我为客户端设置了带有TLS身份验证的VerneMQ,并有以下配置。
DOCKER_VERNEMQ_ACCEPT_EULA = "yes"
DOCKER_VERNEMQ_LISTENER__TCP__ALLOWED_PROTOCOL_VERSIONS = "3,4,5"
DOCKER_VERNEMQ_ALLOW_ANONYMOUS = "on"
DOCKER_VERNEMQ_KUBERNETES_INSECURE = "1"
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT = "0.0.0.0:8883"
DOCKER_VERNEMQ_LISTENER__SSL__REQUIRE_CERTIFICATE = "on"
DOCKER_VERNEMQ_LISTENER__SSL__USE_IDENTITY_AS_USERNAME = "on"
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE = "/vernemq/cert/ca.crt"
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE = "/vernemq/cert/server.crt"
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE = "/vernemq/cert/server.key"
DOCKER_VERNEMQ_VMQ_ACL__ACL_FILE = "/vernemq/acl/vmq.acl"
使用此配置,客户端能够使用TLS证书进行连接。
使用admin-cli,我可以看到使用TLS证书连接的客户端作为匿名连接
$ vmq-admin session show
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
| client_id | is_online | mountpoint | peer_host | peer_port | user |
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
| anon-Y9WGxgX01b2gDk/D2rDENwpY7JI= | true | | #.#.#.144 | 25064 | *.example.com |
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
如果我设置了DOCKER_VERNEMQ_ALLOW_ANONYMOUS = "off",则客户端无法连接到代理,并出现错误Connection error: Connection Refused: not authorised.。
在MQTT方面,我看到以下错误
14:20:05.039 [debug] Replica meta9: Can't initialize AE exchange due to no peer available
14:20:09.409 [warning] can't authenticate client {[],<<"anon-jIvdbHkbISRjo6dEzFqLxUwfEa4=">>} from x.x.x.x:3340 due to plugin_chain_exhausted
14:20:09.409 [debug] session normally stopped
我的配置出了什么问题?
我在VerneMQ用户谷歌小组中给出了解释:https://groups.google.com/g/vernemq-users/c/jFTuXzDUAdA