How to setup MQTT over SSL with ESP IDF

LucAppelman
Posts: 5
Joined: Thu Jun 02, 2022 9:39 pm

How to setup MQTT over SSL with ESP IDF

Postby LucAppelman » Thu Jun 02, 2022 9:57 pm

Description

We are trying to set up ESP IDF to connect to the built-in MQTT server of ThingsBoard. We have set up the certificates as suggested in the ThingsBoard tutorial with self-signed certificates https://thingsboard.io/docs/user-guide/ ... generation. We can connect using MQTT Explorer on a Windows machine. I expect we need to do mutual TLS on the ESP side, but whatever we have tried so far, we can't connect.
Code: Select all

esp_mqtt_client_config_t clientConfig = {
    .host = MQTT_HOST,
    .port = 8883,
    .client_id = NULL,
    .username = username,
    .disable_auto_reconnect = true,
    .user_context = context,
    .cert_pem = "-----BEGIN CERTIFICATE-----\n" // openssl command as suggested on ESP IDF
                "..."
                "-----END CERTIFICATE-----\0",
    .transport = MQTT_TRANSPORT_OVER_SSL,
    .skip_cert_common_name_check = true,
};
As mentioned above, the ESP IDF documentation https://docs.espressif.com/projects/esp ... t.html#ssl suggests obtaining the cert_pem value with the following command:

Code: Select all

openssl s_client -showcerts -connect mqtt.eclipseprojects.io:8883 </dev/null 2>/dev/null|openssl x509 -outform PEM >mqtt_eclipse_org.pem

Of course, the URL here is replaced with our own. This certificate is then used as .cert_pem.

The error we are currently getting from ESP-MQTT is 0x8008 https://docs.espressif.com/projects/esp ... codes.html.

Environment

OS: Ubuntu + Docker
ThingsBoard: Latest (v3.3.4.1)
ESP-IDF: Stable (4.4.1)

Dockerfile (using a proxy for http(s)):
Code: Select all

version: '3'

services:
  thingsboard:
    restart: unless-stopped
    image: thingsboard/tb-postgres
    environment:
      - TB_QUEUE_TYPE=in-memory
      - TZ=Europe/Amsterdam
      - MQTT_SSL_ENABLED=true
      - MQTT_SSL_CREDENTIALS_TYPE=PEM
      - MQTT_SSL_PEM_CERT=/certs/server.pem
      - MQTT_SSL_PEM_KEY=/certs/server_key.pem
      - MQTT_SSL_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT=true
    volumes:
      - type: bind
        source: ./thingsboard/data
        target: /data
      - type: bind
        source: ./thingsboard/logs
        target: /var/log/thingsboard
      - type: bind
        source: ./thingsboard/certs
        target: /certs
    ports:
      - 1883:1883
      - 8883:8883
      - 7070:7070
      - 5683-5688:5683-5688/udp

chegewara
Posts: 2364
Joined: Wed Jun 14, 2017 9:00 pm

Re: How to setup MQTT over SSL with ESP IDF

Postby chegewara » Fri Jun 03, 2022 4:43 am

There is one value wrong in the mqtt config, but I am not 100% sure it's the case. client_id can't be NULL.

LucAppelman
Posts: 5
Joined: Thu Jun 02, 2022 9:39 pm

Re: How to setup MQTT over SSL with ESP IDF

Postby LucAppelman » Sat Jun 04, 2022 9:52 am

Unfortunately this was not a solution to our problem. Still receiving the same error.

In menuconfig we have CONFIG_MQTT_PROTOCOL_311 enabled. And we also enabled CONFIG_ESP_TLS_INSECURE and CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY.

ESP_YJM
Posts: 300
Joined: Fri Feb 26, 2021 10:30 am

Re: How to setup MQTT over SSL with ESP IDF

Postby ESP_YJM » Mon Jun 06, 2022 11:32 am

The error 0x8008 is ESP_ERR_ESP_TLS_TCP_CLOSED_FIN. It seems the peer sent FIN to close the connection. I have no idea why the server sends FIN. You can use an MQTT client tool to connect to your server and compare with it.

LucAppelman
Posts: 5
Joined: Thu Jun 02, 2022 9:39 pm

Re: How to setup MQTT over SSL with ESP IDF

Postby LucAppelman » Fri Jun 10, 2022 8:27 am

ESP_YJM wrote:
Mon Jun 06, 2022 11:32 am
The error 0x8008 is ESP_ERR_ESP_TLS_TCP_CLOSED_FIN. It seems the peer sent FIN to close the connection. I have no idea why the server sends FIN. You can use an MQTT client tool to connect to your server and compare with it.
This is true! Unfortunately this was not documented on the error code page.

I had not noticed that the MQTT Explorer client on our desktop also disconnected after a short amount of time when logged in with the account for provisioning, because MQTT Explorer reconnects automatically.

After we had re-added the log line that was removed when changing the MQTT_EVENT_DATA handler from the example, it became clear that the connection closed a lot later than we received data, and we then found out that the provision response was not processed.

Code: Select all

// we used
if (strcmp(topic, "/provision/response")) {}
// but we should have done
if (strcmp(topic, "/provision/response") == 0) {}
A simple C error, but hard to notice without proper debugging 😓

Thanks for your response!
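The fix above corrects the return-value check, but there is a second pitfall in the same line that the thread does not show: in an ESP-MQTT MQTT_EVENT_DATA event, `topic` and `data` point into the receive buffer and are not NUL-terminated, so even `strcmp(...) == 0` can read past the topic and compare against whatever follows it (typically the payload). The added example below is not code from the thread or from ESP-IDF; it is a host-runnable handler core that uses a constructed `struct mqtt_data_event` mirroring only the four event fields a handler needs (`topic`, `topic_len`, `data`, `data_len`), matches the topic with a length-bounded comparison, and copies the payload into a bounded buffer. `buggy_match` reproduces the original comparison so the inverted result is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fields of the ESP-MQTT data event that a
 * handler actually uses (the real esp_mqtt_event_t has more fields).
 * In ESP-MQTT, topic and data point into the receive buffer and are NOT
 * NUL-terminated; topic_len and data_len are the only reliable bounds. */
struct mqtt_data_event {
    const char *topic;
    size_t      topic_len;
    const char *data;
    size_t      data_len;
};

/* Exact, length-bounded topic match. A bare strcmp(event->topic, ...) is
 * wrong twice: strcmp returns 0 on equality (the bug in the thread), and it
 * would keep reading past topic_len looking for a NUL that is not there. */
bool topic_equals(const char *topic, size_t topic_len, const char *expected)
{
    size_t expected_len = strlen(expected);
    return topic_len == expected_len && memcmp(topic, expected, topic_len) == 0;
}

/* Copy the payload into a caller-supplied buffer and NUL-terminate it,
 * truncating rather than overflowing. Returns the number of bytes copied. */
size_t copy_payload(const struct mqtt_data_event *ev, char *out, size_t out_size)
{
    if (out_size == 0) return 0;
    size_t n = ev->data_len < out_size - 1 ? ev->data_len : out_size - 1;
    memcpy(out, ev->data, n);
    out[n] = '\0';
    return n;
}

/* Handler core: returns 1 if the message was the provisioning response and
 * its payload was copied into out, 0 if it was for some other topic. */
int handle_data_event(const struct mqtt_data_event *ev, char *out, size_t out_size)
{
    if (!topic_equals(ev->topic, ev->topic_len, "/provision/response")) {
        return 0;
    }
    copy_payload(ev, out, out_size);
    return 1;
}

/* Reproduces the original comparison from the thread on a NUL-terminated
 * copy of the topic: it is "true" only when the strings DIFFER, so the
 * provisioning branch never ran for the topic it was written for. */
int buggy_match(const char *nul_terminated_topic)
{
    return strcmp(nul_terminated_topic, "/provision/response") ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: topic and payload sit back to back in one buffer
     * with no terminator between them, as in the ESP-MQTT receive path. */
    static const char rx[] = "/provision/response{\"status\":\"SUCCESS\"}";
    struct mqtt_data_event ev = { rx, 19, rx + 19, sizeof(rx) - 1 - 19 };
    char payload[64];

    int hit = handle_data_event(&ev, payload, sizeof payload);
    printf("matched=%d payload=%s\n", hit, payload);
    printf("buggy_match(\"/provision/response\") = %d\n",
           buggy_match("/provision/response"));
    return 0;
}
```

On the device the same logic drops into the MQTT_EVENT_DATA case with `event->topic`, `event->topic_len`, `event->data` and `event->data_len`; the `%.*s` form used by the ESP-IDF examples for logging is the printf equivalent of the bounded comparison here. If the handler ignores the response, the server is free to close the session, which is exactly the FIN that ESP-TLS reports as 0x8008.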
