06.09.2019, 07:26 (This post was last modified: 06.09.2019, 08:46 by ThomasB.)
Hi,
does anyone have an idea what could be the problem here;
The setup is an MQTT broker running vernemq, with self-signed certificates using TLS 1.2 (certs were generated using i think ACME or certbot against a Letsencrypt CA).
The point is ofcourse that a client can connect over TLS-insecure (only hostname verification, to which it connects) with the broker, login and send messages.
On another client, which is a raspberry pi (raspbian), this runs without problems and without extra clientside keys/certs from a python script but on the logic machine i cant get it working.
I tried with uploading the Letsencrypt CA and referencing it from the Lua script but i keep seeing an error in the broker logs;
8:55:09.835 [info] <0.631.0> TLS server: In state certify received CLIENT ALERT: Fatal - Unknown CA
Ive tried setting TLS to v1.1 but that didn't do anything either.
You need to provide full certificate chain in a single file including root certificate (DST Root CA X3). It is not supplied by default because it usually can be found in system's ca-certificates storage. Since LM does not have any ca-certificates by default you need to have all certificates in a single file.
06.09.2019, 14:42 (This post was last modified: 06.09.2019, 14:43 by ThomasB.)
(06.09.2019, 09:04)admin Wrote: You need to provide full certificate chain in a single file including root certificate (DST Root CA X3). It is not supplied by default because it usually can be found in system's ca-certificates storage. Since LM does not have any ca-certificates by default you need to have all certificates in a single file.
Hi admin, thank you for your reply, the error is gone but I now notice, using wireshark, the TLS handshake repeatedly succeeds on every step, the server decodes application data as being 'mqtt' but after the final step there's a connection reset every time....
client.ON_CONNECT = function()
log('connected')
value = grp.getvalue('0/3/4') or 0
client:publish("SOME/TOPIC/1", value, qos, retain)
value = grp.getvalue('0/3/5') or 0
client:publish("SOME/TOPIC/2", value, qos, retain)
client:disconnect()
end
You have disconnect call in connect handler. This example is meant for one way publish when value is changed without having a constantly open connection.
10.09.2019, 09:22 (This post was last modified: 10.09.2019, 09:22 by ThomasB.)
(10.09.2019, 07:42)admin Wrote: You have disconnect call in connect handler. This example is meant for one way publish when value is changed without having a constantly open connection.
Yes, that is the purpose, it's a script that is run every minute!
sorry for lack of info
(12.09.2019, 15:00)admin Wrote: Are you sure you need both login/password and client certificate?
i think so, the login is for the mqtt broker and the certs are for the secure websockets (TLS)
I can connect to the broker using a webclient like this one: http://www.espert.io/mqtt/index.html
I have to check the SSL box, provide login, hostname, port 8883 and it all works.
Client certificates are only needed if you are using it for client authentication which seems like you don't. So you only need to specify server certificate but there must be the whole certificate chain in a single file including root certificate.
(13.09.2019, 09:25)admin Wrote: Client certificates are only needed if you are using it for client authentication which seems like you don't. So you only need to specify server certificate but there must be the whole certificate chain in a single file including root certificate.
the packages were up to date and I had tried as you proposed. Now tried it again adding our cert.pem to your snippet but still the connection gets instantly reset after client hello.
Hi, do you also know how to conenct to AWSIoT ? AWS provides:
- the root CA :AmazonRootCA1.pem and AmazonRootCA3.pem
- the client cert : 0a1b2c3d4e-certificate.pem.crt
- the client private key: 0a1b2c3d4e-private.pem.key
- the client public key: 0a1b2c3d4e-public.pem.key
i would assume below is the correct way to connect, i left out login_set because auth is only certificate based
yes, it was indeed a problem with the path
now the assert is true and no errors but it never executes the ON_CONNECT routine
script is executed every 60s but i never see 'connected' in the logging
15.06.2020, 14:12 (This post was last modified: 15.06.2020, 14:38 by ThomasB.)
EDIT: after googling i found out the error is related to CA, i changed to CA1.pem and now i get
AWSIoT Test 15.06.2020 16:37:44
* arg: 1
* number: 16
* arg: 2
* string: Client TEST sending CONNECT but it doesnt go into the loop
OLD POST:
network config is ok. i was able to ping the host from the network utilities
with the ON_LOG i see:
AWSIoT Test 15.06.2020 16:11:39
* arg: 1
* number: 8
* arg: 2
* string: OpenSSL Error: error:14090086:lib(20):func(144):reason(134)
just for clarity, the full script: