java - can't connect to mqtt broker via ssl

Question

I have a raspberry running a mqtt broker and a java backend. I can't establish a connection from backend to broker since I've implemented ssl. I can connect the backend to the broker on raspberry from my IDE running on my MacBook like:

client = new MqttAsyncClient(
            "ssl://my-domain.com:1883", "backend");

if the backend is on the raspberry I tried:

client = new MqttAsyncClient(
            "ssl://localhost:1883", "backend");


client = new MqttAsyncClient(
            "ssl://127.0.0.1:1883", "backend");

No success. I′ve never used a ssl connection in this context. did I oversee something?

Error:

Exception in thread "main" No connection to client (32104)
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:31)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms.sendNoWait(ClientComms.java:143)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.subscribe(MqttAsyncClient.java:721)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.subscribe(MqttAsyncClient.java:681)
    at com.cdh.Service.mqttManager.subscribe(mqttManager.java:243)
    at com.cdh.main.main(main.java:14)

EDIT:

I changed the port to 8883. It works if I run the backend on an other device but not if the broker and the backend are on the raspberry. I also tried to use the domain name from my cert.

question from:https://stackoverflow.com/questions/65942596/cant-connect-to-mqtt-broker-via-ssl

Answer 1

The hostname you use to connect needs to match the CN or SAN entries in the certificate presented by the broker or else it will fail validation.

Unless you included 127.0.0.1 or localhost in the certificate the the client will reject the connection because the certificate doesn't validate for that address.

p.s. you should probably use a different port for MQTT of TLS rather than 1883 as that is the standard port for MQTT without TLS.