Comments (15)

Mixser avatar Mixser commented on August 26, 2024 2

You don't have the right configuration. The Mosquitto server doesn't know about your certs and can't use them for establishing a connection;

and copied the mosquitto_client.crt and mosquitto_client.key in mosquitto folder.

These mosquitto_client.crt and mosquitto_client.key files are not for the mosquitto server but for the client, and you don't need to copy them to the mosquitto folder.

For the right configuration of the mosquitto server you need to have these certs:

  • CA.crt
  • mosquitto_server.crt
  • mosquitto_server.key

For client:

  • mosquitto_client.crt
  • mosquitto_client.key

After you generate them you need to change mosquitto.conf and set the path to them:

cafile path/to/CA.crt
certfile path/to/mosquitto_server.crt
keyfile path/to/mosquitto_server.key
tls_version tlsv1.2
require_certificate true

Also, you need to provide auth credentials right before you try to connect (because you forbade anonymous connections):

sub_client.set_auth_credentials(username, password)

Please re-read your instructions more carefully and don't skip any steps;

from gmqtt.

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024 1

@Lenka42 and @nicoCalvo could you please take a look and help.

Mixser avatar Mixser commented on August 26, 2024 1

Hi @nitinkothari17

Here is a small instruction on how we made it work.

First of all we need to build a CA key and cert

openssl req -new -x509 -days 1024 -extensions v3_ca -keyout ca.key -out ca.crt

Build a server certificate

Generate server key

openssl genrsa -out server.key 2048

Then we need to create a certificate signing request. When you are asked for a Common Name (e.g. server FQDN or YOUR name) you SHOULD write something there (for example mqtt.server)

openssl req -out server.csr -key server.key -new

The next step is to create a certificate for the server

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1024

Build a client certificate

We need to make the same steps (as for the server crt) for the client:

  • Generate a key
openssl genrsa -out client.key 2048
  • Create a certificate signing request (as I said earlier, you need to write some common name when you are asked)
openssl req -out client.csr -key client.key -new
  • And at the last step we create a certificate for the client
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1024

Configure Mosquitto

Mosquitto needs the next files:

  • ca.crt
  • server.crt
  • server.key

Copy these files to some folder (e.g. /mosquitto/config/certs) and change the mosquitto config file:

cafile /mosquitto/config/certs/ca.crt
keyfile /mosquitto/config/certs/server.key
certfile /mosquitto/config/certs/server.crt

require_certificate true

tls_version tlsv1.3

Be careful, if you use the eclipse-mosquitto image you are not able to use tlsv1.3 (you should use tlsv1.2);
If you want to use 1.3, please use the eclipse-mosquitto:2.0.5-openssl image;

Configure client

To configure the python client you need only two files:

  • client.crt
  • client.key

import ssl
from gmqtt import Client as MQTTClient

client = MQTTClient(client_id='mqttTestClient')

ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
ssl_ctx.load_cert_chain('certs/client.crt', 'certs/client.key')
# because we used a self-signed cert, we need to switch off
# checking of host name
ssl_ctx.check_hostname = False

# set creds if needed
# client.set_auth_credentials('user', 'password')

# inside an async function (gmqtt is asyncio-based)
await client.connect('localhost', 8883, ssl=ssl_ctx)

After doing this I got a working TLS connection to my mosquitto server in docker as well (I also checked with Wireshark that the connection is truly encrypted with TLSv1.3)

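
A hardened version of the client-side context from the instruction above, added here as an example (not code from the gmqtt project or from this thread): it trusts ca.crt so the broker's self-signed chain verifies, keeps hostname checking on, and enforces TLS 1.2 as a floor, which also covers the "Verification error: self signed certificate" reported later in the thread. The certs/ paths, the client id and the broker name "mqtt.server" (the CN chosen in the openssl step) are assumptions.

```python
# Added example, not code from the gmqtt project or from this thread: a client
# SSL context that verifies the broker (the client-side counterpart of
# "require_certificate true"). Paths under certs/ and the broker name
# "mqtt.server" (the CN chosen in the openssl step above) are assumptions.
import ssl
from typing import Optional


def base_client_context() -> ssl.SSLContext:
    # ssl.SSLContext(ssl.PROTOCOL_TLS) as posted starts with verify_mode=CERT_NONE,
    # so the broker certificate is never checked; create_default_context() does not.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as "tls_version tlsv1.2"
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # broker cert CN/SAN must equal the connect() host
    return ctx

def as_posted_context() -> ssl.SSLContext:
    # What the snippet in the thread effectively configures: no broker verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be switched off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def mqtt_client_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    # Trusting the private CA is what makes a cert issued by ca.crt pass instead of
    # failing with "Verification error: self signed certificate"; the client cert/key
    # are presented for mutual TLS. Both calls raise FileNotFoundError on bad paths.
    ctx = base_client_context()
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    # Startup self-check: broker cert verified, hostname checked, TLS >= 1.2.
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

async def connect_mutual_tls(host: str = "mqtt.server", username: Optional[str] = None,
                             password: Optional[str] = None):
    from gmqtt import Client as MQTTClient  # local import: helpers above need no gmqtt
    ctx = mqtt_client_context("certs/ca.crt", "certs/client.crt", "certs/client.key")
    client = MQTTClient(client_id="mqttTestClient")
    if username is not None:  # allow_anonymous false means the broker needs these
        client.set_auth_credentials(username, password)
    await client.connect(host, 8883, ssl=ctx)
    return client
```

Call connect_mutual_tls() from your asyncio code with the same host name the broker certificate was issued for; if the names differ, the handshake fails instead of silently connecting to an unverified broker.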
Mixser avatar Mixser commented on August 26, 2024

@nitinkothari17 Please, provide the config and logs of mosquitto.

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser
mosquitto.conf :

persistence true
allow_anonymous false
password_file passwd

Logs :

  • 1610697316: mosquitto version 1.6.12 starting
  • 1610697316: Config loaded from mosquitto.conf.
  • 1610697316: Opening ipv4 listen socket on port 8883.
  • 1610697316: Opening ipv6 listen socket on port 8883.
  • 1610697316: mosquitto version 1.6.12 running
  • 1610697429: New connection from {ip} on port 8883.
  • 1610697429: New client connected from {ip} as kiwee (p5, c1, k60, u'kiwee').
  • 1610697429: Client kiwee disconnected.

[It disconnected instantly]

If I remove the ssl context, then it works fine with these logs:

  • 1610697249: mosquitto version 1.6.12 starting
  • 1610697249: Config loaded from mosquitto.conf.
  • 1610697249: Opening ipv4 listen socket on port 8883.
  • 1610697249: Opening ipv6 listen socket on port 8883.
  • 1610697249: mosquitto version 1.6.12 running
  • 1610697252: New connection from {ip} on port 8883.
  • 1610697252: New client connected from {ip} as {topic} (p5, c1, k60, u'name').

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser : Thanks for the quick response.

Tried the steps and yes set_auth_credentials is already configured.

Latest logs :

  • 1610699410: mosquitto version 1.6.12 starting
  • 1610699410: Config loaded from mosquitto.conf.
  • 1610699410: Opening ipv4 listen socket on port 8883.
  • 1610699410: Opening ipv6 listen socket on port 8883.
  • 1610699410: Error: Unable to load CA certificates. Check cafile "D:\Project\kiwee_action\mosquitto\certs\ca.crt".
  • 1610699410: OpenSSL Error[0]: error:02FFF002:system library:func(4095):No such file or directory
  • 1610699410: OpenSSL Error[1]: error:20FFF080:BIO routines:CRYPTO_internal:no such file
  • 1610699410: OpenSSL Error[2]: error:0BFFF002:x509 certificate routines:CRYPTO_internal:system lib

But the file is present in the directory; I can see it in PyCharm.

Mixser avatar Mixser commented on August 26, 2024

Did you run mosquitto or your app in docker?

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser Docker, and the logs which I posted earlier were from the mosquitto container.

Please note the docker mosquitto container exited after a few seconds.

Mixser avatar Mixser commented on August 26, 2024

Ok, I see. I need some time to test it on windows + docker. But it seems like you didn't copy the certs into your container (or didn't mount the folder with them);

Please describe how you start the container (full command or which tools do you use) and which image too.

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser Got it working,

Copied the certs like this in the mosquitto docker file:

COPY ./certs/mosquitto_server.crt /mosquitto_server.crt
COPY ./certs/ca.crt /ca.crt
COPY ./certs/mosquitto_server.key /mosquitto_server.key

Now the container is up.
But the topic is not subscribed or even connected now in the main app container.

After the mosquitto container is up, is the code correct, because I didn't encounter any error (mosquitto_client crt and key file):

sub_client = MQTTClient(client_id='test')
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# raw strings so the backslashes in the Windows paths are not read as escape sequences
ssl_context.load_cert_chain(r'D:\Project\kiwee_action\mosquitto\certs\mosquitto_client.crt',
                            keyfile=r'D:\Project\kiwee_action\mosquitto\certs\mosquitto_client.key')
self.assign_callbacks_to_client(sub_client)
logging.info("connecting")
await sub_client.connect(host=config.37c16a79d00a, port=8883, ssl=ssl_context)
return sub_client

Mixser avatar Mixser commented on August 26, 2024

Did you change the path to the certs in the config?
Now it should be like:

cafile /ca.crt
certfile /mosquitto_server.crt
keyfile /mosquitto_server.key
tls_version tlsv1.2
require_certificate true

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser Yep, that's why mosquitto container is running now.

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser I think there is some problem in this code or keys:

After the mosquitto container is up, is the code correct, because I didn't encounter any error (mosquitto_client crt and key file):

sub_client = MQTTClient(client_id='test')
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
ssl_context.load_cert_chain('/mosquitto_client.crt',
                            keyfile='/mosquitto_client.key')
self.assign_callbacks_to_client(sub_client)
logging.info("connecting")
await sub_client.connect(host=config.37c16a79d00a, port=1883, ssl=ssl_context)
return sub_client

I have copied the mosquitto_client crt and key as well in the docker file.

Mixser avatar Mixser commented on August 26, 2024

Okay, give us some time. We will test it with the same env as yours and after that will write how to make it work.

nitinkothari17 avatar nitinkothari17 commented on August 26, 2024

@Mixser I resolved the issue but encountered one more after trying to connect regarding the ca certificate:

  • Verification error: self signed certificate
  • Can't use SSL_get_servername
  • 23564:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-1.1.1g/ssl/record/rec_layer_s3.c:1543:SSL alert number 40
