Issue
The connection to the MQTT broker is not working and the MQTT client in the ES is offline following an upgrade from EBO 2022 to EBO 2023.
The following error message can be seen in the ES trace.log:
nsp.csc.mqtt.MqttNetwork Connection failed: TCP/TLS connect failure
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Server
- Building Operation Enterprise Central
- MQTT integration
Cause
The connection fails because the client certificate in use (a self-signed certificate) is signed using SHA1. Since OpenSSL 3.0 this is forbidden at the default security level (which EBO is using) because it has less than 80 security bits.
See the text taken from https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html. The default level is 1, and that is the setting EBO is using.
Resolution
Replace the client certificate with one whose signature algorithm does not use MD5 or SHA1.
The certificate signature can be checked using the following OpenSSL command:
openssl x509 -in cert.pem -noout -text
Below is an example of how to use OpenSSL to check the signature algorithm of the client certificate:
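A scripted version of this check, as an added example that is not part of the original article: it reads the output of the command above, extracts the signature algorithm (including the digest of an RSASSA-PSS signature) and flags MD5 or SHA1. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article); function names are illustrative.

# Read `openssl x509 -noout -text` output on stdin and print the certificate's
# signature algorithm in lower case, e.g. "sha1withrsaencryption".
sig_alg_from_text() {
    awk '
        /Signature Algorithm:/ && alg == "" { alg = $3 }
        # RSASSA-PSS names its digest on a separate "Hash Algorithm:" line.
        /Hash Algorithm:/ && hash == ""     { hash = $3 }
        END {
            if (tolower(alg) == "rsassapss" && hash != "") alg = alg "-" hash
            print tolower(alg)
        }'
}

# Succeed (return 0) when the algorithm name uses MD5 or SHA1.
is_weak_sig() {
    case "$1" in
        *md5*|*sha1*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Verdict for text on stdin: 0 = acceptable, 1 = MD5/SHA1, 2 = nothing parsed.
check_text() {
    alg=$(sig_alg_from_text)
    [ -n "$alg" ] || { echo "no signature algorithm found" >&2; return 2; }
    if is_weak_sig "$alg"; then
        echo "WEAK: $alg"
        return 1
    fi
    echo "OK: $alg"
}

# Same verdict for a PEM file, using the command from the article.
check_cert() {
    openssl x509 -in "$1" -noout -text | check_text
}

# Constructed excerpt of the command's output (not a real certificate).
SAMPLE_SHA1='    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = example-client'

if [ "$#" -gt 0 ]; then
    check_cert "$1"
else
    printf '%s\n' "$SAMPLE_SHA1" | check_text || true
fi
```

With a certificate file as the first argument the script runs the check on that file; an exit status of 1 means the signature uses MD5 or SHA1.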