I have TLS configured and working on my Chariot MQTT server - and can connect to it securely using an MQTTX client without issue. When attempting to do this using the new Chariot MQTT Client - I get the following error:
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The dialog doesn’t seem to allow specifying certificates or anything when toggling TLS on. Do these certificates need to be loaded manually for the connection somehow - or am I missing something?
Thank you
Hi,
You may need to manually load your certificate into Chariot’s trust store. See documentation here: Setting up Client based authentication with Client Certificates - Chariot MQTT Server v2 Documentation - Confluence
Let me know if that works or if you have any more questions.
Thanks,
Chad
I guess that’s the real question… does the Chariot MQTT Client use the local server’s client trust store? Would this also work if I was using the client on server A (using A’s client trust store) to a broker server B?
I wasn’t able to find any documentation specifically for the Chariot MQTT client.
Thanks
Yes, the Chariot MQTT Client uses the Chariot Server’s client trust store. If you were using the client on server A (using A’s client trust store) you could connect to server B if that server had a certificate that was either signed by a global trusted CA or the server’s certificate was added to server A’s trust store.
Chad,
Thanks for the replies.
It would appear that those instructions are for mTLS (or two-way authentication). Is it possible to use standard TLS (one-way authentication)? Curious if it’s possible to just use the Server’s public certificate on the client side somehow. Oddly, using MQTTX, I was just able to put the server certificate/key and CA in there, and it works… but I don’t understand why, as I don’t have anything loaded in the MQTT server’s client keystore. Is this a supported configuration? If so, how would I achieve the same thing using the Chariot MQTT Client?
Thanks again,
Ryan
Hi Ryan,
Yes, you should be able to use the server’s public certificate on the Chariot MQTT Client, like you have done with MQTT.FX. You only need to manually add the server certificate and CA to the Chariot MQTT Client’s trust store (security/clientcerts.jks). While the document I linked above was for setting up client authentication, the section I linked to was an example of updating the Chariot Server’s trust store.
I hope that helps, let me know if you have further questions.
Thanks,
Chad
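The steps Chad describes above, as an added example that is not part of the thread or of the Chariot documentation: import the broker's CA certificate (and, if you want to pin it, the broker's own certificate) into the trust store as trusted entries with the JDK's keytool, then verify the store is no longer empty. The Java error from the first post ("the trustAnchors parameter must be non-empty") is what JSSE raises when the trust store it loaded contains no trusted certificate entries at all, so the count check at the end is the one that matters. The store path is the one named in the reply; the password, file names and aliases are placeholders, and the script assumes keytool is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Chariot docs or this thread): populate the
# Chariot MQTT Client's trust store for one-way TLS to a broker.
# Assumptions: trust store path from the thread; STOREPASS, PEM file names
# and aliases below are placeholders to be replaced with your own values.

TRUSTSTORE="${TRUSTSTORE:-security/clientcerts.jks}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder: use the store's real password

# import_trust_cert ALIAS PEMFILE
# Adds one PEM-encoded certificate to $TRUSTSTORE as a trusted entry.
# Returns 1 (without touching the store) if the file does not exist.
import_trust_cert() {
  alias="$1"
  pem="$2"
  [ -f "$pem" ] || { echo "missing certificate file: $pem" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts \
    -alias "$alias" -file "$pem" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# has_trusted ALIAS
# Succeeds only if ALIAS is present in $TRUSTSTORE.
has_trusted() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$1" >/dev/null 2>&1
}

# trusted_entry_count
# Prints the number of trustedCertEntry items; 0 if the store is empty
# or does not exist yet. A result of 0 is exactly the condition behind the
# "trustAnchors parameter must be non-empty" exception.
trusted_entry_count() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c trustedCertEntry || true
}

# Typical use (placeholder file names): the CA that signed the broker's
# certificate is the entry that makes one-way TLS validate; importing the
# broker's leaf certificate as well pins that specific server.
# import_trust_cert chariot-ca     certs/ca.pem
# import_trust_cert chariot-broker certs/broker.pem
# echo "trusted entries: $(trusted_entry_count)"
```

Run it on the machine hosting the Chariot MQTT Client, since the reply says the client reads the Chariot server's own trust store there rather than a per-connection file. After the import, a count of at least 1 confirms the store is populated; if it still reports 0, the client will keep failing with the same trustAnchors error regardless of what the MQTTX side shows.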
Thanks for the clarifications! Much appreciated.
@ryangerken did that work for you?
@chad.kienle will future enhancements come allowing use of the Chariot broker’s CA? I have two brokers, one that is the actual broker, and one that is just Chariot installed on a box to use the thin client. Both have the certificate updated and signed by the same CA. Odd that this isn’t enough to allow the client to connect.
Yes, adding the server and CA certs to the server’s client store allowed me to connect securely to the server using the new Chariot MQTT Client. Both my server and client were installed on the same Docker container. I have not tested having the Chariot client and Chariot server installed on separate servers, but I don’t see why that wouldn’t work.