MQTT certificate verification fails
ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This suggests that the hostname you are connecting with doesn't match the hostname in the certificate.
With mosquitto_pub, try using the --insecure option.
Alternatively, you've not got the right chain of CA certificates and so the server cert can't be verified by the client.
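As an added example (not part of the original answer), a small Python probe that does the two verifications the answer names separately, first chain validation against a CA file or the system trust store, then hostname validation, so you can see which one actually fails instead of switching both off with --insecure. The host name, port and CA file path are assumptions; the OpenSSL verify codes are real.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes behind the answer's "wrong chain of CA certificates"
CHAIN_ERRORS = {
    2: "issuer of a chain member not found (CA file holds intermediates, no root)",
    10: "certificate has expired",
    19: "self-signed root of the chain is not in the trust store",
    20: "issuer certificate not found locally (wrong or missing CA file)",
}
HOSTNAME_MISMATCH = 62  # X509_V_ERR_HOSTNAME_MISMATCH: the answer's first cause

def make_context(cafile=None, check_hostname=True):
    """Chain verification is always on; the hostname check is switchable only
    so the two failure modes can be told apart (never ship check_hostname=False)."""
    ctx = ssl.create_default_context(cafile=cafile)  # None -> system trust store
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def explain(verify_code):
    """Map SSLCertVerificationError.verify_code onto the fix to apply."""
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname mismatch: connect with a name covered by the cert's SAN"
    if verify_code in CHAIN_ERRORS:
        return "chain problem: " + CHAIN_ERRORS[verify_code]
    return "verification failed with X509 verify code %d" % verify_code

def probe(host, port, cafile=None):
    """Handshake twice (chain only, then chain + hostname); return {step: outcome}."""
    result = {}
    for step, check in (("chain", False), ("hostname", True)):
        ctx = make_context(cafile, check_hostname=check)
        try:
            with socket.create_connection((host, port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result[step] = "ok (%s)" % tls.version()
        except ssl.SSLCertVerificationError as e:
            result[step] = explain(e.verify_code)
            break  # no point checking the hostname if the chain already fails
        except OSError as e:  # ssl.SSLError is an OSError subclass
            result[step] = "connection or TLS error: %s" % e
            break
    return result

if __name__ == "__main__":  # usage: mqtt_tls_probe.py www.myserver.com 8883 [ca.pem]
    host, port, ca = sys.argv[1], int(sys.argv[2]), (sys.argv[3:] or [None])[0]
    for step, outcome in probe(host, port, ca).items():
        print("%-8s %s" % (step, outcome))
```

If the "chain" step passes and only "hostname" fails, the certificate is fine and the client simply needs to connect using a name the certificate covers (for a wildcard cert, a name under that domain, not the bare IP); if "chain" fails, fix the CA file rather than the hostname.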
user5740843
Updated on September 18, 2022
Comments
-
user5740843 over 1 year
I've been desperately trying to get my MQTT clients to connect to my MQTT broker, which is set up with a certificate from a CA (Letsencrypt).
To be able to get the CA certificate, I've used the letsencrypt python command (https://pypi.python.org/pypi/letsencrypt/0.4.1)
./letsencrypt-auto certonly -d www.myserver.com
This has given me:
lrwxrwxrwx 1 root root 41 Mar 6 23:50 cert.pem
lrwxrwxrwx 1 root root 42 Mar 6 23:50 chain.pem
lrwxrwxrwx 1 root root 46 Mar 6 23:50 fullchain.pem
lrwxrwxrwx 1 root root 44 Mar 6 23:50 privkey.pem
I am also using these files for the SSL encryption on my website (apache2), which seems to work just fine, as in my conf file:
SSLCertificateFile /etc/letsencrypt/live/www.server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.server.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
And when going on my webserver, I see the SSL icon, and it works.
Now, when I put these files inside my /etc/mosquitto/mosquitto.conf:
cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem
certfile /etc/letsencrypt/live/www.myserver.com/cert.pem
keyfile /etc/letsencrypt/live/www.myserver.com/privkey.pem
And I was able to start the broker, v1.4.8 fine:
[ ok ] mosquitto is running.
and from the log:
1457462631: mosquitto version 1.4.8 (build date Sun, 14 Feb 2016 15:06:55 +0000) starting
Yet, when I try to subscribe to the test topic, to, well, test, using this command from the client:
mosquitto_sub version 1.4.8 running on libmosquitto 1.4.8.
Running command:
root@titan:~# mosquitto_pub -h www.myserver.com -p 8883 -t test --cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem
It mentions in my command line:
Unable to connect (A TLS error occurred.).
A closer look inside the mosquitto.log file reveals:
1463562141: Socket error on client <unknown>, disconnecting.
1463562154: New connection from X.X.X.X on port 8889.
Which gives me surprisingly little information. A python script I use from a website gives me a little bit more information;
Python script:
import os, subprocess, socket, sys, time, struct
import paho.mqtt.client as mqtt

# Directory holding the Letsencrypt files (same files as the broker config)
dir = "/etc/letsencrypt/live/www.server.com/"

def on_connect(mqttc, obj, flags, rc):
    # rc != 0 means the broker refused the connection
    if rc != 0:
        sys.exit(rc)
    else:
        mqttc.disconnect()

def on_disconnect(mqttc, obj, rc):
    # record the disconnect reason so the loop below can exit
    global run
    run = rc

run = -1
mqttc = mqtt.Client("08-ssl-connect-crt-auth", run)
# tls_set(ca_certs, certfile, keyfile)
mqttc.tls_set(dir + "fullchain.pem", dir + "cert.pem", dir + "privkey.pem")
mqttc.on_connect = on_connect
mqttc.on_disconnect = on_disconnect
mqttc.connect("www.server.com", 8889)
while run == -1:
    mqttc.loop()
sys.exit(run)
And this returns me:
ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I'm at a loss here. This makes no sense to me! Any help is appreciated!
-
kodybrown over 6 years
Using mosquitto_pub --insecure ... helped us figure out what was going on with our situation. We are using a wildcard certificate, so the hostname doesn't match. I'm not sure how to ensure we're talking to the correct server now, though? Also, on some clients (Windows docker/moby) mosquitto_pub works (without --secure), while on some clients it doesn't work (Raspbian, Fedora).