mqtt ssl example certificate error

[DEsp3286]

Hi, I'm having some trouble with mqtt ssl example.

If I test it with the default broker "mqtts://mqtt.eclipse.org:8883" and default certificate "mqtt_eclipse_org.pem"
It works correctly.

If I change the broker with mqtts://test.mosquitto.org:8883
( https://test.mosquitto.org/ ) and change the certificate using (mosquitto.org.crt (PEM format), it fails and gave me TLS errors:

Code: Select all

mbedtls:ssl_tls.c:5757 x509_verify_cert() returned -9984 (-0x2700)

Code: Select all

esp-tls: mbedtls_ssl_handshake returned .0x2700
  	 esp-tls: Failed to verify peer certificate!
  	 esp-tls: verification info: ! The certificate Common Name (CN) does not match with the expected CN

What am I doing wrong?

[ESP-Marius]

Hi,

Not sure why you are getting "Common name doesnt match", but test.mosquitto.org is the optimal site to test ESP-IDF/mbedTLS with as you will run into problems due to their "weak" certificate. See https://github.com/espressif/esp-idf/issues/2993 for details.

[DEsp3286]

Thanks for reply;

I'm trying with my own broker and certificate, but got the same error.

How can I "fix" the certificate in order to be trusted?
Or how can I "tell" to the esp to trust this certificate ?

[ESP-Marius]

The Common Name error implies that the common name in the certificate doesn't match what you are connecting to. E.g. lets say you are running a local broker, with a certificate where the common name is "local.broker", but from IDF you are trying to connect using your local IP address. Could this be the case for you?

Does the address you are using match the common name in the certificate?

[DEsp3286]

Error is:

Code: Select all

failed to verify peer certificate
verification info: ! the certificate is not correctly signed by the trusted CA

How to fix this?

[ESP-Marius]

Seems like there is something not right with the certificate you are using then, but hard to tell without any extra information. Is this for test.mosquitto.org or your local broker? Any chance you could post the certificate?

[DEsp3286]

The error is the same I got from https://test.mosquitto.org/.

If you download the mosquitto.org.crt (PEM format), and try the mqtt/ssl example you should get the same error.

Could you try? Maybe there's something wrong in my config file.

Thanks

[ESP-Marius]

The certificate works for me (except for the problems described in the link I posted)

[DEsp3286]

What do you mean? Did you get the same error?

Code: Select all

failed to verify peer certificate
verification info: ! the certificate is not correctly signed by the trusted CA

[rsimpsonbusa]

The certificate is for mosquitto.com in the WEB. You seem to be in your LAN. That is, Common Name (CN) in the Certificate will say https://mosquitto.org and your LAN will say localhost or whatever (127.0.0.1). They dont match at all. You can make a self signed certificate but that will also give u another certification problem (the CA is not accepted). It is a mess. The securities are basically forcing everyone to have a DOMAIN name server registered with a CA like google, lets encrypt, etc even for testing.

Now say u get a domain, does your ISP router allow u to route their IP with which u registered the Domain into your LAN 192.168.x.x is another story. As I said, its a mess.

I use a free service like cloudmqtt.com that has unsecure and secure connections. I tried with my local broker (mosquitto) but eventually gave up. As a bonus u get to see the espXXX perform in therreal WEB, latencies, erros, etc. Good for testing.