got error when running mosquitto with certificate authentication


Phuc Tran

Feb 15, 2016, 4:08:44 AM
to MQTT
I'm using OpenSSL; below are the steps I performed:
1. Generating the CA certificate
   - openssl req -new -x509 -days 3650 -keyout m2mqtt_ca.key -out m2mqtt_ca.crt
   - openssl genrsa -des3 -out m2mqtt_srv.key 1024
   - openssl req -out m2mqtt_srv.csr -key m2mqtt_srv.key -new
2. Generating a server certificate
   - openssl x509 -req -in m2mqtt_srv.csr -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -CAcreateserial -out m2mqtt_srv.crt -days 3650
3. Configuring mosquitto.conf
   - cafile C:\OpenSSL-Win64\bin\PEM\m2mqtt_ca.crt
   - certfile C:\OpenSSL-Win64\bin\PEM\m2mqtt_srv.crt
   - keyfile C:\OpenSSL-Win64\bin\PEM\m2mqtt_srv.key
   - tls_version tlsv1.2
4. Starting Mosquitto
   mosquitto -p 8883 -v -c mosquitto.conf
5. Starting a subscriber
   mosquitto_sub -h 192.168.1.28 -p 8883 -q 1 -t topic --cafile C:\OpenSSL-Win64\bin\PEM\m2mqtt_ca.crt
   I got the error below:
           1455525838: New connection from 192.168.1.28 on port 8883.
           1455525838: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
           1455525838: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
           1455525838: Socket error on client <unknown>, disconnecting.
Thanks for all responses, please help.

Roger Light

Feb 15, 2016, 4:58:49 PM
to mq...@googlegroups.com
Hi Phuc,

From what I've seen with other people, a common problem is using the
same certificate details in the server as in the CA certificate.

Cheers,

Roger

Roger Light

Feb 15, 2016, 5:01:39 PM
to mq...@googlegroups.com
Hi Phuc,

The other thing that you could try is using the openssl client to get
more information, something like:

openssl s_client -connect host:port -CAfile C:\OpenSSL-Win64\bin\PEM\m2mqtt_ca.crt

Cheers,

Roger
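Roger's two hints, worked through as an added example that is not code from the thread or from the Mosquitto project: the script below runs the certificate steps from the first post non-interactively (RSA 2048 instead of 1024, unencrypted keys, subjects passed with -subj) and then performs the pre-flight checks a broker operator would run before starting mosquitto: that cafile and certfile carry different subjects, that certfile verifies against cafile (the same verdict a connecting client, or openssl s_client, reaches), and that keyfile belongs to certfile. The working directory, file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Mosquitto project.
# It scripts the CA/server certificate steps from the first post and then
# runs the pre-flight checks a broker operator wants before pointing
# cafile/certfile/keyfile at the files. Subjects, file names and the
# working directory are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# make_ca DIR SUBJECT: self-signed CA (unencrypted key, to keep the demo non-interactive)
make_ca() {
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -subj "$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_server DIR SUBJECT: server key + CSR, then a certificate signed by the CA in DIR
make_server() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$2" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 3650 -out "$1/srv.crt" 2>/dev/null
}

# build_pair NAME CA_SUBJECT SERVER_SUBJECT: one CA + server pair under $WORK/NAME
build_pair() {
    mkdir -p "$WORK/$1"
    make_ca "$WORK/$1" "$2"
    make_server "$WORK/$1" "$3"
}

# subject_of CERT: the certificate's subject line
subject_of() { openssl x509 -noout -subject -in "$1"; }

# same_subject CA CERT: true when both certificates carry the same subject,
# the mistake Roger points at. A leaf whose issuer name equals its own subject
# and that carries no authority key identifier is treated by OpenSSL as
# self-signed, so the client stops chain building at the leaf, cannot find it
# in its trust store, and sends the "unknown ca" alert seen in the broker log.
same_subject() { [ "$(subject_of "$1")" = "$(subject_of "$2")" ]; }

# verify_chain CA CERT: prints OK or FAIL, the verdict a TLS client reaches
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# key_matches CERT KEY: true when the private key belongs to the certificate
key_matches() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# preflight DIR: the three checks to run before starting the broker; non-zero on any failure
preflight() {
    ca="$1/ca.crt"; crt="$1/srv.crt"; key="$1/srv.key"; rc=0
    if same_subject "$ca" "$crt"; then
        echo "FAIL  cafile and certfile share a subject: $(subject_of "$ca")"; rc=1
    else
        echo "ok    CA and server subjects differ"
    fi
    if [ "$(verify_chain "$ca" "$crt")" = OK ]; then
        echo "ok    certfile verifies against cafile"
    else
        echo "FAIL  certfile does not verify against cafile (clients will alert 'unknown ca')"; rc=1
    fi
    if key_matches "$crt" "$key"; then
        echo "ok    keyfile matches certfile"
    else
        echo "FAIL  keyfile does not match certfile"; rc=1
    fi
    return $rc
}

demo() {
    build_pair good "/CN=m2mqtt demo CA" "/CN=192.168.1.28"   # distinct subjects
    build_pair bad  "/CN=phuc"           "/CN=phuc"           # identical subjects (constructed)
    echo "== distinct subjects =="; preflight "$WORK/good" || true
    echo "== identical subjects =="; preflight "$WORK/bad" || true
}

demo
```

Run it with sh; set WORK to keep the generated files and point the broker's cafile, certfile and keyfile at the "good" pair. The line "No client certificate CA names sent" that appears later in the thread is printed by openssl s_client whenever the server does not request a client certificate, which is what a listener without require_certificate does, so it is not itself an error.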

Phuc Tran

Feb 15, 2016, 9:15:06 PM
to MQTT, ro...@atchoo.org
Hi Roger,

Thank you for your response. I replaced m2mqtt_ca.crt with m2mqtt_ca.der when executing the mosquitto_sub command and got the error below on the server side:

 New connection from 192.168.1.28 on port 8883.
 OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
 Socket error on client <unknown>, disconnecting.
And the client-side error:
 Unable to connect (A TLS error occurred.)

The error (OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca) is resolved.
I don't have experience with OpenSSL authentication; could you please tell me more details? I used the link below to configure it. It worked well for them, whereas I got this issue. Please take a look:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker

Thanks,
Phuc

Phuc Tran

Feb 16, 2016, 1:14:19 AM
to MQTT, ro...@atchoo.org
Hi Roger

I tested "openssl s_client -connect 192.168.1.28:8883" and got the result below:

C:\OpenSSL-Win32\bin>openssl s_client -connect 192.168.1.28:8883
CONNECTED(000000F4)
....
verify error:num=18:self signed certificate
verify return:1
....
verify return:1
---
Certificate chain
 0 s:....
   i:...
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8jCCAdoCCQCCW5ylsDVc5DANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJT
RzESMBAGA1UECAwJU2luZ2Fwb3JlMQswCQYDVQQHDAJTRzEMMAoGA1UECgwDTkNT
MQwwCgYDVQQLDANOQ1MxDTALBgNVBAMMBHBodWMxIjAgBgkqhkiG9w0BCQEWE3Bo
dWN0cmFuQG5jcy5jb20uc2cwHhcNMTYwMjE1MDgzMjU0WhcNMjYwMjEyMDgzMjU0
WjB9MQswCQYDVQQGEwJTRzESMBAGA1UECAwJU2luZ2Fwb3JlMQswCQYDVQQHDAJT
RzEMMAoGA1UECgwDTkNTMQwwCgYDVQQLDANOQ1MxDTALBgNVBAMMBHBodWMxIjAg
BgkqhkiG9w0BCQEWE3BodWN0cmFuQG5jcy5jb20uc2cwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMIzApW40RL7E6D30w5C8YwkaiF9vVe+8VajpkPSQjk3TMWR
BIda//+IQC++Wk4C3biiOk1DFyED3B+XrPmLi1y9U1P0cS2jxTvCg2+euNTojgnH
1qdZ7md7eDhSDhct9MLUkMuEXuMLWntfJqZM5vrE3iYtW7rMRq77jeWxXrK1AgMB
AAEwDQYJKoZIhvcNAQELBQADggEBAG55HMT2g1ewE4PvW1V6GYqUejwo3lhw7d+4
rxgo+wdJnVZTyj7W4c0tcpNSeNIwLylVCqINyoe49USJcJYNAGJBBQkV6fJ1FFaE
7Xai2jtMDlSshMFMYRinuep3HY02qgE0E+wBszKAftc4PraYG9Nxsv6fW876+3oH
YSQx3eJ4TER1GXV21OwlKPXTdwVKqRBbdMTKuFA2Fdrpu03lh3U7thhytOncYZnB
GfFumTr9p50InnoErIKsq8I8rZyirRWYw79JjJItkm2oUAcmKrCv5CjqBFSO76gM
Oq8gsojjBLP7QWsWy9RKmo/i6Eu6hO0WfGsi2LwlDtycd1aK7j4=
-----END CERTIFICATE-----
subject=...
issuer=...
---
No client certificate CA names sent
---
SSL handshake has read 1087 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 86F2EDE7B4A4105BACCADC263777357397C262E046694486BFF1A1AF659AAA97
    Session-ID-ctx:
    Master-Key: 33E7E330B27BC00440E075ADDE5EAC6962BE3B94600CF13EBF7000B651EB9625D2B2C1FC067532A82D8DEC764C1D1B35
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 47 8b e6 ae 35 06 19 39-d6 36 86 f1 8c e6 3a 15   G...5..9.6....:.
    0010 - 4c db 3e 44 64 42 68 e3-3b 5d 66 f7 4d dd 19 0e   L.>DdBh.;]f.M...
    0020 - 47 fc d7 a1 98 d3 8e e8-11 7a 75 fd 7c 18 9e 4b   G........zu.|..K
    0030 - 64 35 67 8c 3d e2 10 a7-a1 84 68 a9 13 fc 18 42   d5g.=.....h....B
    0040 - ad 5c 2e 58 6f f0 d9 b2-bb 71 00 7e 46 7c d3 52   .\.Xo....q.~F|.R
    0050 - 91 47 fb af 43 ee ce 8b-d1 08 45 10 7c 8a 2c 94   .G..C.....E.|.,.
    0060 - 1f bd eb 2e 73 06 df 9b-c2 16 82 1c c3 2d 43 8c   ....s........-C.
    0070 - b8 b4 dc 01 51 fd e2 09-05 24 be ba 37 6c 90 08   ....Q....$..7l..
    0080 - a7 13 72 22 78 10 21 46-19 e4 41 5f 36 5b 73 e9   ..r"x.!F..A_6[s.
    0090 - 59 87 37 30 69 ad bf bb-12 86 a8 72 d6 05 a2 a8   Y.70i......r....
    00a0 - ec 65 a9 8b 12 3c 5a 57-fc b1 4a 45 cc 8f 27 a8   .e...<ZW..JE..'.

    Start Time: 1455602976
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Phuc Tran

Feb 16, 2016, 1:34:28 AM
to MQTT, ro...@atchoo.org
I checked my test client message and found "No client certificate CA names sent". I think that is the problem why I got "unknown client".

Marie

Oct 24, 2016, 10:24:13 PM
to MQTT, ro...@atchoo.org
Hi Phuc,

I met exactly the same error as you. Did you find a way to solve the "No client certificate CA names sent"?

Thanks,
Marie

Pravallika Kolisetty

Jun 20, 2017, 4:39:38 AM
to MQTT, ro...@atchoo.org
Hi Phuc,

I am also facing the same error, as you mentioned:

I'm using OpenSSL; below are the steps I performed:
1. Generating the CA certificate
   - openssl req -new -x509 -days 3650 -keyout m2mqtt_ca.key -out m2mqtt_ca.crt
   - openssl genrsa -des3 -out m2mqtt_srv.key 1024
   - openssl req -out m2mqtt_srv.csr -key m2mqtt_srv.key -new
2. Generating a server certificate
   - openssl x509 -req -in m2mqtt_srv.csr -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -CAcreateserial -out m2mqtt_srv.crt -days 3650
3. Configuring mosquitto.conf
   - cafile C:\OpenSSL-Win64\bin\PEM\m2mqtt_ca.crt
   - certfile C:\OpenSSL-Win64\bin\PEM\m2mqtt_srv.crt
   - keyfile C:\OpenSSL-Win64\bin\PEM\m2mqtt_srv.key
   - tls_version tlsv1.2
4. Starting Mosquitto
   mosquitto -p 8883 -v -c mosquitto.conf
5. Starting a subscriber
   mosquitto_sub -h 192.168.1.28 -p 8883 -q 1 -t topic --cafile C:\OpenSSL-Win64\bin\PEM\m2mqtt_ca.crt
   I got the error below:
           1455525838: New connection from 192.168.1.28 on port 8883.
           1455525838: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
           1455525838: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
           1455525838: Socket error on client <unknown>, disconnecting

Is the issue resolved? Please tell me how it was resolved.

Regards,
Pravallika. 

sapnas...@gmail.com

Apr 5, 2019, 7:27:15 AM
to MQTT
Please help me solve this issue:

1554463056: mosquitto version 1.4.15 (build date 2018-05-05 12:54:33+0000) starting
1554463056: Config loaded from /etc/mosquitto/mosquitto.conf.
1554463056: Opening ipv4 listen socket on port 8883.
1554463056: Opening ipv6 listen socket on port 8883.
1554463069: New connection from ::1 on port 8883.
1554463069: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1554463069: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1554463069: Socket error on client <unknown>, disconnecting.
1554463122: New connection from ::1 on port 8883.
1554463122: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1554463122: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1554463122: Socket error on client <unknown>, disconnecting.
1554463499: New connection from ::1 on port 8883.
1554463588: Client <unknown> has exceeded timeout, disconnecting.

sapna singh

Apr 8, 2019, 5:09:07 AM
to mq...@googlegroups.com
Hello team,
Please help me implement SSL for MQTT.

I have tried both self-signed and CA-signed certificates, but with no success.

Please suggest.



Shrity Roy

Jul 31, 2020, 8:01:50 AM
to MQTT
Hi everyone.
Is this issue resolved? I request somebody to help me with this. I have been stuck with this issue for some time now.

