I am configuring emqtt MQTT Broker with SSL/TLS certificates from Digicert. I had done the SSL configuration for the same broker some years back and it was fine. But when I configured the new broker installation with new certificates, I am getting "unknown CA" error.
These are the SSL settings:
mqtt.listener.ssl.keyfile = etc/certs/prod.key
mqtt.listener.ssl.certfile = etc/certs/server.crt
mqtt.listener.ssl.cacertfile = etc/certs/DigiCertCA.crt
And this is the error I saw in the server logs:
[error] <0.27032.0> SSL: certify: ssl_alert.erl:97:Fatal error: unknown ca
Can this be an issue with the new CA certificate? Maybe it requires more dependent certificates in the chain?
UPDATE: This appears to be an OS issue. I got the following error when I tested the certificates using "openssl verify" on the server:
error 2 at 1 depth lookup:unable to get issuer certificate
Verify succeeds on my local PC with the same command and the same certificates.
I updated the OS root certificates using "yum update ca-certificates", but I am still getting the same error.
I found the root cause. Basically I had missed using one of the CA certificates in the chain. The CA certificate I had was not enough. So I appended the missing CA certificate to the CA file I was using. I just used the 'cat' command for this.
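To see the depth-1 "unable to get issuer certificate" failure from the update and the fix from the answer end to end, here is an added shell example (not the poster's, and not part of emqtt) that builds a throw-away root -> intermediate -> server chain with openssl and verifies the server certificate against a CA file with and without the root. It assumes an `openssl` binary of version 1.1.0 or later (for `-no-CAfile`/`-no-CApath`); all names and subjects are constructed.

```shell
# Constructed example: reproduce the depth-1 "unable to get issuer
# certificate" failure with a throw-away root -> intermediate -> server
# chain, then fix it by appending the missing CA certificate to the CA
# file with cat, as the answer describes.
set -eu
cd "$(mktemp -d)"

# issue_cert <name> <subject> <issuer-name|self> <ca|leaf>: key, CSR and cert.
issue_cert() {
  name=$1 subj=$2 issuer=$3 kind=$4
  openssl ecparam -genkey -name prime256v1 -noout -out "$name.key"
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr"
  if [ "$kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:broker.example.test\n' >"$name.ext"
  fi
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# verify_chain <cafile> <server-cert>: the same check the question ran, but
# with the system trust store excluded, so the verdict depends only on
# <cafile> (which is why one command can pass on a PC and fail on a server
# whose OS store lacks the root).
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1
}

issue_cert root "/CN=Example Root CA" self ca
issue_cert intermediate "/CN=Example Intermediate CA" root ca
issue_cert server "/CN=broker.example.test" intermediate leaf

# What the question's cacertfile amounted to: the intermediate alone.
cp intermediate.crt ca-incomplete.pem
# The fix from the answer: append the missing CA certificate with cat.
cat intermediate.crt root.crt >ca-complete.pem

echo "--- cacertfile = intermediate only:"
verify_chain ca-incomplete.pem server.crt || true
echo "--- cacertfile = intermediate + root:"
verify_chain ca-complete.pem server.crt
```

Running `verify_chain` against the broker's real `cacertfile` and `certfile` shows whether the CA file is complete on the server itself, without needing a client to trigger the `unknown ca` alert.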