Letsencrypt certificates no longer trusted

[shaman79]

On 26.6.2024 Letsencrypt certificates stopped working for me. MQTT TLS returns error 62 which translates to "X509 not trusted, the server certificate is not signed by the CA (AWS IoT or LetsEncrypt)". The certificates are surely signed by LetsEncrypt and issued using certbot.

This happened on HiveMQ, but also on my local instance. Unfortunately I lost also access to all my devices.

Is there a way to fix this?

[s-hadinger]

What version are you using? It is supposed to be fixed by #21352

[shaman79]

I have 13.1.0, was build on 8.4.2024. I guess I missed the update...

[s-hadinger]

Please test the latest and report if it solves the problem

[shaman79]

Upgrade to 14.1.0 fixed the issue.

[arendst]

As he stated: you have to execute command weblog 3 and provide the restart logging.

[RepiZoli]

Hi I run the weblog 3 but not much change . Here I share the result:

00:00:00.002 HDW: ESP8285N08
00:00:00.054 CFG: Loaded from flash at F7, Count 1486
00:00:00.060 QPC: Count 1
00:00:00.072 Project tasmota - Tasmota Version 14.1.0(release-tasmota)-2_7_6(2024-06-03T11:53:14)
00:00:01.169 WIF: Connecting to AP1 Vodafone-51ED Channel 13 BSSId 28:F5:D1:60:15:65 in mode 11n as Kapcsolo-4955...
00:00:04.006 WIF: Connected
00:00:04.258 HTP: Web server active on Kapcsolo-4955 with IP address 192.168.0.136
04:49:15.296 MQT: Attempting connection...
04:49:19.387 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 10 sec
04:49:20.541 QPC: Reset
04:49:30.141 MQT: Attempting connection...
04:49:34.211 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 20 sec
04:49:54.981 MQT: Attempting connection...
04:49:59.047 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 30 sec
04:50:29.822 MQT: Attempting connection...
04:50:33.915 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 40 sec
04:51:14.732 MQT: Attempting connection...
04:51:18.794 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 50 sec
04:51:56.672 CMD: weblog 3
04:51:56.677 RSL: RESULT = {"WebLog":3}
04:51:57.294 CFG: Saved to flash at F4, Count 1489, Bytes 4096
04:52:09.579 MQT: Attempting connection...
04:52:13.718 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 60 sec
04:53:14.550 MQT: Attempting connection...
04:53:18.662 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 70 sec
04:54:29.467 MQT: Attempting connection...
04:54:33.578 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 80 sec
04:54:45.621 RSL: STATE = {"Time":"2024-07-18T04:54:45","Uptime":"0T00:05:36","UptimeSec":336,"Heap":25,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"MqttCount":0,"POWER":"OFF","Wifi":{"AP":1,"SSId":"Vodafone-51ED","BSSId":"28:F5:D1:60:15:65","Channel":11,"Mode":"11n","RSSI":88,"Signal":-56,"LinkCount":1,"Downtime":"0T00:00:05"}}
04:55:48.294 CMD: weblog 3
04:55:48.296 SRC: WebConsole from 192.168.0.XXX
04:55:48.298 CMD: Grp 0, Cmd 'WEBLOG', Idx 1, Len 1, Pld 3, Data '3'
04:55:48.301 RSL: RESULT = {"WebLog":3}
04:55:54.400 MQT: Attempting connection...
04:55:58.512 MQT: Connect failed to XXXX.s1.eu.hivemq.cloud:8883, rc -4. Retry in 90 sec
04:56:05.630 CMD: weblog 3
04:56:05.632 SRC: WebConsole from 192.168.0.XXX
04:56:05.634 CMD: Grp 0, Cmd 'WEBLOG', Idx 1, Len 1, Pld 3, Data '3'
04:56:05.638 RSL: RESULT = {"WebLog":3}
04:56:18.796 CMD: weblog 3
04:56:18.798 SRC: WebConsole from 192.168.0.XXX
04:56:18.801 CMD: Grp 0, Cmd 'WEBLOG', Idx 1, Len 1, Pld 3, Data '3'
04:56:18.804 RSL: RESULT = {"WebLog":3}

Any Idea?

[s-hadinger]

This is a different error code. rc -4 simply means that the MQTT endpoint is not reachable, I.e. Tcp connection refused.

Nothing to do with TLS

[RepiZoli]

Thanks, my question how we can go deeper in this question. how we can check: I.e. Tcp connection refused.??

[s-hadinger]

Your question is getting off topic. If Tasmota can't reach the MQTT endpoint, that's a basic tcp issue. Please test first with a PC if you get any connection. And switch to a new discussion, your problem is not TLS for now

[shaman79]

Yes, it solves the problem. Dne po 15. 7. 2024 13:36 uživatel RepiZoli ***@***.***> napsal:

…

Hi I faced the same problem: with ONLINE HiveMQ, yesterday. If I understand it right from Tasmota 13.1.0, to 14.1.0? Thanks in advance — Reply to this email directly, view it on GitHub <#21712 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIRVDB2MUYXRFILFKV7BVJDZMOX23AVCNFSM6AAAAABKE7H7PSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMBVGAZDEMA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

[RepiZoli]

Thanks