CODEWITHSUNDEEP
pythonmqtttls1.2mosquittopaho
ZPascal
ZPascal

Reputation: 333

MQTT PAHO [CERTIFICATE_VERIFY_FAILED]

I have a problem with Python (I'm a Python noob and learning it). I used the version 2.7.9 on a Debian 9 System. I installed paho and tinkerforge package in python.

I developed a script using the Paho MQTT client to connected my mosquitto broker. I want to use a crypted connection. My connection work fine when not encrypted but fails when encrypted. The connection work fine encrypted on openHAB (MQTT-Subscriber) and MQTTFX (MQTT-Subscriber and Producer)

I'm using these parameters for my script:

self.client = mqtt.Client()
self.client.tls_set("/home/pi/ca-cert.pem","/home/pi/IWILR1-1-cert.pem","/home/pi/IWILR1-1.pem",tls_version=ssl.PROTOCOL_TLSv1)
# disables peer verification
self.client.tls_insecure_set(False)
    self.client.on_connect = self.mqtt_on_connect
    self.client.on_disconnect = self.mqtt_on_disconnect
self.client.on_message = self.mqtt_on_message

    self.device_proxies = {}
    self.device_proxy_classes = {}

    for subclass in DeviceProxy.subclasses():
        self.device_proxy_classes[subclass.DEVICE_CLASS.DEVICE_IDENTIFIER] = subclass

def connect(self):
    if self.broker_username is not None:
        self.client.username_pw_set(self.broker_username, self.broker_password)

    self.client.connect(self.broker_host, self.broker_port)
    self.client.loop_start()

But now the problem is the error on Python.

    sudo python /home/pi/brick-mqtt-proxy.py
Traceback (most recent call last):
  File "/home/pi/brick-mqtt-proxy.py", line 1250, in <module>
    proxy.connect()
  File "/home/pi/brick-mqtt-proxy.py", line 1109, in connect
    self.client.connect(self.broker_host, self.broker_port)
  File "/usr/local/lib/python2.7/dist-packages/paho/mqtt/client.py", line 760, in connect
    return self.reconnect()
  File "/usr/local/lib/python2.7/dist-packages/paho/mqtt/client.py", line 919, in reconnect
    sock.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

and on mosquitto these errors arrived.

1504896114: New connection from 143.93.197.20 on port 8883.
1504896114: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1504896114: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1504896114: Socket error on client <unknown>, disconnecting.

Mosquitto conf

# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example


pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/


log_type all
log_facility 5
log_timestamp true
log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

port 8883
cafile /etc/mosquitto/ca_certificates/ca-cert.pem
certfile /etc/mosquitto/certs/server-cert.pem
keyfile /etc/mosquitto/certs/server-key.pem

Only Server and Ca matched the broker hostname. Client use there own hostname for CN. I hope thats right?

I hope you can help me to fix my problem.

PS: I used a self-signed certificate! TLS Version 1.2

Upvotes: 2

Views: 5358

Answers (2)

Java dev
Java dev

Reputation: 535

try providing something like below. Default port for ssl is 8883. We can start multiple listeners. In this case non-ssl on 1883 and ssl on 8883.

port 1883
listener 8883

Upvotes: -1

pegmi
pegmi

Reputation: 1

If you are using TLS v1.2 you need to modify the expression (2nd line: self.client.tls_set()) 'tls_version=ssl.PROTOCOL_TLSv1' to 'tls_version=ssl.PROTOCOL_TLSv1_2', not as expected to ...TLSv1.2. This worked for me.

Upvotes: 0

Related Questions