How to use ssl/tls in paho mqtt using python? I got certificate verify failed

python-3.x ssl-certificate mqtt iot paho
32,542

Solution 1

As thrashed out in the comments.

First, you need to supply the full CA chain to verify the certificate for iot.eclipse.org. As it looks to be using the LetsEncrypt CA you can find the Root and Intermediate certs here

Second, you need to clean up your publisher code.

import time
import paho.mqtt.client as paho
import ssl

#define callbacks
def on_message(client, userdata, message):
  print("received message =",str(message.payload.decode("utf-8")))

def on_log(client, userdata, level, buf):
  print("log: ",buf)

def on_connect(client, userdata, flags, rc):
  print("publishing ")
  client.publish("muthu","muthupavithran",)


client=paho.Client() 
client.on_message=on_message
client.on_log=on_log
client.on_connect=on_connect
print("connecting to broker")
client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt", tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(True)
client.connect("iot.eclipse.org", 8883, 60)

##start loop to process received messages
client.loop_start()
#wait to allow publish and logging and exit
time.sleep(1)

This code uses the on_connect callback to ensure it doesn't try and publish if there is a failure to connect, it also removes the hardcoded client id to to allow the client to use a randomly generated one so it's less likely to clash on a public test broker. The call to client.loop_forever() is also removed as you have already started the network loop and this client doesn't need to run for ever.

Third, you really should not be publishing to $SYS topics, these topics are for the broker to report status, not for general use. Also the iot.eclipse.org broker is for testing, you should not be planning to use this for anything in production.

Solution 2

I had a similar issues in the end I found a library that creates certificate

import certifi

...

client.tls_set(certifi.where())
Share:
32,542

Related videos on Youtube

muthu pavithran
Author by

muthu pavithran

Updated on October 04, 2021

Comments

  • muthu pavithran
    muthu pavithran over 2 years

    I am working on an IOT project. I am using paho MQTT, and I need to use SSL. I wrote publish code using python, but I got an error in "certificate verify failed".

    MY PUBLISHING CODE

    import time
import paho.mqtt.client as paho
import ssl
import certifi
#define callback
def on_message(client, userdata, message):
  time.sleep(1)
  print("received message =",str(message.payload.decode("utf-8")))

client= paho.Client("client-001") 
client.on_message=on_message
print("connecting to broker ",)
client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt", tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(True)
client.connect("iot.eclipse.org", 8883, 60)
def on_log(client, userdata, level, buf):
  print("log: ",buf)#connect
client.loop_start() #start loop to process received messages
print("publishing ")
client.publish("$SYS/muthu","muthupavithran",)#publish
client.on_log=on_log
client.loop_forever()
#client.loop(100)

    MY ERROR IS

    connecting to broker 
Traceback (most recent call last):
  File "C:\Windows\system32\config\systemprofile\Desktop\attachments\publishTEST WITH LOG.py", line 14, in <module>
client.connect("iot.eclipse.org", 8883, 60)
File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 768, in connect
return self.reconnect()
File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 927, in reconnect
sock.do_handshake()
File "C:\Python34\lib\ssl.py", line 810, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

    MY CERTIFICATE IS

    OpenSSL> s_client -showcerts -connect iot.eclipse.org:8883
CONNECTED(00000108)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=iot.eclipse.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgISBMZjyLzHsZWasgIDta0fSCB+MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDIxMzQzMDJaFw0x
ODA5MzAxMzQzMDJaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJceipGv0SJrWNG5cLQMjDpCWFi57bw1
DRM57lbt+g4o/CPOYQJsJxJCDzWBK1kTYzA7udIt6M5LyQikyiMTLBAqkxfGgbul
ErmMfVXtZbqIda1L5L0SYNoVrMsBeqzyXJoC6Hf7nxidzkZkX99JBQBXWnMFycwk
a1uobIKR/RDbsIun62WYXD4q7H8oH4zKvbOGKCZCoBrQIIhKYhxL+UFJuQyUEm4R
9JNyMAetCQglerohRkzvDTVhjSLiOWGDkjDBg9HWEwB1talaQ7fLb7WxfZTmSDTv
CPpI1aGdPwbifvzJS+zX9nbcQavGea/onW8KIAFXxwH6tsyiTwvFzj8CAwEAAaOC
AxgwggMUMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUOuN0Niv8dMef7kpmZSdN2sn0
snUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI
BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6
KXLcpMMM9OVFR/R4AAABZFtya8kAAAQDAEcwRQIhALOwNsLvVmEUlXCZP2IcTemC
uktD+IbcCi9Ndkui59GTAiBuA4iy90SfNeyt/1eHardV7rxMe8DxwCYtBdRrzmh0
sgB3AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABZFtybAQAAAQD
AEgwRgIhAK5rIXo4d8L2muH8pt5V51aLhbs15RzYWdqVxGwcpG/DAiEAmagg9e/c
O2Jsbdz7ZBeEwogOYZvRij2U3VOJA42VADkwDQYJKoZIhvcNAQELBQADggEBAIvc
KIllapMu9oXqZZ1iKo9fMyxVsuLP5Lo6hjJFsZMFoVZQSguGoT9CsFvuw0QeqObg
xbk1y+ZeEaSYI5Gf8iHlGHq4M9zGLLUvPBbCpzy4grQTjFBQvPzH0c7qrWKPYge2
WcCox2ofvBaJ9LSOzc82vqLnkAWwnaLelk3+SlOYcrZP2me6JCQWpSRFec4p/42t
94Yvojgj5RKY6jhA6aNG3AFBSJiwgU36UZ1H3c82L0X/djOQbFGKWFaQ956s2AoY
Dmf+tdtj2AFCM7Ht8YdN6VxWlI/1hctK0TaF/4UrTEJ4n2ChTe9F8EP2exO/VcC7
V/jDTid21vBdhF2mQis=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=iot.eclipse.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3397 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8B1F036E44D23BD9F8CB52355705726639BE769B681154D1448EB4B264EE2F43

Session-ID-ctx:
Master-Key: 538D0967D0732F7A758317E764D2550E3C1330C1192353A89E99C3E66F4B5A51
485BB4ABF8434D23398CF84615DF54CF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d7 03 bf d1 ff 2b f7 6c-1a b3 56 ec 3a dc 8b 19   
.....+.l..V.:...
    0010 - 9d 73 05 08 66 15 f3 bd-46 55 30 a0 1a e1 ca 07   .s..f...FU0.....
    0020 - 06 14 08 43 41 8e 64 1e-55 97 17 be 24 a3 a1 10   ...CA.d.U...$...
    0030 - 51 9b be c0 05 67 81 b9-e2 12 4c 80 bc 42 ed 9d   Q....g....L..B..
    0040 - 89 7a bf 9a 02 1a d6 35-07 39 6d ce 9c 8c dd cf   .z.....5.9m.....
   0050 - e2 0f f4 0f 3b e5 83 ec-2c 8d 54 bc 60 97 a1 c6   ....;...,.T.`...
   0060 - 9c c0 78 e1 1c 28 9f 38-c7 0b d9 7b ad 2a 9e 69   ..x..(.8...{.*.i
0070 - af ef 2f 1b 2d e2 f9 8a-04 7a 6c 88 c8 28 14 8c   ../.-....zl..(..
0080 - ac 7a 11 11 fa 94 0a 63-45 70 e8 a9 3f fb 8d be   .z.....cEp..?...
0090 - df 9e 3c 15 20 6d 48 fe-40 d2 4f 28 58 49 a9 1b   ..<. [email protected](XI..
00a0 - e7 1d de 1e ae f3 bc 57-79 0d e6 f5 5d 93 62 17   .......Wy...].b.

Start Time: 1534843470
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---

    I got this certificate and I tried to install certifi also into python, but still the same error is showing.

    • hardillb
      hardillb almost 6 years
      Any particular reason why you created a new account to ask a new question?
    • muthu pavithran
      muthu pavithran almost 6 years
      no, sir, I cant able to post from that account I am not asking new question I am asking the same question but format what you taught me
    • hardillb
      hardillb almost 6 years
      What is in server iot.crt? It should be the CA chain for the certificate provided by the broker
    • muthu pavithran
      muthu pavithran almost 6 years
      its a certificate sir I got from the server using OpenSSL
    • hardillb
      hardillb almost 6 years
      It needs to be the CA chain, not just the certificate
    • muthu pavithran
      muthu pavithran almost 6 years
      how do I get that from iot.eclipse.org this website sir
    • hardillb
      hardillb almost 6 years
      That is not the full CA chain
  • muthu pavithran
    muthu pavithran almost 6 years
    thanks sir i will get the certificate and i try and if i find it i will report to you
  • muthu pavithran
    muthu pavithran almost 6 years
    i got the instruction from below link for get the two certificate and how i need help in how do i get DST_Root_CA_X3 how to use it in my python stackoverflow.com/questions/47713143/…
  • hardillb
    hardillb almost 6 years
    The trick will be getting the certs in the right order when you combine them into a single file
  • muthu pavithran
    muthu pavithran almost 6 years
    sir i am having trouble to getting DST_Root_CA_X3 certificate i copied file from cert folder its look like shortcut in Ubuntu please help me out
  • muthu pavithran
    muthu pavithran almost 6 years
    root@vec123-VirtualBox:/home/vec123/certs# ls DST_Root_CA_X3.pem io.cert1.pem io.cert.pem root@vec123-VirtualBox:/home/vec123/certs# c_rehash Doing /usr/lib/ssl/certs WARNING: Skipping duplicate certificate ca-certificates.crt WARNING: Skipping duplicate certificate ca-certificates.crt
  • Chris Stratton
    Chris Stratton over 5 years
    You should not be using client.tls_insecure_set(True) - if you have to use that, it means you don't actually have the certificates set up right at all, and that this is not an answer to the question, but rather a non-deployable temporary workaround.
  • hardillb
    hardillb over 5 years
    @ChrisStratton yeah I probably should have deleted that line when I cleaned up, but if that line was taking effect then it should not have failed with the error it did (as it would never have checked the remote cert)
  • hardillb
    hardillb over 2 years
    This answer needs a lot more context to be useful. Please edit it to add in way more details.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

MQTT over websocket in python
How to subscribe to a MQTT topic and print received messages on Eclipse (Java)
CERTIFICATE_VERIFY_FAILED: Hostname mismatch(handshake.cc:352)) for TCP connection on local server
Implementing MQTT using Google cloud pub sub in flutter
Python Paho/MQTT : Detecting Connect error
Horizontally scaling mosquitto broker
Mosquitto 1.4.2 Websocket support
MQTT subscribe client doesn't receive messages after connection
IOT Mosquitto mqtt how to test on localhost
java.io.EOFException with paho