Where to get CA certificate for Venus SSL self-signed certificate

I am excited that in Venus firmware 3.50, there is finally password-protection for MQTT and other LAN services, including SSL. I definitely appreciate the good job from the Victron team.

Unfortunately, I am unable to integrate with Home Assistant, due to SSL verification failure of the HA Mosquitto broker. I need to provide HA with the CA certificate so it validates the SSL certificate served by Venus (Cerbo GX in my case).

I found some outdated version, which obviously is not the one which signed the venus.local SSL certificate included in fw 3.50:
https://github.com/victronenergy/dbus-mqtt/blob/master/venus-ca.crt

Does anyone know where to obtain the CA/root certificate?

:+1: I’ll find out and revert

1 Like

The certificate is self signed so there is no CA as such.

You should be able to import the venus.local certificate from your Cerbo into the store on your HA machine (/usr/lib/ssl/certs/) which will imply it’s a trusted CA.

Screenshots attached demonstrate there is no certificate chain with the venus.local cert.


2 Likes

Thanks for your response, actually, this is what I already tried - without luck, prior to submitting this thread.

I’ve also tried CLI tools to extract the CA certificate from the CRT, which gave me the same result - they output just the CRT itself. So using this certificate did not help.

Connecting to Cerbo using MQTT explorer, with TLS:on, Verify:off and using username/password works perfectly.

This is the bridge config I use in Home Assistant, you can also see the commented options, which I tried in endless combinations. I have also tried the bridge_insecure option, which should enable use of self-signed certificates, but with no luck:

connection victron

address 192.168.1.15:8883
#address 192.168.1.15:1883

remote_username victron
remote_password **************

bridge_insecure true

#bridge_cafile /share/mosquitto/certs/venus-ca.crt
#bridge_certfile /share/mosquitto/certs/venus-ca.crt
#bridge_capath /etc/ssl/certs
#bridge_tls_version tlsv1.3
#bridge_protocol_version mqttv311

topic N/# in 0 victron/ 
#topic R/# out 0 victron/ 
#topic W/# out 0 victron/
#topic # both 0

Edit: this is what I get as response in mosquitto:

2024-11-02 17:26:18: Connecting bridge victron (192.168.1.15:8883)
2024-11-02 17:26:18: OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-11-02 17:26:18: Client local.core-mosquitto.victron disconnected: Protocol error.

I’ve spent many hours with that already, looking through forums, Victron repositories, Home Assistant forums, Mosquitto Add-on docs, and I feel lost. I put all my hope in the long-awaited MQTT/SSL/auth feature of Victron, but when it finally came, I can’t make it work :frowning:

Since you tell me that there is no CA for this SSL (although it is possible to generate a self-signed certificate with one’s own self-created CA), I should maybe direct my questions to Mosquitto/Home Assistant forums, since it seems Venus SSL works on its own (with verify:off for SSL)…

Hi, if you find the answer, pls post here as well!

Then I can document it somewhere.

And I’ll unmark that one answer as the solution.

1 Like

I will definitely post solution once resolved, thanks everyone for your time.

I’ve also edited the message above and added the error output from Mosquitto bridge initialization.

I’ve been playing around with mosquitto_sub and as you suggest, there seems to be no way to work around the self-signed certificate from the VenusOS broker. The “--insecure” flag only bypasses hostname validation.

Importing the self-signed certificate into the CA store doesn’t work. I’m guessing as it’s not actually a CA certificate, just a certificate signed with its own key.

You would need to mess around with the certificate used by the VenusOS broker (flashmq) to get this working. That would involve creating a CA cert, signing a cert with the CA, then using the cert chain and private key in the flashmq config file. Then copy the CA cert over to your HA instance.

A suggestion to Victron devs would be to have VenusOS create a CA cert locally, sign the cert used by the MQTT broker and web service so folk can grab a copy and use on integrated systems.

That said, unless you have the CN in the cert and DNS locally all setup properly the certificate will never pass hostname validation. So you will have to bypass validation checks anyway. Kinda begs the question as to why bother with TLS if this is over a local network that (I assume) you trust.

Thanks for your response and investigation. I was pretty sure that I tried everything possible, and that reason of failure is CA/trust-related stuff.

You described it perfectly - in ideal world, Venus device would sign the certificate with CA. Or, I believe that enough would be (without having the device to sign the certificate, as I expect the certificate is fixed and distributed the same for all venus devices):

  1. Victron devs create CA certificate
  2. sign the certificate bundled in the device
  3. provide the CA certificate publicly somewhere

I know the state in which the OS v3.50 is now is amazing, so much perfect stuff done on the Victron side (many thanks to Matthijs Vader), so I feel embarrassed to ask for even more… but THAT would make the security thing much more complete.

Otherwise, even though all this great stuff has been made, I have to stick with plain/no-SSL settings, not utilizing the security features Victron made.

I’ve been watching and asking for that since this thread: :slight_smile:
https://communityarchive.victronenergy.com/questions/177520/victron-mqtt-broker-how-to-set-password.html

Re: your question about trusted network and why bother with TLS:
To be honest, the only reason is paranoia, since I consider a PV system critical infrastructure even in a home environment :slight_smile:

My trust in my (although I hope well-managed) LAN is limited. My metallic LAN is connected to wifi, so if there is any breach to my LAN (either by compromised IoT device, cracked PSK), then the attacker can listen to the unencrypted traffic, get the MQTT password and use it to send commands to Venus.

I know that for a home environment, this might be an overkill and paranoid approach, but when the TLS feature is there, I just want to utilize it…

What is the username supposed to be for MQTT Explorer when you have secured your cerbo? I’ve tried “victron” as the username and it doesn’t work, I just get a “Disconnected from server” error.

I’m also interested in the cert for HA as all of my components froze as soon as I enabled security on my Cerbo.

Hi all, just posting a note here to let you know I’ve seen this.

A colleague will have to look into this. Might take a little while for someone with experience in this to take a look.

3 Likes

Re: MQTT username:
I use “victron” just to keep it clean, but I believe it can be any string, since in Venus, only the password is set in Settings.

I assume this based on following thread, although it’s related to Mosquitto - the predecessor of FlashMQ broker that Venus uses after recent major upgrades:

Thanks. For some reason no matter what I use I still cannot get it to connect at all. The network security profile is set to “secure” and I’m on v3.51.

MQTT with TLS is on port 8883

1 Like

That’ll do it! Thanks!

In all my testing I completely missed that. I guess in my mind the port would have changed when TLS was enabled.

Hi, is there anything new about the certificate issue? I have exactly the same problem and spent some hours ending up with no solution …

I believe guys in Victron will look at it at some time, as mpvader mentioned.

I am just patient and give them their time - this is probably not so quick to implement, and if it ever will be done, then there is a regular roadmap for releasing updates. So, AFAIK, there is nothing new, I patiently wait… :slight_smile:

Good news, I finally got it working … I tried so much that I don’t know exactly what is necessary :wink:

Here is the bridge config on my HomeAssistant NUC. I created a self signed certificate as described here: https://www.baeldung.com/openssl-self-signed-cert and placed it within /ssl folder

I also created a /etc/flashmq/flashmq_user_passwd.txt file on the Cerbo as described here: https://communityarchive.victronenergy.com/storage/attachments/venus320mqttok.pdf
Probably this is not necessary?

In VenusOS on the CerboGX I changed the flashmq.conf file like this and used the self signed certs

I don’t know if this is a problem for the other Victron stuff or if it’s gone after a firmware update … :wink:

Perhaps some Victron guys can help us out here, thanks!

Hello, that might work as you described, although you are right that:

  1. password file should not be necessary, since mqtt broker in Cerbo should use the “network password” defined in the 3.50 firmware UI

  2. yes, this probably will not survive the firmware update, similarly to the previous “hacky” solutions that existed before the 3.50 firmware, like the one you linked from the PDF.

Definitely thanks for exploring and testing this, I might temporarily go with this solution, although a clean, official way would be preferred if the guys from Victron come up with a solution over time. Especially because of firmware updates (I previously used some of the solutions, but was then tired of setting everything up again after firmware updates).

Thanks!