mqtt ssl example certificate error

DEsp3286
Posts: 13
Joined: Sat Sep 29, 2018 11:30 am

mqtt ssl example certificate error

Postby DEsp3286 » Fri May 15, 2020 7:10 am

Hi, I'm having some trouble with mqtt ssl example.

If I test it with the default broker "mqtts://mqtt.eclipse.org:8883" and default certificate "mqtt_eclipse_org.pem"
It works correctly.

If I change the broker with mqtts://test.mosquitto.org:8883
( https://test.mosquitto.org/ ) and change the certificate using (mosquitto.org.crt (PEM format), it fails and gave me TLS errors:

Code: Select all

mbedtls:ssl_tls.c:5757 x509_verify_cert() returned -9984 (-0x2700)

Code: Select all

esp-tls: mbedtls_ssl_handshake returned .0x2700
  	 esp-tls: Failed to verify peer certificate!
  	 esp-tls: verification info: ! The certificate Common Name (CN) does not match with the expected CN
What am I doing wrong?

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: mqtt ssl example certificate error

Postby ESP-Marius » Fri May 15, 2020 8:06 am

Hi,

Not sure why you are getting "Common name doesnt match", but test.mosquitto.org is the optimal site to test ESP-IDF/mbedTLS with as you will run into problems due to their "weak" certificate. See https://github.com/espressif/esp-idf/issues/2993 for details.

DEsp3286
Posts: 13
Joined: Sat Sep 29, 2018 11:30 am

Re: mqtt ssl example certificate error

Postby DEsp3286 » Fri May 15, 2020 8:46 am

Thanks for reply;

I'm trying with my own broker and certificate, but got the same error.

How can I "fix" the certificate in order to be trusted?
Or how can I "tell" to the esp to trust this certificate ?

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: mqtt ssl example certificate error

Postby ESP-Marius » Fri May 15, 2020 9:59 am

The Common Name error implies that the common name in the certificate doesn't match what you are connecting to. E.g. lets say you are running a local broker, with a certificate where the common name is "local.broker", but from IDF you are trying to connect using your local IP address. Could this be the case for you?

Does the address you are using match the common name in the certificate?

DEsp3286
Posts: 13
Joined: Sat Sep 29, 2018 11:30 am

Re: mqtt ssl example certificate error

Postby DEsp3286 » Fri May 15, 2020 10:12 am

Error is:

Code: Select all

failed to verify peer certificate
verification info: ! the certificate is not correctly signed by the trusted CA
How to fix this?

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: mqtt ssl example certificate error

Postby ESP-Marius » Fri May 15, 2020 10:28 am

Seems like there is something not right with the certificate you are using then, but hard to tell without any extra information. Is this for test.mosquitto.org or your local broker? Any chance you could post the certificate?

DEsp3286
Posts: 13
Joined: Sat Sep 29, 2018 11:30 am

Re: mqtt ssl example certificate error

Postby DEsp3286 » Fri May 15, 2020 10:31 am

The error is the same I got from https://test.mosquitto.org/.

If you download the mosquitto.org.crt (PEM format), and try the mqtt/ssl example you should get the same error.

Could you try? Maybe there's something wrong in my config file.

Thanks

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: mqtt ssl example certificate error

Postby ESP-Marius » Fri May 15, 2020 11:03 am

The certificate works for me (except for the problems described in the link I posted)

DEsp3286
Posts: 13
Joined: Sat Sep 29, 2018 11:30 am

Re: mqtt ssl example certificate error

Postby DEsp3286 » Fri May 15, 2020 11:47 am

What do you mean? Did you get the same error?

Code: Select all

failed to verify peer certificate
verification info: ! the certificate is not correctly signed by the trusted CA

rsimpsonbusa
Posts: 131
Joined: Tue May 17, 2016 8:12 pm

Re: mqtt ssl example certificate error

Postby rsimpsonbusa » Mon May 18, 2020 2:21 am

The certificate is for mosquitto.com in the WEB. You seem to be in your LAN. That is, Common Name (CN) in the Certificate will say https://mosquitto.org and your LAN will say localhost or whatever (127.0.0.1). They dont match at all. You can make a self signed certificate but that will also give u another certification problem (the CA is not accepted). It is a mess. The securities are basically forcing everyone to have a DOMAIN name server registered with a CA like google, lets encrypt, etc even for testing.

Now say u get a domain, does your ISP router allow u to route their IP with which u registered the Domain into your LAN 192.168.x.x is another story. As I said, its a mess.

I use a free service like cloudmqtt.com that has unsecure and secure connections. I tried with my local broker (mosquitto) but eventually gave up. As a bonus u get to see the espXXX perform in therreal WEB, latencies, erros, etc. Good for testing.

Who is online

Users browsing this forum: ESP_Roland, MicroController, snutw_ and 94 guests