secure websocket does not work with Moquette version 0.17 #894

Closed
AndroidDesigner opened this issue Feb 5, 2025 · 4 comments

Comments

@AndroidDesigner

Hello @andsel.
I'm using Moquette version 0.17 and insecure websocket (ws://...) works fine, but secure websocket (wss://...) does not work.
I'm using Let's Encrypt for SSL on my domain, and port 9092 for wss is open and listening, but my web application cannot connect to the broker via wss (tested in both Firefox and Chrome).

How can I debug it?

My web application is written in Flutter/Dart and below is the web browser log:

main.dart.js:35531 MQTT::: Mqtt connecting....

Authenticating with username '{USERNAME1}' and password '{PASSWORD1}'
MqttClient::connect - Connection timeout period is 2000 milliseconds
MqttClient::connect - keep alive is enabled with a value of 60 seconds
MqttConnectionKeepAlive:: Initialised with a keep alive value of 60 seconds
MqttConnectionKeepAlive:: Disconnect on no ping response is disabled
MqttConnectionHandlerBase::connect - server wss://IP:9092/mqtt, port 9092
SynchronousMqttBrowserConnectionHandler::internalConnect entered
SynchronousMqttBrowserConnectionHandler::internalConnect - initiating connection try 0, auto reconnect in progress false
SynchronousMqttBrowserConnectionHandler::internalConnect - calling connect
MqttBrowserWsConnection::connect - entered
MqttBrowserWsConnection::connect -  WS URL is wss://IP:9092/mqtt
MqttBrowserWsConnection::connect - connection is waiting

main.dart.js:7246 WebSocket connection to 'wss://IP:9092/mqtt' failed: 

MqttBrowserWsConnection::connect - websocket has erred
SynchronousMqttBrowserConnectionHandler::internalConnect - connection complete
SynchronousMqttBrowserConnectionHandler::internalConnect sending connect message
MqttConnectionHandlerBase::sendMessage - MQTTMessage of type MqttMessageType.connect
Header: MessageType = MqttMessageType.connect, Duplicate = false, Retain = false, Qos = MqttQos.atMostOnce, Size = 0
Connect Variable Header: ProtocolName=MQTT, ProtocolVersion=4, ConnectFlags=Connect Flags: Reserved1=false, CleanStart=true, WillFlag=false, WillQos=MqttQos.atMostOnce, WillRetain=false, PasswordFlag=true, UserNameFlag=true, KeepAlive=60
MqttConnectPayload - client identifier is : CLIENT_IDENTIFIER1

main.dart.js:106644 WebSocket is already in CLOSING or CLOSED state.

SynchronousMqttBrowserConnectionHandler::internalConnect - pre sleep, state = Connection status is connecting with return code of noneSpecified and a disconnection origin of none
SynchronousMqttBrowserConnectionHandler::internalConnect - post sleep, state = Connection status is connecting with return code of noneSpecified and a disconnection origin of none
SynchronousMqttBrowserConnectionHandler::internalConnect - initiating connection try 1, auto reconnect in progress false
SynchronousMqttBrowserConnectionHandler::internalConnect - calling connect
MqttBrowserWsConnection::connect - entered
MqttBrowserWsConnection::connect -  WS URL is wss://IP:9092/mqtt
MqttBrowserWsConnection::connect - connection is waiting

@andsel
Collaborator

andsel commented Feb 5, 2025

You have to enable SSL debug logs to grab more details during the TLS handshake.
When you run the application with the broker you have to add

-Djavax.net.debug=ssl,handshake

to the java command used to run it.

More details on TLS debugging here:

If the TLS handshake and connection go well, then we find out how to investigate at the Netty/Moquette handler level.

@AndroidDesigner
Author

I see secure TCP connections do not work either!

So, I used sudo tcpdump -i any port 8883 -X to monitor SSL/TLS connections on port 8883 on my own server.
If I send a secure TCP connection over port 8883 (using, for example, the MQTT.Fx client), the logs below are shown, but the connection is not established.

Also, I added -Djavax.net.debug=ssl,handshake to java -jar ..., but nothing at all is shown about SSL details in my logs.
What do you think my problem is?

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:43:43.359378 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773092798 ecr 0,nop,wscale 7], length 0
14:43:44.384151 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773093823 ecr 0,nop,wscale 7], length 0
14:43:45.408341 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773094847 ecr 0,nop,wscale 7], length 0
14:43:46.433158 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773095871 ecr 0,nop,wscale 7], length 0
14:43:47.458928 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773096896 ecr 0,nop,wscale 7], length 0
14:43:48.480035 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773097919 ecr 0,nop,wscale 7], length 0
14:43:50.528300 eth0  In  IP MY-IP.54610 > mqtt.8883: Flags [S], seq 1240210208, win 64240, options [mss 1350,sackOK,TS val 3773099967 ecr 0,nop,wscale 7], length 0
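
Every summary line in the capture above is an inbound `Flags [S]` with the same sequence number, and TLS can only begin once the TCP handshake completes, so it is worth classifying the TCP state before looking for `javax.net.debug` output. The following is an added example, not part of the original thread: the `handshake_state` helper, the verdict strings and the sample lines (documentation IP addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump summary line, with or without the "iface In/Out" columns of "-i any"
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?:\S+\s+(?:In|Out)\s+)?IP6?\s+"
    r"(\S+) > (\S+): Flags \[([^\]]+)\]"
)

# Constructed sample: three flows to a broker's TLS, plain and wss ports
SAMPLE = """\
14:43:43.359378 eth0  In  IP 192.0.2.10.54610 > 198.51.100.5.8883: Flags [S], seq 1, length 0
14:43:44.384151 eth0  In  IP 192.0.2.10.54610 > 198.51.100.5.8883: Flags [S], seq 1, length 0
14:43:45.408341 eth0  In  IP 192.0.2.10.54610 > 198.51.100.5.8883: Flags [S], seq 1, length 0
14:44:01.000100 eth0  In  IP 192.0.2.10.54700 > 198.51.100.5.1883: Flags [S], seq 7, length 0
14:44:01.000180 eth0  Out IP 198.51.100.5.1883 > 192.0.2.10.54700: Flags [S.], seq 9, ack 8, length 0
14:44:01.020300 eth0  In  IP 192.0.2.10.54700 > 198.51.100.5.1883: Flags [.], ack 1, length 0
14:44:05.000100 eth0  In  IP 192.0.2.10.54800 > 198.51.100.5.9092: Flags [S], seq 3, length 0
14:44:05.000150 eth0  Out IP 198.51.100.5.9092 > 192.0.2.10.54800: Flags [R.], seq 0, ack 4, length 0
"""

def handshake_state(capture):
    """Map each flow (sorted endpoint pair) to how far its TCP handshake got."""
    seen = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines and hex rows from -X are skipped
        src, dst, flags = m.groups()
        flow = seen[tuple(sorted((src, dst)))]
        if flags == "S":
            flow["syn"] += 1          # client SYN (repeats are retransmissions)
        elif flags == "S.":
            flow["synack"] += 1       # listener answered
        elif "R" in flags:
            flow["rst"] += 1          # host actively refused or reset
    verdicts = {}
    for key, f in seen.items():
        if f["synack"]:
            verdicts[key] = "established"   # TLS ClientHello can follow
        elif f["rst"]:
            verdicts[key] = "refused"       # nothing accepting on that port
        elif f["syn"]:
            verdicts[key] = f"no-reply after {f['syn']} SYN"  # SYN unanswered
        else:
            verdicts[key] = "no handshake seen"  # capture started mid-stream
    return verdicts

if __name__ == "__main__":
    for flow, verdict in handshake_state(SAMPLE).items():
        print(flow, "->", verdict)
```

A `no-reply` or `refused` verdict means no TLS bytes were exchanged on that flow, so the listener binding and any packet filtering in front of it are what to check first.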

@andsel
Collaborator

andsel commented Feb 6, 2025

By default those net.debug logs are printed to the console error stream; check https://www.baeldung.com/java-ssl-debug-logging#using-logging-configuration-file if you need to configure Java Util Logging. Remember that Moquette uses Apache Log4j 1, so you have to set the properties.
Here is a small guide on how to configure JUL (Java Util Logging). In general, you should create a jul_logging.properties file containing:

java.util.logging.ConsoleHandler.level=ALL
java.net.ssl.handlers=java.util.logging.ConsoleHandler
javax.net.ssl.level=ALL

and then pass -Djava.util.logging.config.file=<path_to>/jul_logging.properties to your Java launch line.

@AndroidDesigner
Author

Thanks dear @andsel
I solved it finally! The problem was due to the .jks file!
