모기는 LetsEncrypt 인증서를 사용할 수 없습니다

이 가이드를 사용하여 Mosquitto를 설정하려고 합니다. https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-18-04

우분투 20.04를 사용하고 있는데 Focal 관련 가이드를 찾을 수 없습니다.

처음 설치했을 때 아무런 문제 없이 서비스를 시작하고 다시 시작할 수 있었습니다. 그러나 cofig 파일을 추가하면 특히 키 파일 라인이 손상되는 것 같습니다. Ubuntu 저장소와 PPA에서 Mosquitto를 사용해 보았습니다.

conf 파일을 생성한 후 다음과 같은 오류가 발생했습니다.

allow_anonymous false
password_file /etc/mosquitto/pwfile

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

위의 conf 파일을 추가한 후 서비스를 다시 시작하면 다음과 같이 실패합니다 journalctl -xe.

-- A start job for unit mosquitto.service has begun execution.
-- 
-- The job identifier is 4722.
Dec 20 06:45:32 thestash mosquitto[10010]: 1608464732: Loading config file /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- An ExecStart= process belonging to unit mosquitto.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4722 and the job result is failed.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Automatic restarting of the unit mosquitto.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Dec 20 06:45:32 thestash systemd[1]: Stopped Mosquitto MQTT Broker.
-- Subject: A stop job for unit mosquitto.service has finished
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A stop job for unit mosquitto.service has finished.
-- 
-- The job identifier is 4794 and the job result is done.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Start request repeated too quickly.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4794 and the job result is failed.
Dec 20 06:45:34 thestash sudo[10011]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/nano /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:34 thestash sudo[10011]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Dec 20 06:45:38 thestash sudo[10011]: pam_unix(sudo:session): session closed for user root
Dec 20 06:45:38 thestash kernel: [UFW BLOCK] IN=eth0 OUT= MAC=d6:32:76:db:0a:3b:18:2a:d3:e0:df:f0:08:00 SRC=45.129.33.168 DST=104.236.7.145 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=11309 PROTO=TCP SPT=59534 DPT=21661 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 20 06:45:44 thestash sudo[10013]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Dec 20 06:45:44 thestash sudo[10013]: pam_unix(sudo:session): session opened for user root by admin(uid=0)

default.conf에서 해당 행을 주석 처리하면 keyfile서비스가 오류 없이 다시 시작됩니다. 열쇠는 거기에 있고 내 서버의 다른 어떤 것에도 문제를 일으키지 않는 것 같습니다.

그리고 mosquitto.log 파일은 실제로 인증서를 읽는 데 문제가 있음을 보여줍니다. 권한 문제는 좋은 추측인 것 같지만 이것이 privkey.pem동일한 권한을 가진 다른 두 파일에만 문제가 되는 이유를 이해할 수 없습니다. 또한 nginx는 인증서가 없어도 내 인증서를 사용할 수 있습니다.

1608463912: mosquitto version 2.0.3 starting
1608463912: Config loaded from /etc/mosquitto/mosquitto.conf.
1608463912: Opening ipv4 listen socket on port 1883.
1608463912: Opening ipv4 listen socket on port 8883.
1608463912: Opening ipv6 listen socket on port 8883.
1608463912: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
1608463912: Error: Unable to load server certificate "/etc/letsencrypt/live/mylittlestashbox.com/cert.pem". Check certfile.
1608463912: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1608463912: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
1608463912: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib
1608464267: mosquitto version 2.0.3 starting
1608464267: Config loaded from /etc/mosquitto/mosquitto.conf.
1608464267: Opening ipv4 listen socket on port 1883.
1608464267: Opening ipv4 listen socket on port 8883.
1608464267: Opening ipv6 listen socket on port 8883.
1608464267: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
/var/log/mosquitto/mosquitto.log