We are working on setting up Haproxy as Load Balancer in front of our MQTT cluster. The goal is to use certificate authentication to setup mTLS between our devices and the broker. The configuration is something very similar to this: Restrict API Access With Client Certificates (mTLS)
Currently we have a private CA established for handing out certs as needed to multiple customers. The main SSL cert is from GoDaddy. The same as described in the blog referenced above.
The MQTT client is a PAHO C implementation. We continue to see odd behavior when passing the ca-file to Haproxy. Some devices using the GoDaddy bundle in the ca-file parameter work and others do not. Some devices using the Private CA in the ca-file parameter work and others do not. It’s odd to not be able to get the same results with the same configuration.
So first question. When PAHO sends the ca-file should that be referencing the SSL cert from GoDaddy or the private CA we have established for client authentication? Should I remove GoDaddy from the TCP configuration and setup a server cert from the private CA instead?
Second…has anyone had any luck setting up mTLS over TCP using Haproxy and an MQTT client?