I have the following setup:
- Consul service registry
- Mosquitto docker container registered on Consul running with default not secured listener on port 1883
- Traefik v2 registered on Consul running as reverse proxy. There is a public domain address.
Mosquitto runs on private network interface, it is not exposed to public network.
I have the following tags for Traefik in the mosquitto service:
tags = [
  "traefik.enable=true",
  "traefik.tcp.routers.mqtt-tcp.entrypoints=mqtt-tcp",
  "traefik.tcp.routers.mqtt-tcp.rule=HostSNI(`*`)",
  "traefik.tcp.routers.mqtt-tcp.service=mqtt",
  "traefik.tcp.routers.mqtt-tls-tcp.entrypoints=mqtt-tls-tcp",
  "traefik.tcp.routers.mqtt-tls-tcp.rule=HostSNI(`*`)",
  "traefik.tcp.routers.mqtt-tls-tcp.service=mqtt",
  "traefik.tcp.routers.mqtt-tls-tcp.tls.options=mqttOptions@file"
]
Just for a test I put port 1883 (mqtt-tcp) and 8883 (
dynamic_conf.yml configuration for the mqttOptions options are:
tls:
  options:
    mqttOptions:
      clientAuth:
        caFiles:
          - /home/root-cacert.pem
        clientAuthType: RequireAndVerifyClientCert
    default:
      minVersion: VersionTLS12
When I deploy this and test MQTT with mosquitto_sub, I can connect and subscribe without problems to the broker on port 1883 by using
mosquitto_sub -t "#" -h my-broker.mydomain.com
I see the data flowing and everything is good.
But when I try the same on port 8883 with TLS it fails:
mosquitto_sub -t "#" -h my-broker.mydomain.com -p 8883 --cafile root-cacert.pem --cert server-cert.pem --key server.key --insecure -v
Error: Connection refused
My certificates are self signed.
root-cacert.pem is the same file as I put in the volume at /home/root-cacert.pem inside Traefik's docker container.
The router for 8883 is summarized in Traefik dashboard without any errors:
Could somebody help me explain what is wrong with my configuration?
Thank you in advance!
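A small lint for this kind of setup, added here as an example (not the asker's code and not part of Traefik): it parses the Consul service tags into per-router settings, resolves each router's tls.options reference against the dynamic config, and reports the things worth checking before looking at the network side, namely an options name that is not defined, a verifying clientAuthType with no CA to verify against, a CA file that is not present where Traefik runs, and any TCP router that carries no tls setting at all and therefore passes traffic through in plaintext. The tag list and option map mirror the post; the set of present files is passed in explicitly so the check runs offline, and the accepted clientAuthType and minVersion names are the ones Traefik's TLS options documentation lists.

```python
"""Lint Traefik v2 TCP router tags against the TLS options they reference.

Added example for this question; it is not the asker's code and not part of
Traefik. The tag and option data below mirror the post; the file-existence
check takes an explicit set so the script runs offline.
"""
from __future__ import annotations

# Names Traefik accepts for tls.options.<name>.clientAuth.clientAuthType
VALID_CLIENT_AUTH = {
    "NoClientCert", "RequestClientCert", "RequireAnyClientCert",
    "VerifyClientCertIfGiven", "RequireAndVerifyClientCert",
}
# Modes that verify the client certificate and therefore need a CA
VERIFYING_MODES = {"VerifyClientCertIfGiven", "RequireAndVerifyClientCert"}
VALID_TLS_VERSIONS = {"VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"}

# Consul service tags from the post
TAGS = [
    "traefik.enable=true",
    "traefik.tcp.routers.mqtt-tcp.entrypoints=mqtt-tcp",
    "traefik.tcp.routers.mqtt-tcp.rule=HostSNI(`*`)",
    "traefik.tcp.routers.mqtt-tcp.service=mqtt",
    "traefik.tcp.routers.mqtt-tls-tcp.entrypoints=mqtt-tls-tcp",
    "traefik.tcp.routers.mqtt-tls-tcp.rule=HostSNI(`*`)",
    "traefik.tcp.routers.mqtt-tls-tcp.service=mqtt",
    "traefik.tcp.routers.mqtt-tls-tcp.tls.options=mqttOptions@file",
]

# The tls.options section of dynamic_conf.yml from the post, as a dict
TLS_OPTIONS = {
    "mqttOptions": {
        "clientAuth": {
            "caFiles": ["/home/root-cacert.pem"],
            "clientAuthType": "RequireAndVerifyClientCert",
        }
    },
    "default": {"minVersion": "VersionTLS12"},
}


def parse_tcp_routers(tags: list[str]) -> dict[str, dict[str, str]]:
    """Group traefik.tcp.routers.<name>.<key>=<value> tags by router name."""
    routers: dict[str, dict[str, str]] = {}
    for tag in tags:
        key, sep, value = tag.partition("=")
        parts = key.split(".")
        if not sep or parts[:3] != ["traefik", "tcp", "routers"] or len(parts) < 5:
            continue  # not a TCP router tag
        name, setting = parts[3], ".".join(parts[4:])
        routers.setdefault(name, {})[setting] = value
    return routers


def lint(tags: list[str], tls_options: dict, present_files: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: list[str] = []
    for name, cfg in parse_tcp_routers(tags).items():
        for required in ("entrypoints", "rule", "service"):
            if required not in cfg:
                findings.append(f"{name}: missing '{required}'")
        has_tls = any(k == "tls" or k.startswith("tls.") for k in cfg)
        if not has_tls:
            findings.append(f"{name}: no tls.* setting, traffic is passed through in plaintext")
            continue
        ref = cfg.get("tls.options")
        if ref is None:
            continue  # TLS is on and Traefik's 'default' options apply
        opt_name, _, _provider = ref.partition("@")  # strip the @file/@consul suffix
        options = tls_options.get(opt_name)
        if options is None:
            findings.append(f"{name}: tls.options '{ref}' is not defined in the dynamic config")
            continue
        client_auth = options.get("clientAuth", {})
        mode = client_auth.get("clientAuthType", "NoClientCert")
        ca_files = client_auth.get("caFiles", [])
        if mode not in VALID_CLIENT_AUTH:
            findings.append(f"{name}: unknown clientAuthType '{mode}'")
        if mode in VERIFYING_MODES and not ca_files:
            findings.append(f"{name}: {mode} set but no caFiles to verify against")
        for ca in ca_files:
            if ca not in present_files:
                findings.append(f"{name}: CA file '{ca}' not found in Traefik's filesystem")
        min_version = options.get("minVersion")
        if min_version is not None and min_version not in VALID_TLS_VERSIONS:
            findings.append(f"{name}: unknown minVersion '{min_version}'")
    return findings


if __name__ == "__main__":
    # With the post's config and the CA present, the only finding is the plaintext router
    for line in lint(TAGS, TLS_OPTIONS, {"/home/root-cacert.pem"}):
        print(line)
```

Run against the post's own data it reports only that mqtt-tcp forwards plaintext, which is expected for a test listener; the remaining checks fire when the options name or the CA file is missing, which is the configuration side of a failed 8883 connection. A "Connection refused" on the TCP level is not something this script can see, so it is meant as the first pass before checking that the 8883 entrypoint is actually listening and published.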