All device stopped connecting to MQTT broker

[DonatoD]

PROBLEM DESCRIPTION

I don't now why but all devices (shelly1 and 2) stopped working. Devices are installed in different places with different LAN, internet conenction, ecc. So it must happens something general. I presume after letsencrypt certificate automatic renew. But I don't understand what. it's just a while it happens and I've tryed everithing but nothing, I cannot fix it.

REQUESTED INFORMATION

Configuration

• devices are conencted to mosquitto broker on a remote server
• devices have tasmota version 11.0.0
• mosquitto configuration does not have any TLS configuration
• secure conenction is handled by ngnix
• I use Certbot to renew letsencrypt certificate

A) LOG MESSAGES

1. Firtstly I had:

• tasmota's console
  TLS connection error: 296
  Connection failed to www.mysite.com:2222, rc -2. Retry in 120 sec
• ngnix's error
  [info] 2093274#2093274: *330537 client xxxxxxxxxxx:16496 connected to 0.0.0.0:2222
  [info] 2093274#2093274: *330537 SSL_do_handshake() failed (SSL: error:0A0000C1:SSL routines::no shared cipher) while SSL handshaking, client: xxxxxxxxxxx, server: 0.0.0.0:2222

2. Googling, the problem could be the certificate type (I have some doubt since I didn't change any settings at all). So I forced letsencrypt renew certificate passing from key_type = ECDSA to key_type = rsa. Now this is what I get

• tasmota's console
  TLS connection error: 62
  Connection failed to www.mysite.com:2222, rc -2. Retry in 120 sec
• ngnix's error
  [info] 2159881#2159881: *116021 client xxxxxxxxxxx:16541 connected to 0.0.0.0:63101
  [info] 2159881#2159881: *116021 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: xxxxxxxxxxx, server: 0.0.0.0:63101

B) SETTINGS

• mosquitto:
  listener 1883
  protocol mqtt
  listener 1884
  protocol websockets

• ngnix
  log_format mqtt '$remote_addr [$time_local] $protocol $status $bytes_received '
  '$bytes_sent $upstream_addr';
  upstream msqt_mqtt {
  server 127.0.0.1:1883;
  }
  server {
  listen 2222 ssl;
  proxy_pass msqt_mqtt;
  ssl_preread on;
  ssl_certificate /etc/letsencrypt/live/mysite.it/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mysite.it/privkey.pem;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  ssl_session_cache shared:mqtt_nginx_SSL:10m;
  ssl_session_timeout 1440m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_ciphers 'HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  access_log /var/log/nginx/mqtt_access.log mqtt;
  error_log /var/log/nginx/mqtt_error.log info;
  }

TO REPRODUCE

I don't know

EXPECTED BEHAVIOUR

devices still get conneted without problems

[barbudor]

Can you connect a computer MQTT client such as MQTT Explorer in the same conditions as a Tasmota ?

[DonatoD]

Yes, they have never stopped working, I'm encountering this problem only on tasmota devices

[s-hadinger]

What are your Tasmota versions?

Letsencrypt changed its CA, you need to update Tasmota if your version is too old

[DonatoD]

My version of Tasmota is 11.0.0

[s-hadinger]

Then you need to update and it will work again

[DonatoD]

Ok thanks. Doy ou know if there is a way to update them without losing all settings? Devices are in different places and just remotely reachable. It will be complicated and painful if I should do it manually one by one and re-enter the correct settings. It's different for each one. Even more if they would change their status into off. They are configured as simple on/off switch.

[sfromis]

In general, OTA upgrade of firmware will not lose settings. Still, to be extra sure, I'd recommend first to try out the steps on your desk.

[dac2020]

[DonatoD]

Could please someone tell me something more about "Enables fingerprint-based validation"? For what I've understood, this is especially for self made sertificates and you have to change it everithing you renew them. So, it won't work with public certificate like letsencript and similar. Is that correct?

[sfromis]

Did you read the Tasmota docs?
https://tasmota.github.io/docs/TLS/#fingerprint-validation

[DonatoD]

Yes, reading it and others info, I've understood that fingerprint has been thought for self signed certificates

[sfromis]

The docs page explicitly describes it as being for more than self-signed.

SetOption132 1: Fingerprint validation. This method works for any server certificate, including self-signed certificates. The server's public key is hashed into a fingerprint and compared to a pre-recorded value. This method is more universal but requires an additional configuration (see below)

[DonatoD]

I have updated to the last version 14.3.0. now the devies are working but after several test it seems that tasmota doesn't support ECDSA certificates but only the RSA ones. Is it correct or maybe there could be something wrong with my configuration?

[Jason2866]

Yes only RSA supported. Size and speed are the reasons.

[s-hadinger]

The only cipher supported is: ECDHE_RSA_WITH_AES_128_GCM_SHA256:

• session establishment using ECDHE with P256 curve
• certificate signed with RSA (2048 or 4096 bits)
• symmetrical encryption using AES 128 bits in GCM mode
• signature using SHA256

This is VERY widely supported cipher and secure enough for most usage. And it's fast for an ESP microcontroller.