my Tasmota devices because I never could understand how it all worked. I am running my Mosquitto broker on a Raspberry Pi 4. I have a spare Pi - so I may have to give this a go.

Thanks for putting this together.

[GasTurbineMan]

@pkkrusty , one thing I was wondering is if I could just have a select few Tasmota (and phone/tablets) that would require TLS access with all other intranet Tasmota devices running non-TLS. What do you mean by "bridging" local and remote ? Sounds like what I want to do as well.
Are you running 2 separate mosquitto broker's?

[pkkrusty]

Yes. I have a local instance, and an instance on a VPS with Oracle. From my limited reading it should be possible to pass all or a portion of topics between the two brokers so devices can connect to either and everyone would stay up to date. But I haven't tried to make it happen yet.

[pkkrusty]

But you can restrict the 1883 to just local IPs and open the 8883 port to the internet and connect your few remote devices to that. Easier than running two brokers and two servers. As long as you aren't behind CGNAT.

[barbudor]

From my limited reading it should be possible to pass all or a portion of topics between the two brokers

That's probably what you are looking for : http://www.steves-internet-guide.com/mosquitto-bridge-configuration/

I'm doing something similar between a on prem mosquitto and cloud-based Flespi.io but using NodeRED, not bridging

• Main site has a server with mosquitto, node-red, influxdb, grafana
• Remote site with only 4 tasmotas and no local server are connected to Flepsi
• My NodeRed running on-prem
  • transfer SENSOR messages from main site to Flespi so I can read status on my mobile using MQTT IoT Panel (I can also read SENSOR from remote site)
  • read SENSOR messages from remote site on Flepsi to push them to main-site's influxdb

I could also use bridging but haven't been there yet.
I may investigate that on the idea of resilience in order to have 2 mqtt broker and setup my devices so they can switch to one or the other mqtt broker transparently

[pkkrusty]

I got bridging to work between my remote mosquitto and local. Works well, and very handy for setting up remote tasmota devices (on a friend's wifi, for example) and I can still see data produced. For now, I'm replicating all topics between both brokers, but may try to limit it to just the remote topics eventually.

Adjust the mosquitto.conf file on the local server to include:

# connection <name>
connection bridge-01
address mqtt.example.com:1883

topic # both 0

try_private true
remote_username loginuser
remote_password loginpassword
remote_clientid raspimosquitto
local_username locallogin
local_password localpassword
start_type automatic

Obviously that's not a secure link, that's an effort for another day.

[GasTurbineMan]

I am really struggling to put this puzzle together. Using my Raspberry Pi as my "server", I did get Caddy installed and believe I got the needed directories created. Changed users, groups and permissions - that is a whole other can of worms. Added the info to Mosquitto local.conf but when I restart Mosquitto it fails, log says missing CA file. I went to LetsEncrypt and that is where I started being instructed to install Apache2 and Certbot. Am I trying to install too many pieces?

[pkkrusty]

But otherwise, sounds like you're thinking about it correctly.

[GasTurbineMan]

When you say "open up 8883 as well for TLS", you are talking about Port Forwarding on the Router, correct? I have 8883 added to my Mosquitto local.conf as well as the other lines you show.

[GasTurbineMan]

I believe I have everything set up. Here is what Mosquitto.log is showing:
2023-04-24T07:35:32: mosquitto version 2.0.11 starting
2023-04-24T07:35:32: Config loaded from /etc/mosquitto/mosquitto.conf.
2023-04-24T07:35:32: Opening ipv4 listen socket on port 1883.
2023-04-24T07:35:32: Opening ipv6 listen socket on port 1883.
2023-04-24T07:35:32: Opening ipv4 listen socket on port 8883.
2023-04-24T07:35:32: Error: Unable to load server certificate "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz.crt". Check certfile.
2023-04-24T07:35:32: OpenSSL Error[0]: error:02001002:system library:fopen:No such file or directory
2023-04-24T07:35:32: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
2023-04-24T07:35:32: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib

[pkkrusty]

When you say "open up 8883 as well for TLS", you are talking about Port Forwarding on the Router, correct? I have 8883 added to my Mosquitto local.conf as well as the other lines you show.

Yes port forwarding.

[pkkrusty]

I believe I have everything set up. Here is what Mosquitto.log is showing:

2023-04-24T07:35:32: mosquitto version 2.0.11 starting

2023-04-24T07:35:32: Config loaded from /etc/mosquitto/mosquitto.conf.

2023-04-24T07:35:32: Opening ipv4 listen socket on port 1883.

2023-04-24T07:35:32: Opening ipv6 listen socket on port 1883.

2023-04-24T07:35:32: Opening ipv4 listen socket on port 8883.

2023-04-24T07:35:32: Error: Unable to load server certificate "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz.crt". Check certfile.

2023-04-24T07:35:32: OpenSSL Error[0]: error:02001002:system library:fopen:No such file or directory

2023-04-24T07:35:32: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib

2023-04-24T07:35:32: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib

Looks like mosquitto can't access your crt file. Probably a directory permissions issue. Need to make .local and further down rwx for mosquitto user.

[GasTurbineMan]

Not sure if this helps, but I installed acme.sh on my RaspPi and ran comment to get certs for my site. See log file below. Seemed to run without issue until time 09:02:53 "verify error"?

nam@GaragePi3B-Plus:/var/lib/caddy $ acme.sh --issue -d xyz.660p.cz -w /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz --debug
[Mon Apr 24 09:02:28 CDT 2023] Lets find script dir.
[Mon Apr 24 09:02:28 CDT 2023] SCRIPT='/home/nam/.acme.sh/acme.sh'
[Mon Apr 24 09:02:28 CDT 2023] _script='/home/nam/.acme.sh/acme.sh'
[Mon Apr 24 09:02:28 CDT 2023] _script_home='/home/nam/.acme.sh'
[Mon Apr 24 09:02:28 CDT 2023] Using config home:/home/nam/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.6
[Mon Apr 24 09:02:28 CDT 2023] Running cmd: issue
[Mon Apr 24 09:02:28 CDT 2023] _main_domain='xyz.660p.cz'
[Mon Apr 24 09:02:28 CDT 2023] _alt_domains='no'
[Mon Apr 24 09:02:28 CDT 2023] Using config home:/home/nam/.acme.sh
[Mon Apr 24 09:02:28 CDT 2023] default_acme_server
[Mon Apr 24 09:02:28 CDT 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon Apr 24 09:02:28 CDT 2023] DOMAIN_PATH='/home/nam/.acme.sh/xyz.660p.cz_ecc'
[Mon Apr 24 09:02:28 CDT 2023] Le_NextRenewTime
[Mon Apr 24 09:02:28 CDT 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Mon Apr 24 09:02:28 CDT 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Mon Apr 24 09:02:28 CDT 2023] GET
[Mon Apr 24 09:02:28 CDT 2023] url='https://acme.zerossl.com/v2/DV90'
[Mon Apr 24 09:02:28 CDT 2023] timeout=
[Mon Apr 24 09:02:28 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:29 CDT 2023] ret='0'
[Mon Apr 24 09:02:29 CDT 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Mon Apr 24 09:02:29 CDT 2023] ACME_NEW_AUTHZ
[Mon Apr 24 09:02:29 CDT 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Mon Apr 24 09:02:29 CDT 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Mon Apr 24 09:02:29 CDT 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Mon Apr 24 09:02:29 CDT 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20221001_Certificate_Subscriber_Agreement_v_2_5_click.pdf'
[Mon Apr 24 09:02:29 CDT 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Mon Apr 24 09:02:31 CDT 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Apr 24 09:02:31 CDT 2023] _on_before_issue
[Mon Apr 24 09:02:31 CDT 2023] _chk_main_domain='xyz.660p.cz'
[Mon Apr 24 09:02:31 CDT 2023] _chk_alt_domains
[Mon Apr 24 09:02:31 CDT 2023] Le_LocalAddress
[Mon Apr 24 09:02:31 CDT 2023] d='xyz.660p.cz'
[Mon Apr 24 09:02:31 CDT 2023] Check for domain='xyz.660p.cz'
[Mon Apr 24 09:02:31 CDT 2023] _currentRoot='/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz'
[Mon Apr 24 09:02:31 CDT 2023] d
[Mon Apr 24 09:02:31 CDT 2023] _saved_account_key_hash is not changed, skip register account.
[Mon Apr 24 09:02:31 CDT 2023] Read key length:ec-256
[Mon Apr 24 09:02:31 CDT 2023] _createcsr
[Mon Apr 24 09:02:31 CDT 2023] Single domain='xyz.660p.cz'
[Mon Apr 24 09:02:31 CDT 2023] Getting domain auth token for each domain
[Mon Apr 24 09:02:32 CDT 2023] d
[Mon Apr 24 09:02:32 CDT 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Mon Apr 24 09:02:32 CDT 2023] payload='{"identifiers": [{"type":"dns","value":"xyz.660p.cz"}]}'
[Mon Apr 24 09:02:32 CDT 2023] EC key
[Mon Apr 24 09:02:32 CDT 2023] HEAD
[Mon Apr 24 09:02:32 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Mon Apr 24 09:02:32 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g -I '
[Mon Apr 24 09:02:33 CDT 2023] _ret='0'
[Mon Apr 24 09:02:33 CDT 2023] POST
[Mon Apr 24 09:02:33 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Mon Apr 24 09:02:33 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:36 CDT 2023] _ret='0'
[Mon Apr 24 09:02:36 CDT 2023] code='201'
[Mon Apr 24 09:02:36 CDT 2023] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/oooooooooooooooooooooooo'
[Mon Apr 24 09:02:36 CDT 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/oooooooooooooooooooooo/finalize'
[Mon Apr 24 09:02:36 CDT 2023] url='https://acme.zerossl.com/v2/DV90/authz/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
[Mon Apr 24 09:02:36 CDT 2023] payload
[Mon Apr 24 09:02:36 CDT 2023] POST
[Mon Apr 24 09:02:36 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/authz/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
[Mon Apr 24 09:02:36 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:38 CDT 2023] _ret='0'
[Mon Apr 24 09:02:38 CDT 2023] code='200'
[Mon Apr 24 09:02:38 CDT 2023] d='xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] Getting webroot for domain='xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] _w='/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] _currentRoot='/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxx","status":"pending","token":"ttttttttttttttttttttttttttt"'
[Mon Apr 24 09:02:38 CDT 2023] token='tttttttttttttttttttttttttttttttttw'
[Mon Apr 24 09:02:38 CDT 2023] uri='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:38 CDT 2023] keyauthorization='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:38 CDT 2023] dvlist='xyz.660p.cz#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQvgxnYHLY#https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxx#http-01#/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] d
[Mon Apr 24 09:02:38 CDT 2023] vlist='xyz.660p.cz#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx#https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxw#http-01#/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz,'
[Mon Apr 24 09:02:38 CDT 2023] d='xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] ok, let's start to verify
[Mon Apr 24 09:02:38 CDT 2023] Verifying: xyz.660p.cz
[Mon Apr 24 09:02:38 CDT 2023] d='xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] keyauthorization='kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk'
[Mon Apr 24 09:02:38 CDT 2023] uri='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:38 CDT 2023] _currentRoot='/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz'
[Mon Apr 24 09:02:38 CDT 2023] wellknown_path='/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz/.well-known/acme-challenge'
[Mon Apr 24 09:02:38 CDT 2023] writing token:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz/.well-known/acme-challenge/ccccccccccccccccccccccccccccccccccccWw
[Mon Apr 24 09:02:38 CDT 2023] Changing owner/group of .well-known to nam:nam
[Mon Apr 24 09:02:38 CDT 2023] url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:38 CDT 2023] payload='{}'
[Mon Apr 24 09:02:39 CDT 2023] POST
[Mon Apr 24 09:02:39 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:39 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:39 CDT 2023] _ret='0'
[Mon Apr 24 09:02:40 CDT 2023] code='200'
[Mon Apr 24 09:02:40 CDT 2023] trigger validation code: 200
[Mon Apr 24 09:02:40 CDT 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Apr 24 09:02:40 CDT 2023] sleep 2 secs to verify again
[Mon Apr 24 09:02:43 CDT 2023] checking
[Mon Apr 24 09:02:43 CDT 2023] url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:43 CDT 2023] payload
[Mon Apr 24 09:02:43 CDT 2023] POST
[Mon Apr 24 09:02:43 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:43 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:44 CDT 2023] _ret='0'
[Mon Apr 24 09:02:44 CDT 2023] code='200'
[Mon Apr 24 09:02:44 CDT 2023] Processing, The CA is processing your order, please just wait. (2/30)
[Mon Apr 24 09:02:44 CDT 2023] sleep 2 secs to verify again
[Mon Apr 24 09:02:47 CDT 2023] checking
[Mon Apr 24 09:02:47 CDT 2023] url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:48 CDT 2023] payload
[Mon Apr 24 09:02:48 CDT 2023] POST
[Mon Apr 24 09:02:48 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:48 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:49 CDT 2023] _ret='0'
[Mon Apr 24 09:02:49 CDT 2023] code='200'
[Mon Apr 24 09:02:49 CDT 2023] Processing, The CA is processing your order, please just wait. (3/30)
[Mon Apr 24 09:02:49 CDT 2023] sleep 2 secs to verify again
[Mon Apr 24 09:02:52 CDT 2023] checking
[Mon Apr 24 09:02:52 CDT 2023] url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:52 CDT 2023] payload
[Mon Apr 24 09:02:52 CDT 2023] POST
[Mon Apr 24 09:02:52 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw'
[Mon Apr 24 09:02:52 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:53 CDT 2023] _ret='0'
[Mon Apr 24 09:02:53 CDT 2023] code='200'
[Mon Apr 24 09:02:53 CDT 2023] xyz.660p.cz:Verify error:"error":{
[Mon Apr 24 09:02:53 CDT 2023] Debug: get token url.
[Mon Apr 24 09:02:53 CDT 2023] GET
[Mon Apr 24 09:02:53 CDT 2023] url='http://xyz.660p.cz/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:53 CDT 2023] timeout=1
[Mon Apr 24 09:02:53 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g --connect-timeout 1'
[Mon Apr 24 09:02:54 CDT 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Mon Apr 24 09:02:54 CDT 2023] ret='7'
[Mon Apr 24 09:02:54 CDT 2023] Debugging, skip removing: /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/xyz.660p.cz/.well-known
[Mon Apr 24 09:02:54 CDT 2023] pid
[Mon Apr 24 09:02:54 CDT 2023] No need to restore nginx, skip.
[Mon Apr 24 09:02:54 CDT 2023] _clearupdns
[Mon Apr 24 09:02:54 CDT 2023] dns_entries
[Mon Apr 24 09:02:54 CDT 2023] skip dns.
[Mon Apr 24 09:02:54 CDT 2023] _on_issue_err
[Mon Apr 24 09:02:54 CDT 2023] Please check log file for more details: /home/nam/.acme.sh/acme.sh.log
[Mon Apr 24 09:02:54 CDT 2023] url='https://acme.zerossl.com/v2/DV90/chall/cccccccccccccccccccccccccc'
[Mon Apr 24 09:02:54 CDT 2023] payload='{}'
[Mon Apr 24 09:02:54 CDT 2023] POST
[Mon Apr 24 09:02:54 CDT 2023] _post_url='https://acme.zerossl.com/v2/DV90/chall/txxxxxxxxxxxxxxxxxxx'
[Mon Apr 24 09:02:55 CDT 2023] _CURL='curl --silent --dump-header /home/nam/.acme.sh/http.header -L -g '
[Mon Apr 24 09:02:55 CDT 2023] _ret='0'
[Mon Apr 24 09:02:55 CDT 2023] code='200'
[Mon Apr 24 09:02:55 CDT 2023] socat doesn't exist.
[Mon Apr 24 09:02:55 CDT 2023] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1n 15 Mar 2022
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:

[GasTurbineMan]

@pkkrusty , I do no mean to take up your time. While I have installed Caddy and Mosquitto and have permissions set correctly , it appears that the Caddy.Service is failing to start? I have checked and rechecked caddy.json, but still no joy.

Apr 26 16:38:37 raspberrypi caddy[9424]: JOURNAL_STREAM=8:111236
Apr 26 16:38:37 raspberrypi caddy[9424]: {"level":"info","ts":1682545117.746227,"msg":"using provided configuration","config_file":"/etc/caddy/caddy.json",">
Apr 26 16:38:37 raspberrypi caddy[9424]: Error: loading initial config: loading new config: starting caddy administration endpoint: listen tcp 127.0.0.1:201>
Apr 26 16:38:37 raspberrypi systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Apr 26 16:38:37 raspberrypi systemd[1]: caddy.service: Failed with result 'exit-code'.
Apr 26 16:38:37 raspberrypi systemd[1]: Failed to start Caddy.

With that said, I did prove out SSL and Mosquitto be generating some Self Signed Certs and pointing Mosquitto to those files. Tasmota and TLS work as expected. I will give Caddy another try tomorrow. Thanks

[pkkrusty]

What's your caddy.json look like?

[GasTurbineMan]

caddy.json is:
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"tls_connection_policies": [{
"cipher_suites": [
"ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
}
]

            }
        }
    },
    "tls": {
        "certificates": {
            "automate": [
                "my.webdns.cx"
            ]
        },
        "automation": {
            "policies": [{
                    "issuers": [{
                            "module": "acme",
                            "email": "[email protected]"
                        }
                    ],
                    "key_type": "rsa2048"
                }
            ]
        }
    }
}

}

[GasTurbineMan]

@pkkrusty , I ended up using CERTBOT instead of CADDY, but thanks to your initial nudge and help, I do believe I have TLS with renewable CA certs up and running on my Raspberry Pi system. Many thanks!!!

[pkkrusty]

Nice. Yeah I think certbot is probably just as good, I already had caddy running certs for my Jellyfin server, so stuck with that.