Integration module fails to sync with external MQTT broker after certificate renewal

After renewing TLS certificates on our external MQTT broker (Mosquitto 2.0), the Integration Services module in cciot-25 can no longer establish connections. The broker logs show TLS handshake failures with “certificate verification failed” errors. We’ve confirmed the new certificates are valid and properly configured on the broker side.

Error from integration logs:

SSLHandshakeException: sun.security.validator.ValidatorException
PKIX path building failed
Unable to find valid certification path

The old certificates expired yesterday, so we urgently need to complete the TLS certificate renewal process and update the trust store in IoT Cloud Connect. We’re also wondering if there are specific requirements for MQTT secure connection configuration when using external brokers. The integration was working perfectly before the certificate renewal.

When working with external MQTT brokers, I always recommend using a certificate monitoring script that alerts you 30 days before expiration. This gives you time to plan the renewal without service interruption. Also, during renewal, keep both old and new certificates valid for at least 24 hours to allow gradual rollover.

One more thing - if you’re using client certificate authentication (mutual TLS), you’ll need to update both the trust store and the client keystore. The broker needs to trust your client certificates, and your client needs to trust the broker certificates. Both sides must be updated during renewal.

The PKIX path building error means the Integration module doesn’t trust the new certificate chain. You need to import the new CA certificate into IoT Cloud Connect’s trust store. The renewal process requires updating both the broker certificates and the client-side trust store.

The Integration Services module uses its own trust store located at /opt/cisco-iot/integration/config/truststore.jks. You’ll need to import the new CA certificate there using keytool. Make sure to restart the integration service after updating the trust store, as it only loads certificates at startup. Also verify that the certificate chain is complete - intermediate certificates must be included.

Here’s the complete solution addressing all three focus areas:

TLS Certificate Renewal Process: First, obtain the complete certificate chain from your MQTT broker, including the root CA and any intermediate certificates. Export these to PEM format if they’re not already.

Verify the certificate chain is valid:

openssl verify -CAfile ca-chain.pem broker-cert.pem

If verification succeeds, you have a valid chain. If it fails, you’re missing intermediate certificates.

Trust Store Update: Import the new CA certificate chain into the Integration Services trust store:

keytool -import -trustcacerts -alias mqtt-broker-ca \
  -file ca-chain.pem \
  -keystore /opt/cisco-iot/integration/config/truststore.jks \
  -storepass changeit

If you had previously imported the old certificate, remove it first:

keytool -delete -alias mqtt-broker-ca-old \
  -keystore /opt/cisco-iot/integration/config/truststore.jks

Verify the import:

keytool -list -keystore /opt/cisco-iot/integration/config/truststore.jks

Restart the Integration Services module:

sudo systemctl restart cisco-iot-integration

MQTT Secure Connection Configuration: Update your MQTT integration configuration to ensure proper TLS settings:

  1. In the Integration Services configuration file (/opt/cisco-iot/integration/config/mqtt-broker.properties), verify:

mqtt.broker.url=ssl://mqtt-broker.yourdomain.com:8883
mqtt.tls.version=TLSv1.2
mqtt.tls.verify.hostname=true
mqtt.connection.timeout=30
mqtt.keepalive.interval=60

  2. Ensure hostname verification is enabled. The broker certificate’s CN or SAN must match the hostname in your connection URL. If you’re using an IP address, add it to the certificate’s SAN field.

  3. For mutual TLS (if applicable), also update the client keystore:

keytool -importkeystore \
  -srckeystore client-cert.p12 -srcstoretype PKCS12 \
  -destkeystore /opt/cisco-iot/integration/config/keystore.jks \
  -deststoretype JKS

  4. Test the connection using mosquitto_pub/sub to verify broker accessibility:

mosquitto_pub -h mqtt-broker.yourdomain.com -p 8883 \
  --cafile ca-chain.pem -t test/topic -m "test" \
  --tls-version tlsv1.2

Ongoing Certificate Management: Implement automated certificate monitoring:

  • Set up alerts for certificates expiring within 30 days
  • Use Let’s Encrypt or similar for automatic renewal where possible
  • Document the renewal process including all trust store locations
  • Test certificate renewal in a staging environment first
  • Keep certificate renewal history for audit purposes

After following these steps, your Integration Services module should successfully reconnect to the MQTT broker with the new certificates. Monitor the integration logs for successful TLS handshake messages confirming the connection is established.
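As an added example that is not code from this thread or from IoT Cloud Connect, the script below pulls together two recommendations made above: the expiry-monitoring check that warns 30 days ahead, and the hostname verification against the broker certificate's SAN entries from step 2. It uses only the Python standard library, so it can run from any host that can reach the broker. The broker hostname and CA file path are placeholders to be replaced with your own; CERT_FIXTURE is a constructed sample in the shape that ssl's getpeercert() returns, so the checks can be exercised offline.

```python
"""Stdlib-only TLS checker for an external MQTT broker (added example).

Given a CA chain file, it opens a verified TLS connection to the broker,
reports days until the certificate expires, and checks that the hostname
you connect to is actually covered by the certificate's SAN entries.
"""
import socket
import ssl
import sys
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# used only for offline checks, not a real certificate.
CERT_FIXTURE = {
    "subject": ((("commonName", "mqtt-broker.yourdomain.com"),),),
    "subjectAltName": (
        ("DNS", "mqtt-broker.yourdomain.com"),
        ("DNS", "*.internal.example"),
        ("IP Address", "10.0.0.5"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_matches(pattern, hostname):
    """Compare a DNS SAN entry with a hostname, case-insensitively.
    A wildcard is honoured only in the leftmost label and matches exactly
    one label, so '*.internal.example' covers 'x.internal.example' but not
    'a.b.internal.example' or 'internal.example'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and ("." + tail) == pattern[1:]


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS or IP SAN entry. The subject CN is
    consulted only for legacy certificates that carry no SAN at all."""
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and _dns_matches(value, hostname):
                return True
            if kind == "IP Address" and value == hostname:
                return True
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_matches(value, hostname):
                return True
    return False


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(),
    e.g. 'Jan  1 00:00:00 2030 GMT'. Returns a float number of days."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def classify(days_left, warn_days=30):
    """EXPIRED / WARN / OK, with WARN raised warn_days before expiry."""
    if days_left <= 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "WARN"
    return "OK"


def check_broker(cert, hostname, warn_days=30, now=None):
    """Combine the expiry and hostname checks into one result dict."""
    days = days_until_expiry(cert["notAfter"], now)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "days_left": days,
        "status": classify(days, warn_days),
    }


def fetch_broker_cert(host, port=8883, cafile=None):
    """Open a verified TLS 1.2+ connection and return the peer certificate.
    If the chain cannot be built from cafile this raises
    ssl.SSLCertVerificationError, the same condition the Java client
    reports as 'PKIX path building failed'."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholders: replace with your broker hostname and the ca-chain.pem
    # you verified with openssl above.
    host = sys.argv[1] if len(sys.argv) > 1 else "mqtt-broker.yourdomain.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        cert = fetch_broker_cert(host, cafile=cafile)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate verification failed: {exc.verify_message}")
        sys.exit(2)
    result = check_broker(cert, host)
    print(f"{host}: {result['status']} ({result['days_left']:.1f} days left), "
          f"hostname_ok={result['hostname_ok']}")
    sys.exit(0 if result["status"] == "OK" and result["hostname_ok"] else 1)
```

Run it as `python3 mqtt_cert_check.py mqtt-broker.yourdomain.com ca-chain.pem` from cron; a non-zero exit code is the alert. Because it verifies against the same CA chain you import into the trust store, a verification failure here before the keytool import tells you the chain file itself is incomplete, which separates a missing intermediate from a stale trust store.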