
I try to secure-connect to mosquitto with MQTT.js (https://www.npmjs.com/package/mqtt) and I always get the following error:

node.js

Error: self-signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
    at TLSSocket.emit (node:events:518:28)
    at TLSSocket._finishInit (node:_tls_wrap:1076:8)
    at ssl.onhandshakedone (node:_tls_wrap:862:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

mosquitto

1749810067: New connection from 127.0.0.1:52519 on port 8883.
1749810067: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
1749810067: Client <unknown> disconnected: protocol error.

It is somehow clear that there's a self-signed certificate in the chain - the root-CA - so I find that error message weird...

Maybe I understand something wrong?

I created my own certificate chain, which I also verified via OpenSSL. Also, a two-way TLS connection using MQTTX (https://mqttx.app/) works without any problem, so I guess my certificates + chain are fine.

Configuration

Certificate-chain structure

  • ca.crt (Root CA)
    • intermediate.crt (intermediate CA)
      • server.crt (mosquitto)
      • client.crt (localhost)

Verified with OpenSSL and working great when using MQTTX.

mosquitto.conf

For mosquitto I combined the intermediate.crt and the ca.crt into one ca_all.crt.

listener 8883
protocol mqtt
cafile ca_all.crt
certfile server.crt
keyfile server.key
allow_anonymous true
require_certificate true

MQTT.js

this._mqttClient = await mqtt.connectAsync(
  'mqtts://localhost:8883',
  {
    protocol: 'mqtts',
    caPaths: 'ca_all.crt',
    certPath: 'client.crt',
    keyPath: 'client.key',
  });

What I already tried

  • connect via MQTTX -> OK
  • caPath variants
    • use [intermediate.crt, ca.crt] as string[] -> NOK
    • use ca_all.crt as string -> NOK
  • add NODE_EXTRA_CA_CERTS as system variable pointing to ca_all -> NOK

I'm happy for every hint which could make this work! Thanks in advance.

2025-06-16 Update

Similar issue nodejs - error self signed certificate in certificate chain

This issue seems to be similar but the solutions are not applicable for my use case.

  • Option 1: No, I cannot do that
  • Option 2: I cannot do that as I use MQTT.
  • Option 3: My certificates are good - verified by openSSL and other Mqtt clients.

2025-06-16 Solution

The files must be read and then passed to ca, cert and key of the options.

  • This question is similar to: nodejs - error self signed certificate in certificate chain. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. Commented Jun 13 at 10:35
  • Imo all of the options in the other issue don't help in my use case - see 2025-06-16 UPDATE. Commented Jun 16 at 6:17
  • Well, I think option 3 is the way to go. I'm not saying your cert is invalid. Your cert is good, but it is in fact SELF-SIGNED, right? Yeah, OpenSSL and other clients give it a pass, but that's just what those particular impl choose to do. In the same manner, that specific "http" impl in Node.js chooses to NOT allow self-signed cert by default, as it's clearly stated in the error message. It's a matter of choice, not right or wrong. Commented Jun 16 at 8:11
  • root CAs are always self-signed so I don't understand why it would be better if an external CA would be used Commented Jun 16 at 10:34

1 Answer


Node.js does not take paths to certificates or keys; you need to pass the actual content, e.g.

const { readFileSync } = require('node:fs');

this._mqttClient = await mqtt.connectAsync(
  'mqtts://localhost:8883',
  {
    protocol: 'mqtts',
    ca: [readFileSync('ca_all.crt')],
    cert: readFileSync('client.crt'),
    key: readFileSync('client.key'),
  });

Also, NODE_EXTRA_CA_CERTS needs to be an environment variable in scope for the process. It is only read once at startup, so you cannot set it using process.env.NODE_EXTRA_CA_CERTS='/path/to/file.crt'


3 Comments

Hello, doesn't work - still get 'Error: self-signed certificate in certificate chain' - no difference. But anyway, as I get this error it seems, at least to me, that the certificates are read. If they would not have been read, I guess I also wouldn't get this error, right? Yes, NODE_EXTRA_CA_CERTS is an env variable on my system.
What order are the intermediate and root certs in the ca_all.crt? The intermediate needs to be first. And no, the error does not imply the certs are being read. Simplify the problem: remove the client certificates first.
somehow it seems I mixed up some things but your suggestion to read the files in advance worked - thanks a lot
