mqtt: fix certfile usage

Use fullchain.pem instead of cert.pem which fixes "certificate signed by unknown authority" problems. Also point cafile to correct root cert.
2024-11-05 14:39:13 +01:00 · 2024-11-05 14:39:13 +01:00 · 0461a8f0b8
commit 0461a8f0b8
parent a858a1973f
2 changed files with 6 additions and 11 deletions
--- a/global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt
+++ b/global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt
@ -9,15 +9,10 @@ set -eu
 le_dir="/etc/letsencrypt/live/$(hostname -f)"
 mosquitto_dir="/etc/mosquitto"

-le_chain="$le_dir/chain.pem"
-mosquitto_chain="$mosquitto_dir/ca_certificates/chain.pem"
-cp "$le_chain" "$mosquitto_chain"
-chown mosquitto:root "$mosquitto_chain"
-
-le_cert="$le_dir/cert.pem"
-mosquitto_cert="$mosquitto_dir/certs/cert.pem"
-cp "$le_cert" "$mosquitto_cert"
-chown mosquitto:root "$mosquitto_cert"
+le_fullchain="$le_dir/fullchain.pem"
+mosquitto_fullchain="$mosquitto_dir/certs/fullchain.pem"
+cp "$le_fullchain" "$mosquitto_fullchain"
+chown mosquitto:root "$mosquitto_fullchain"

 le_key="$le_dir/privkey.pem"
 mosquitto_key="$mosquitto_dir/certs/privkey.pem"
--- a/global/overlay/etc/puppet/modules/cdn/templates/mqtt/cdn.conf.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/mqtt/cdn.conf.erb
@ -1,6 +1,6 @@
 listener 8883
-cafile /etc/mosquitto/ca_certificates/chain.pem
-certfile /etc/mosquitto/certs/cert.pem
+cafile /usr/local/share/ca-certificates/step_ca_root.crt
+certfile /etc/mosquitto/certs/fullchain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
 require_certificate true
 use_identity_as_username true