Comments (15)
You don't have the right configuration. The Mosquitto server doesn't know about your certs and can't use them to establish a connection;
and copied the mosquitto_client.crt and mosquitto_client.key into the mosquitto folder.
These mosquitto_client.crt and mosquitto_client.key files are not for the mosquitto server but for the client, and you don't need to copy them to the mosquitto folder.
For the right configuration of the mosquitto server you need to have these certs:
- CA.crt
- mosquitto_server.crt
- mosquitto_server.key
For client:
- mosquitto_client.crt
- mosquitto_client.key
After you generate them you need to change mosquitto.conf and set the paths to them:
cafile path/to/CA.crt
certfile path/to/mosquitto_server.crt
keyfile path/to/mosquitto_server.key
tls_version tlsv1.2
require_certificate true
Also, you need to provide auth credentials right before you try to connect (because you have forbidden anonymous connections):
sub_client.set_auth_credentials(username, password)
Please re-read your instructions more carefully and don't skip any steps;
from gmqtt.
@Lenka42 and @nicoCalvo could you please take a look and help.
Here is a small instruction on how we made it work.
First of all we need to build a CA key and cert
openssl req -new -x509 -days 1024 -extensions v3_ca -keyout ca.key -out ca.crt
Build a server certificate
Generate a server key
openssl genrsa -out server.key 2048
Then we need to create a certificate signing request. When you are asked for a Common Name (e.g. server FQDN or YOUR name) you SHOULD write something there (for example mqtt.server)
openssl req -out server.csr -key server.key -new
The next step is to create a certificate for the server
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1024
Build a client certificate
We need to make the same steps (as for the server crt) for the client:
- Generate a key
openssl genrsa -out client.key 2048
- Create a certificate signing request (as I said earlier, you need to write some common name when you are asked)
openssl req -out client.csr -key client.key -new
- And at the last step we create a certificate for the client
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1024
Configure Mosquitto
Mosquitto needs the following files:
- ca.crt
- server.crt
- server.key
Copy these files to some folder (e.g. /mosquitto/config/certs) and change the mosquitto config file:
cafile /mosquitto/config/certs/ca.crt
keyfile /mosquitto/config/certs/server.key
certfile /mosquitto/config/certs/server.crt
require_certificate true
tls_version tlsv1.3
Be careful: if you use the eclipse-mosquitto image you are not able to use tlsv1.3 (you should use tlsv1.2);
if you want to use 1.3, please use the eclipse-mosquitto:2.0.5-openssl image;
Configure client
To configure the python client you need only two files:
- client.crt
- client.key
import asyncio
import ssl

from gmqtt import Client as MQTTClient

async def main():
    client = MQTTClient(client_id='mqttTestClient')
    ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ssl_ctx.load_cert_chain('certs/client.crt', 'certs/client.key')
    # because we used a self-signed cert, we need to switch off
    # checking of host name
    ssl_ctx.check_hostname = False
    # note: a context created this way has verify_mode=CERT_NONE, so the server cert is not verified either
    # set creds if needed
    # client.set_auth_credentials('user', 'password')
    await client.connect('localhost', 8883, ssl=ssl_ctx)

asyncio.run(main())
After doing this I got a working TLS connection to my mosquitto server in docker as well (I also checked with Wireshark that the connection is truly encrypted with TLSv1.3)
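The certificate steps in the comment above, as an added shell example that is not part of the thread or of gmqtt: the script builds the same CA, server and client set non-interactively and then checks with openssl verify, plus a key/cert public-key match, that both leaf certificates really chain to ca.crt before anything is copied into the broker container. The output directory, the broker hostname mqtt.server (placed in a SAN) and the CN values are assumptions.

```shell
#!/bin/sh
# Added example, not from the gmqtt thread: build a CA plus a server and a client
# certificate that both chain to that CA, then verify the chain offline before the
# files go anywhere near the broker container. Assumptions: output directory $1,
# broker hostname $2 (default mqtt.server, placed in a SAN so the client can keep
# hostname checking on), 1024-day validity as used in the thread.
set -eu

# Sign $dir/$name.csr with the CA, applying the extensions in $dir/$name.ext.
sign_with_ca() {
    dir=$1 name=$2
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1024 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

make_mtls_certs() {
    dir=$1 host=${2:-mqtt.server}
    mkdir -p "$dir"
    # The CA is the only self-signed certificate in the set; a leaf produced with
    # "req -x509" instead of a CA-signed one is what the broker rejects as
    # "self signed certificate" when require_certificate is on.
    openssl req -new -x509 -days 1024 -nodes -newkey rsa:2048 -subj "/CN=Test MQTT CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    # -subj replaces the interactive Common Name prompt mentioned in the thread
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    sign_with_ca "$dir" server
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mqtt-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    sign_with_ca "$dir" client
}

# Return 0 only if each leaf chains to ca.crt and its private key matches the cert,
# i.e. the checks the broker and the client will perform during the handshake.
verify_mtls_certs() {
    dir=$1
    for name in server client; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null || return 1
        [ "$(openssl x509 -noout -pubkey -in "$dir/$name.crt")" = \
          "$(openssl pkey -pubout -in "$dir/$name.key")" ] || return 1
    done
}

# Usage: sh make_mtls_certs.sh ./certs mqtt.server
if [ $# -ge 1 ]; then
    make_mtls_certs "$1" "${2:-mqtt.server}" && verify_mtls_certs "$1" && echo "certificates in $1 verified"
fi
```

Because the server certificate carries a subjectAltName, a client that loads ca.crt with verify_mode=CERT_REQUIRED can connect to mqtt.server with check_hostname left on instead of disabling it.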
@nitinkothari17 Please, provide the config and logs of mosquitto.
@Mixser
mosquitto.conf:
persistence true
allow_anonymous false
password_file passwd
Logs:
- 1610697316: mosquitto version 1.6.12 starting
- 1610697316: Config loaded from mosquitto.conf.
- 1610697316: Opening ipv4 listen socket on port 8883.
- 1610697316: Opening ipv6 listen socket on port 8883.
- 1610697316: mosquitto version 1.6.12 running
- 1610697429: New connection from {ip} on port 8883.
- 1610697429: New client connected from {ip} as kiwee (p5, c1, k60, u'kiwee').
- 1610697429: Client kiwee disconnected.
[It disconnected instantly]
If I remove the ssl context, then it works fine with these logs:
- 1610697249: mosquitto version 1.6.12 starting
- 1610697249: Config loaded from mosquitto.conf.
- 1610697249: Opening ipv4 listen socket on port 8883.
- 1610697249: Opening ipv6 listen socket on port 8883.
- 1610697249: mosquitto version 1.6.12 running
- 1610697252: New connection from {ip} on port 8883.
- 1610697252: New client connected from {ip} as {topic} (p5, c1, k60, u'name').
@Mixser : Thanks for the quick response.
Tried the steps and yes, set_auth_credentials is already configured.
Latest logs:
- 1610699410: mosquitto version 1.6.12 starting
- 1610699410: Config loaded from mosquitto.conf.
- 1610699410: Opening ipv4 listen socket on port 8883.
- 1610699410: Opening ipv6 listen socket on port 8883.
- 1610699410: Error: Unable to load CA certificates. Check cafile "D:\Project\kiwee_action\mosquitto\certs\ca.crt".
- 1610699410: OpenSSL Error[0]: error:02FFF002:system library:func(4095):No such file or directory
- 1610699410: OpenSSL Error[1]: error:20FFF080:BIO routines:CRYPTO_internal:no such file
- 1610699410: OpenSSL Error[2]: error:0BFFF002:x509 certificate routines:CRYPTO_internal:system lib
But the file is present in the directory, I can see it in PyCharm.
Did you run mosquitto or your app in docker?
@Mixser Docker, and the logs which I posted earlier were from the mosquitto container.
Please note the docker mosquitto container exited after a few seconds.
Ok, I see. I need some time to test it on windows + docker. But it seems like you didn't copy the certs into your container (or didn't mount the folder with them);
Please describe how you start the container (full command or which tools you use) and which image too.
@Mixser Got it working,
Copied the config like this in the mosquitto docker file:
COPY ./certs/mosquitto_server.crt /mosquitto_server.crt
COPY ./certs/ca.crt /ca.crt
COPY ./certs/mosquitto_server.key /mosquitto_server.key
now the container is up.
But the topic is not subscribed or even connected now in the main app container.
After the mosquitto container is up, is the code correct? Because I didn't encounter any error (mosquitto_client crt and key file)
import logging
import ssl

from gmqtt import Client as MQTTClient

# fragment of an async method in the reporter's app; the method name is a placeholder
async def connect_subscriber(self):
    sub_client = MQTTClient(client_id='test')
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    # raw strings so the Windows backslashes are not read as escape sequences
    ssl_context.load_cert_chain(r'D:\Project\kiwee_action\mosquitto\certs\mosquitto_client.crt',
                                keyfile=r'D:\Project\kiwee_action\mosquitto\certs\mosquitto_client.key')
    self.assign_callbacks_to_client(sub_client)
    logging.info("connecting")
    # host attribute as posted (the name is garbled on the page)
    await sub_client.connect(host=config.37c16a79d00a, port=8883, ssl=ssl_context)
    return sub_client
Did you change the paths to the certs in the config?
Now it should be like:
cafile /ca.crt
certfile /mosquitto_server.crt
keyfile /mosquitto_server.key
tls_version tlsv1.2
require_certificate true
@Mixser Yep, that's why mosquitto container is running now.
@Mixser I think there is some problem in this code or the keys:
After the mosquitto container is up, is the code correct? Because I didn't encounter any error (mosquitto_client crt and key file)
import logging
import ssl

from gmqtt import Client as MQTTClient

# fragment of an async method in the reporter's app; the method name is a placeholder
async def connect_subscriber(self):
    sub_client = MQTTClient(client_id='test')
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    ssl_context.load_cert_chain('/mosquitto_client.crt',
                                keyfile='/mosquitto_client.key')
    self.assign_callbacks_to_client(sub_client)
    logging.info("connecting")
    # host attribute as posted (the name is garbled on the page)
    await sub_client.connect(host=config.37c16a79d00a, port=1883, ssl=ssl_context)
    return sub_client
I have copied the mosquitto_client crt and key as well in the docker file.
Okay, give us some time. We will test it with the same env as yours and after that will write how to make it work.
@Mixser I resolved the issue but encountered one more after trying to connect regarding the ca certificate:
- Verification error: self signed certificate
- Can't use SSL_get_servername
- 23564:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-1.1.1g/ssl/record/rec_layer_s3.c:1543:SSL alert number 40