Copyright © https://mongoose-os.com

Mongoose OS Forum


MQTT + certificate based client authentication

Hello,

I'm struggling to get certificate based authentication to work between my Mosquitto MQTT broker and mongoose-os (on ESP8266).

I use EasyRSA to create my own CA and to generate a server certificate (for the MQTT broker) and a client certificate (for my mongoose-os client). I get a "The certificate is not correctly signed by the trusted CA" error on the ESP8266. When using the same client certificate in conjunction with mosquitto_sub it works fine...

See attached files for console output and testing with openssl.

Anyone have any ideas on what to do?

Note: 'mqtt.visbyjacobsen.dk' resolves to a private IP address, 192.168.2.10.

Regards,
Michael

====== EasyRSA-3.0.3 (on Ubuntu Server 16.04) ======
OpenSSL 1.0.2g 1 Mar 2016

./easyrsa --subject-alt-name=DNS:mqtt.visbyjacobsen.dk,IP:192.168.2.10 build-server-full mqtt.visbyjacobsen.dk nopass
./easyrsa build-client-full client001 nopass

====== On my MQTT broker ======
With IP address:
mosquitto_sub -h 192.168.2.10 -p 8883 -d -t "#" --cafile ca.crt --cert client001.crt --key client001.key
Client mosqsub/20056-broker sending CONNECT
Client mosqsub/20056-broker received CONNACK
Client mosqsub/20056-broker sending SUBSCRIBE (Mid: 1, Topic: #, QoS: 0)
Client mosqsub/20056-broker received SUBACK
Subscribed (mid: 1): 0
...

With FQDN:
mosquitto_sub -h mqtt.visbyjacobsen.dk -p 8883 -d -t "#" --cafile ca.crt --cert client001.crt --key client001.key
Client mosqsub/20062-broker sending CONNECT
Client mosqsub/20062-broker received CONNACK
Client mosqsub/20062-broker sending SUBSCRIBE (Mid: 1, Topic: #, QoS: 0)
Client mosqsub/20062-broker received SUBACK
Subscribed (mid: 1): 0
...

====== Mosquitto config (parts of it) ======
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/mqtt.visbyjacobsen.dk.crt
keyfile /etc/mosquitto/certs/mqtt.visbyjacobsen.dk.key
require_certificate true
use_identity_as_username true

====== mos.yml (parts of it) ======
config_schema:
- ["app", "o", {title: "My app custom settings"}]
- ["wifi.ap.enable", false]
- ["wifi.sta.enable", true]
- ["wifi.sta.ssid", "n/a"]
- ["wifi.sta.pass", "n/a"]
- ["mqtt.server", "mqtt.visbyjacobsen.dk:8883"]
- ["mqtt.enable", true]
- ["mqtt.client_id", "client001"]
- ["mqtt.ssl_ca_cert", "ca.crt"]
- ["mqtt.ssl_cert", "client.crt"]
- ["mqtt.ssl_key", "client.key"]
- ["debug.mbedtls_level", 5]
- ["debug.level", 3]

Comments

  • Sergey (Dublin, Ireland)

    add the correct CA to the ca.pem

  • Already tried that, same situation. But since I specify ["mqtt.ssl_ca_cert", "ca.crt"], why would ca.pem come into play? Also, the console output shows no attempt to access ca.pem.

    Content of my ca.crt is simply this:

  • Full config (pulled from the ESP8266):

    {
      "sntp": {
        "enable": true,
        "server": "pool.ntp.org",
        "retry_min": 1,
        "retry_max": 30,
        "update_interval": 7200
      },
      "device": {
        "id": "client001",
        "password": ""
      },
      "debug": {
        "udp_log_addr": "",
        "mbedtls_level": 5,
        "level": 3,
        "filter": "",
        "stdout_uart": 0,
        "stderr_uart": 0,
        "factory_reset_gpio": -1,
        "mg_mgr_hexdump_file": "",
        "stdout_topic": "",
        "stderr_topic": ""
      },
      "sys": {
        "mount": {
          "path": "",
          "dev_type": "",
          "dev_opts": "",
          "fs_type": "",
          "fs_opts": ""
        },
        "wdt_timeout": 30
      },
      "conf_acl": "*",
      "mqtt": {
        "enable": true,
        "server": "mqtt.visbyjacobsen.dk:8883",
        "client_id": "client001",
        "user": "client001",
        "pass": "",
        "reconnect_timeout_min": 2,
        "reconnect_timeout_max": 60,
        "ssl_cert": "client.crt",
        "ssl_key": "client.key",
        "ssl_ca_cert": "ca.crt",
        "ssl_cipher_suites": "",
        "ssl_psk_identity": "",
        "ssl_psk_key": "",
        "clean_session": true,
        "keep_alive": 60,
        "will_topic": "",
        "will_message": ""
      },
      "rpc": {
        "enable": true,
        "max_frame_size": 4096,
        "max_queue_length": 25,
        "default_out_channel_idle_close_timeout": 10,
        "acl_file": "",
        "auth_domain": "",
        "auth_file": "",
        "ws": {
          "enable": true,
          "server_address": "",
          "reconnect_interval_min": 1,
          "reconnect_interval_max": 60,
          "ssl_server_name": "",
          "ssl_ca_file": "",
          "ssl_client_cert_file": ""
        },
        "uart": {
          "uart_no": 0,
          "baud_rate": 115200,
          "fc_type": 2,
          "wait_for_start_frame": true
        }
      },
      "wifi": {
        "sta": {
          "enable": true,
          "ssid": "n/a",
          "pass": "n/a",
          "user": "",
          "anon_identity": "",
          "cert": "",
          "key": "",
          "ca_cert": "",
          "ip": "",
          "netmask": "",
          "gw": "",
          "nameserver": "",
          "dhcp_hostname": ""
        },
        "ap": {
          "enable": false,
          "ssid": "Mongoose_??????",
          "pass": "Mongoose",
          "hidden": false,
          "channel": 6,
          "max_connections": 10,
          "ip": "192.168.4.1",
          "netmask": "255.255.255.0",
          "gw": "192.168.4.1",
          "dhcp_start": "192.168.4.2",
          "dhcp_end": "192.168.4.100",
          "trigger_on_gpio": -1,
          "keep_enabled": true
        }
      },
      "app": {
        "pin": 5
      }
    }

  • Found the 'solution': the certificate files stored on the ESP8266 must end with a blank line, i.e. the '-----END CERTIFICATE-----' line must be followed by a newline (!)

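A pre-flight check for the PEM files named in mos.yml, added here as an example (not from this thread and not Mongoose OS code). It assumes a POSIX sh on the workstation; the trailing-newline check needs nothing else, and the chain check runs only when openssl is installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Mongoose OS: check the PEM files
# named in mos.yml before copying them to the device. The root cause in this
# thread was a missing newline after "-----END CERTIFICATE-----".

# pem_check FILE: 0 ok, 1 no newline after END line, 2 no END marker, 3 unreadable
pem_check() {
    [ -r "$1" ] && [ -s "$1" ] || return 3
    grep -q -- '^-----END ' "$1" || return 2
    # $(...) strips a trailing newline, so this is empty exactly when the
    # last byte of the file is a newline
    [ -z "$(tail -c 1 "$1")" ] || return 1
}

# pem_fix FILE: append the missing newline in place, then re-check
pem_fix() {
    [ -n "$(tail -c 1 "$1")" ] && printf '\n' >> "$1"
    pem_check "$1"
}

# verify_chain CA CERT: the trust check mbedTLS performs on the device, done
# on the workstation with openssl (skipped when openssl is not installed)
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    openssl verify -CAfile "$1" "$2"
}

# check_all FILE...: report every file, return 1 if any is bad
check_all() {
    rc=0
    for f in "$@"; do
        st=0
        pem_check "$f" || st=$?
        case $st in
            0) echo "$f: ok" ;;
            1) echo "$f: no newline after END line (the defect found in this thread)"; rc=1 ;;
            2) echo "$f: no -----END marker, not a PEM file?"; rc=1 ;;
            *) echo "$f: cannot read"; rc=1 ;;
        esac
    done
    return $rc
}

# usage: sh pem_check.sh ca.crt client.crt client.key
if [ $# -ge 2 ]; then
    check_all "$@" && verify_chain "$1" "$2"
fi
```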