MQTT certificates verification fails

I've been desperately trying to get my MQTT clients to connect to my MQTT broker, which is set up with a certificate from a CA (Letsencrypt).

To be able to get the CA certificate, I've used the letsencrypt Python command (https://pypi.python.org/pypi/letsencrypt/0.4.1):

./letsencrypt-auto certonly -d www.myserver.com

This has given me:

lrwxrwxrwx 1 root root   41 Mar  6 23:50 cert.pem
lrwxrwxrwx 1 root root   42 Mar  6 23:50 chain.pem
lrwxrwxrwx 1 root root   46 Mar  6 23:50 fullchain.pem
lrwxrwxrwx 1 root root   44 Mar  6 23:50 privkey.pem

I am also using these files for the SSL encryption on my website (apache2), which seems to work just fine, as in my conf file:

SSLCertificateFile /etc/letsencrypt/live/www.server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.server.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

And when I go to my web server, I see the SSL icon, and it works.

Now, when I put these files inside my /etc/mosquitto/mosquitto.conf:

cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem
certfile /etc/letsencrypt/live/www.myserver.com/cert.pem
keyfile /etc/letsencrypt/live/www.myserver.com/privkey.pem

And I was able to start the broker, v1.4.8, fine:

[ ok ] mosquitto is running.

and from the log:

1457462631: mosquitto version 1.4.8 (build date Sun, 14 Feb 2016 15:06:55 +0000) starting

Yet, when I try to subscribe to the test topic (to, well, test) using this command from the client:

mosquitto_sub version 1.4.8 running on libmosquitto 1.4.8.

Running command:

root@titan:~# mosquitto_pub -h www.myserver.com -p 8883 -t test --cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem

It prints on my command line:

Unable to connect (A TLS error occurred.).

A closer look inside the mosquitto.log file reveals:

1463562141: Socket error on client <unknown>, disconnecting.
1463562154: New connection from X.X.X.X on port 8889.

Which gives me surprisingly little information. A Python script I use from a website gives me a little bit more information:

Python script:

import sys
import paho.mqtt.client as mqtt

cert_dir = "/etc/letsencrypt/live/www.server.com/"

# Set by the callbacks once the connection attempt has a result.
run = -1

def on_connect(mqttc, obj, flags, rc):
    global run
    if rc != 0:
        run = rc            # connection refused: record the reason code
    else:
        mqttc.disconnect()  # TLS connection succeeded: nothing more to test

def on_disconnect(mqttc, obj, rc):
    global run
    run = rc

mqttc = mqtt.Client("08-ssl-connect-crt-auth")
# CA bundle first, then the client certificate and key
mqttc.tls_set(cert_dir + "fullchain.pem", cert_dir + "cert.pem", cert_dir + "privkey.pem")
mqttc.on_connect = on_connect
mqttc.on_disconnect = on_disconnect

mqttc.connect("www.server.com", 8889)
while run == -1:
    mqttc.loop()

sys.exit(run)

And this returns:

ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm at a loss here. This makes no sense to me! Any help is appreciated!


ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This suggests that the hostname you are connecting with doesn't match the hostname in the certificate.

With mosquitto_pub try using the --insecure option.

Alternatively, you've not got the right chain of CA certificates and so the server cert can't be verified by the client.
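An added diagnostic, not part of the question or the answer, that separates the two causes the answer gives for "certificate verify failed" using only Python's standard library: it makes a verified handshake with the cafile as the sole trust anchor (the same trust model as mosquitto_pub --cafile), maps OpenSSL's verify code onto hostname mismatch versus incomplete chain, and applies the hostname rule a TLS client uses. The host, port and cafile in the example call are the placeholders from the question.

```python
import socket
import ssl

HOSTNAME_MISMATCH = 62  # OpenSSL X509_V_ERR codes behind the two causes the answer names
CHAIN_ERRORS = {18: "leaf is self-signed", 19: "self-signed cert in chain",
                20: "issuer not found in cafile", 21: "leaf issuer not in cafile"}


def hostname_matches(hostname, dns_names):
    """Name check a TLS client applies (RFC 6125): exact match, or one
    leftmost wildcard label standing for exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[:-len(name[1:])]
            if prefix and "." not in prefix:
                return True
    return False

def classify(verify_code):
    """Map an OpenSSL verify code onto what the broker admin must fix."""
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    if verify_code in CHAIN_ERRORS:
        return "chain-incomplete: " + CHAIN_ERRORS[verify_code]
    return "other: verify code %s" % verify_code

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def diagnose(host, port, cafile):
    """Verified handshake with cafile as the only trust anchor (like
    mosquitto_pub --cafile); returns (verdict, DNS names in the server cert)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", san_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        verdict = classify(getattr(err, "verify_code", None))
    if verdict != "hostname-mismatch":
        return verdict, []  # chain failed: the peer cert was never trusted
    ctx.check_hostname = False  # chain verified, so fetch the cert to list its names
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return verdict, san_dns_names(tls.getpeercert())

if __name__ == "__main__":  # placeholder values from the question; substitute your own
    print(diagnose("www.myserver.com", 8883, "/etc/letsencrypt/live/www.myserver.com/fullchain.pem"))
```

When the verdict is a hostname mismatch, the returned names show which host the certificate was actually issued for; a chain verdict means the cafile does not lead to a trusted root, independent of the name.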