How to use ssl/tls in paho mqtt using python? I got certificate verify failed


Solution 1

As thrashed out in the comments.

First, you need to supply the full CA chain to verify the certificate for iot.eclipse.org. As it looks to be using the LetsEncrypt CA, you can find the Root and Intermediate certs here.

Second, you need to clean up your publisher code.

import time
import ssl
import paho.mqtt.client as paho

# Define callbacks
def on_message(client, userdata, message):
    print("received message =", str(message.payload.decode("utf-8")))

def on_log(client, userdata, level, buf):
    print("log: ", buf)

def on_connect(client, userdata, flags, rc):
    # Only publish once the connection (including the TLS handshake) has succeeded
    print("publishing ")
    client.publish("muthu", "muthupavithran")

# No client id is given, so paho generates a random one
client = paho.Client()
client.on_message = on_message
client.on_log = on_log
client.on_connect = on_connect
print("connecting to broker")
# ca_certs must hold the CA chain (intermediate + root) that signed the broker's
# certificate, not the broker's own certificate
client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt",
               tls_version=ssl.PROTOCOL_TLSv1_2)
# client.tls_insecure_set(True)  # only disables hostname checking; not needed once ca_certs is the proper chain
client.connect("iot.eclipse.org", 8883, 60)

# Start the network loop in a background thread so the CONNACK and callbacks are processed
client.loop_start()
# Wait to allow the publish and logging to happen, then stop the loop and exit
time.sleep(1)
client.loop_stop()

This code uses the on_connect callback to ensure it doesn't try to publish if there is a failure to connect. It also removes the hardcoded client id to allow the client to use a randomly generated one, so it's less likely to clash on a public test broker. The call to client.loop_forever() is also removed, as you have already started the network loop and this client doesn't need to run forever.

Third, you really should not be publishing to $SYS topics; these topics are for the broker to report status, not for general use. Also, the iot.eclipse.org broker is for testing; you should not be planning to use it for anything in production.
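The checks behind the first point of this answer and the "CA chain, not just the certificate" exchange in the comments, as an added example (not code from the question, the answer or the paho project): it loads a candidate ca_certs file the way paho's tls_set() does and reports which CA certificates OpenSSL actually accepted into the trust store, so the difference between "the server's own certificate" and "the CA chain" can be seen offline. The two PEM blocks are copied from the s_client output in the question (the iot.eclipse.org leaf and the Let's Encrypt Authority X3 intermediate); both are long expired and serve only as sample input. The function names and the bundle builder are this example's own.

```python
"""Inspect what a ca_certs file really contains before handing it to paho's
tls_set(), and build a client TLS context with the same settings paho uses.

Added example; the two PEM blocks are copied from the s_client output in the
question and are used only as sample input (both certificates have expired).
"""
import re
import ssl

# Leaf certificate for iot.eclipse.org (basicConstraints CA:FALSE), from the question.
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgISBMZjyLzHsZWasgIDta0fSCB+MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDIxMzQzMDJaFw0x
ODA5MzAxMzQzMDJaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJceipGv0SJrWNG5cLQMjDpCWFi57bw1
DRM57lbt+g4o/CPOYQJsJxJCDzWBK1kTYzA7udIt6M5LyQikyiMTLBAqkxfGgbul
ErmMfVXtZbqIda1L5L0SYNoVrMsBeqzyXJoC6Hf7nxidzkZkX99JBQBXWnMFycwk
a1uobIKR/RDbsIun62WYXD4q7H8oH4zKvbOGKCZCoBrQIIhKYhxL+UFJuQyUEm4R
9JNyMAetCQglerohRkzvDTVhjSLiOWGDkjDBg9HWEwB1talaQ7fLb7WxfZTmSDTv
CPpI1aGdPwbifvzJS+zX9nbcQavGea/onW8KIAFXxwH6tsyiTwvFzj8CAwEAAaOC
AxgwggMUMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUOuN0Niv8dMef7kpmZSdN2sn0
snUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI
BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6
KXLcpMMM9OVFR/R4AAABZFtya8kAAAQDAEcwRQIhALOwNsLvVmEUlXCZP2IcTemC
uktD+IbcCi9Ndkui59GTAiBuA4iy90SfNeyt/1eHardV7rxMe8DxwCYtBdRrzmh0
sgB3AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABZFtybAQAAAQD
AEgwRgIhAK5rIXo4d8L2muH8pt5V51aLhbs15RzYWdqVxGwcpG/DAiEAmagg9e/c
O2Jsbdz7ZBeEwogOYZvRij2U3VOJA42VADkwDQYJKoZIhvcNAQELBQADggEBAIvc
KIllapMu9oXqZZ1iKo9fMyxVsuLP5Lo6hjJFsZMFoVZQSguGoT9CsFvuw0QeqObg
xbk1y+ZeEaSYI5Gf8iHlGHq4M9zGLLUvPBbCpzy4grQTjFBQvPzH0c7qrWKPYge2
WcCox2ofvBaJ9LSOzc82vqLnkAWwnaLelk3+SlOYcrZP2me6JCQWpSRFec4p/42t
94Yvojgj5RKY6jhA6aNG3AFBSJiwgU36UZ1H3c82L0X/djOQbFGKWFaQ956s2AoY
Dmf+tdtj2AFCM7Ht8YdN6VxWlI/1hctK0TaF/4UrTEJ4n2ChTe9F8EP2exO/VcC7
V/jDTid21vBdhF2mQis=
-----END CERTIFICATE-----
"""

# Intermediate "Let's Encrypt Authority X3" (CA:TRUE), from the question.
INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return every PEM certificate block found in text, in order."""
    return _PEM_BLOCK.findall(text)


def build_ca_bundle(*pem_sources):
    """Combine PEM blocks from several sources (file contents) into one bundle,
    dropping exact duplicates. The result is what you pass to tls_set(ca_certs=...)."""
    seen, blocks = set(), []
    for src in pem_sources:
        for block in split_pem(src):
            if block not in seen:
                seen.add(block)
                blocks.append(block)
    return "\n".join(blocks) + "\n"


def ca_common_names(bundle_pem):
    """Load the bundle into an OpenSSL trust store exactly as tls_set() would and
    return the commonName of each certificate the store treats as a CA.
    OpenSSL only lists certificates with CA:TRUE here, so a file holding just the
    broker's own (leaf) certificate yields an empty list: it cannot verify anything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=bundle_pem)
    names = []
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert["subject"])
        names.append(subject.get("commonName"))
    return names


def ca_common_names_from_file(path):
    """Same check for a ca_certs file on disk (e.g. the 'server iot.crt' from the question)."""
    with open(path, "r", encoding="utf-8") as fh:
        return ca_common_names(fh.read())


def make_client_context(bundle_pem, insecure=False):
    """Client context with the settings paho's tls_set() applies (CERT_REQUIRED, hostname
    checked); insecure=True mirrors tls_insecure_set(True), which turns off only the
    hostname check, not certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=bundle_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = not insecure
    return ctx


def verifies_peer(ctx):
    """True only if the context both verifies the chain and checks the hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


if __name__ == "__main__":
    print("leaf only        ->", ca_common_names(LEAF_PEM))
    print("intermediate     ->", ca_common_names(INTERMEDIATE_PEM))
    bundle = build_ca_bundle(LEAF_PEM, INTERMEDIATE_PEM)
    print("combined bundle  ->", ca_common_names(bundle))
    print("strict context   ->", verifies_peer(make_client_context(bundle)))
```

ca_common_names(LEAF_PEM) comes back empty, which is the situation in the question: the file named server iot.crt held the broker's certificate, and OpenSSL never treats a CA:FALSE certificate as a trust anchor. The intermediate gives ["Let's Encrypt Authority X3"]. For the ca_certs file the order of the CA certificates does not matter (it is a trust store, not a chain sent on the wire); what matters is that the issuing intermediate and the root it chains to are both present. If certifi is installed, build_ca_bundle(open(certifi.where()).read(), extra_pem) combines the Mozilla bundle from Solution 2 with any extra CA.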

Solution 2

I had a similar issue. In the end I found a library that creates certificates:

import certifi

...

client.tls_set(certifi.where())
Author by muthu pavithran

Updated on October 04, 2021

Comments

  • muthu pavithran
    muthu pavithran over 2 years

    I am working on an IoT project. I am using paho MQTT, and I need to use SSL. I wrote publish code using Python, but I got a "certificate verify failed" error.

    MY PUBLISHING CODE

    import time
    import paho.mqtt.client as paho
    import ssl
    import certifi
    #define callback
    def on_message(client, userdata, message):
      time.sleep(1)
      print("received message =",str(message.payload.decode("utf-8")))
    
    client= paho.Client("client-001") 
    client.on_message=on_message
    print("connecting to broker ",)
    client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt", tls_version=ssl.PROTOCOL_TLSv1_2)
    client.tls_insecure_set(True)
    client.connect("iot.eclipse.org", 8883, 60)
    def on_log(client, userdata, level, buf):
      print("log: ",buf)#connect
    client.loop_start() #start loop to process received messages
    print("publishing ")
    client.publish("$SYS/muthu","muthupavithran",)#publish
    client.on_log=on_log
    client.loop_forever()
    #client.loop(100)
    

    MY ERROR IS

    connecting to broker 
    Traceback (most recent call last):
      File "C:\Windows\system32\config\systemprofile\Desktop\attachments\publishTEST WITH LOG.py", line 14, in <module>
        client.connect("iot.eclipse.org", 8883, 60)
      File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 768, in connect
        return self.reconnect()
      File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 927, in reconnect
        sock.do_handshake()
      File "C:\Python34\lib\ssl.py", line 810, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
    

    MY CERTIFICATE IS

    OpenSSL> s_client -showcerts -connect iot.eclipse.org:8883
    CONNECTED(00000108)
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
    0 s:/CN=iot.eclipse.org
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    MIIGCjCCBPKgAwIBAgISBMZjyLzHsZWasgIDta0fSCB+MA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDIxMzQzMDJaFw0x
    ODA5MzAxMzQzMDJaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ
    KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJceipGv0SJrWNG5cLQMjDpCWFi57bw1
    DRM57lbt+g4o/CPOYQJsJxJCDzWBK1kTYzA7udIt6M5LyQikyiMTLBAqkxfGgbul
    ErmMfVXtZbqIda1L5L0SYNoVrMsBeqzyXJoC6Hf7nxidzkZkX99JBQBXWnMFycwk
    a1uobIKR/RDbsIun62WYXD4q7H8oH4zKvbOGKCZCoBrQIIhKYhxL+UFJuQyUEm4R
    9JNyMAetCQglerohRkzvDTVhjSLiOWGDkjDBg9HWEwB1talaQ7fLb7WxfZTmSDTv
    CPpI1aGdPwbifvzJS+zX9nbcQavGea/onW8KIAFXxwH6tsyiTwvFzj8CAwEAAaOC
    AxgwggMUMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
    BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUOuN0Niv8dMef7kpmZSdN2sn0
    snUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
    YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
    b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
    b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI
    BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
    Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
    ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
    cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
    bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
    LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6
    KXLcpMMM9OVFR/R4AAABZFtya8kAAAQDAEcwRQIhALOwNsLvVmEUlXCZP2IcTemC
    uktD+IbcCi9Ndkui59GTAiBuA4iy90SfNeyt/1eHardV7rxMe8DxwCYtBdRrzmh0
    sgB3AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABZFtybAQAAAQD
    AEgwRgIhAK5rIXo4d8L2muH8pt5V51aLhbs15RzYWdqVxGwcpG/DAiEAmagg9e/c
    O2Jsbdz7ZBeEwogOYZvRij2U3VOJA42VADkwDQYJKoZIhvcNAQELBQADggEBAIvc
    KIllapMu9oXqZZ1iKo9fMyxVsuLP5Lo6hjJFsZMFoVZQSguGoT9CsFvuw0QeqObg
    xbk1y+ZeEaSYI5Gf8iHlGHq4M9zGLLUvPBbCpzy4grQTjFBQvPzH0c7qrWKPYge2
    WcCox2ofvBaJ9LSOzc82vqLnkAWwnaLelk3+SlOYcrZP2me6JCQWpSRFec4p/42t
    94Yvojgj5RKY6jhA6aNG3AFBSJiwgU36UZ1H3c82L0X/djOQbFGKWFaQ956s2AoY
    Dmf+tdtj2AFCM7Ht8YdN6VxWlI/1hctK0TaF/4UrTEJ4n2ChTe9F8EP2exO/VcC7
    V/jDTid21vBdhF2mQis=
    -----END CERTIFICATE-----
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
    q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
    SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
    Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
    a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
    /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
    AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
    CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
    bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
    c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
    VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
    ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
    MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
    Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
    AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
    uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
    wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
    X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
    PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=iot.eclipse.org
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3397 bytes and written 302 bytes
    Verification error: unable to get local issuer certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8B1F036E44D23BD9F8CB52355705726639BE769B681154D1448EB4B264EE2F43
    Session-ID-ctx:
    Master-Key: 538D0967D0732F7A758317E764D2550E3C1330C1192353A89E99C3E66F4B5A51485BB4ABF8434D23398CF84615DF54CF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d7 03 bf d1 ff 2b f7 6c-1a b3 56 ec 3a dc 8b 19   .....+.l..V.:...
    0010 - 9d 73 05 08 66 15 f3 bd-46 55 30 a0 1a e1 ca 07   .s..f...FU0.....
    0020 - 06 14 08 43 41 8e 64 1e-55 97 17 be 24 a3 a1 10   ...CA.d.U...$...
    0030 - 51 9b be c0 05 67 81 b9-e2 12 4c 80 bc 42 ed 9d   Q....g....L..B..
    0040 - 89 7a bf 9a 02 1a d6 35-07 39 6d ce 9c 8c dd cf   .z.....5.9m.....
    0050 - e2 0f f4 0f 3b e5 83 ec-2c 8d 54 bc 60 97 a1 c6   ....;...,.T.`...
    0060 - 9c c0 78 e1 1c 28 9f 38-c7 0b d9 7b ad 2a 9e 69   ..x..(.8...{.*.i
    0070 - af ef 2f 1b 2d e2 f9 8a-04 7a 6c 88 c8 28 14 8c   ../.-....zl..(..
    0080 - ac 7a 11 11 fa 94 0a 63-45 70 e8 a9 3f fb 8d be   .z.....cEp..?...
    0090 - df 9e 3c 15 20 6d 48 fe-40 d2 4f 28 58 49 a9 1b   ..<. mH.@.O(XI..
    00a0 - e7 1d de 1e ae f3 bc 57-79 0d e6 f5 5d 93 62 17   .......Wy...].b.
    
    Start Time: 1534843470
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    ---
    

    I got this certificate and I also tried to install certifi into Python, but the same error is still showing.

    • hardillb
      hardillb almost 6 years
      Any particular reason why you created a new account to ask a new question?
    • muthu pavithran
      muthu pavithran almost 6 years
      No, sir, I can't post from that account. I am not asking a new question; I am asking the same question, but in the format you taught me.
    • hardillb
      hardillb almost 6 years
      What is in server iot.crt? It should be the CA chain for the certificate provided by the broker.
    • muthu pavithran
      muthu pavithran almost 6 years
      It's a certificate, sir, that I got from the server using OpenSSL.
    • hardillb
      hardillb almost 6 years
      It needs to be the CA chain, not just the certificate.
    • muthu pavithran
      muthu pavithran almost 6 years
      How do I get that from the iot.eclipse.org website, sir?
    • hardillb
      hardillb almost 6 years
      That is not the full CA chain.
  • muthu pavithran
    muthu pavithran almost 6 years
    Thanks, sir. I will get the certificate and try, and if I find it I will report to you.
  • muthu pavithran
    muthu pavithran almost 6 years
    I got the instructions from the link below for getting the two certificates. Now I need help with how to get DST_Root_CA_X3 and how to use it in my Python: stackoverflow.com/questions/47713143/…
  • hardillb
    hardillb almost 6 years
    The trick will be getting the certs in the right order when you combine them into a single file.
  • muthu pavithran
    muthu pavithran almost 6 years
    Sir, I am having trouble getting the DST_Root_CA_X3 certificate. I copied the file from the cert folder, but it looks like a shortcut in Ubuntu. Please help me out.
  • muthu pavithran
    muthu pavithran almost 6 years
    root@vec123-VirtualBox:/home/vec123/certs# ls
    DST_Root_CA_X3.pem  io.cert1.pem  io.cert.pem
    root@vec123-VirtualBox:/home/vec123/certs# c_rehash
    Doing /usr/lib/ssl/certs
    WARNING: Skipping duplicate certificate ca-certificates.crt
    WARNING: Skipping duplicate certificate ca-certificates.crt
  • Chris Stratton
    Chris Stratton over 5 years
    You should not be using client.tls_insecure_set(True) - if you have to use that, it means you don't actually have the certificates set up right at all, and that this is not an answer to the question, but rather a non-deployable temporary workaround.
  • hardillb
    hardillb over 5 years
    @ChrisStratton yeah I probably should have deleted that line when I cleaned up, but if that line was taking effect then it should not have failed with the error it did (as it would never have checked the remote cert)
  • hardillb
    hardillb over 2 years
    This answer needs a lot more context to be useful. Please edit it to add in way more details.