ESP32 Forum

ESP32 Official Forum
http://esp32.io/

How to setup MQTT over SSL with ESP IDF

http://esp32.io/viewtopic.php?f=13&t=28170

Page 1 of 1

How to setup MQTT over SSL with ESP IDF

Posted: Thu Jun 02, 2022 9:57 pm
by LucAppelman
Description

We are trying to setup ESP IDF to connect with the build in MQTT server of thingsboard. We have setup the certificates as suggested in the tutorial by thingsboard with self signed certicates https://thingsboard.io/docs/user-guide/ ... generation. We can connect using MQTT explorer on a windows machine. I expect we need to do a mutual on the ESP side but whatever we have tried so far we can't connect.
Code: [Select all] [Expand/Collapse]
  1. esp_mqtt_client_config_t clientConfig = {
  2.     .host = MQTT_HOST,
  3.     .port = 8883,
  4.     .client_id = NULL,
  5.     .username = username,
  6.     .disable_auto_reconnect = true,
  7.     .user_context = context,
  8.     .cert_pem = "-----BEGIN CERTIFICATE-----\n" // openssl command as suggested on ESP IDF
  9.                "..."
  10.                "-----END CERTIFICATE-----\0",
  11.     .transport = MQTT_TRANSPORT_OVER_SSL,
  12.     .skip_cert_common_name_check = true,
  13. };
GeSHi © Codebox Plus Extension
As mentioned above the ESP IDF suggests https://docs.espressif.com/projects/esp ... t.html#ssl getting the cert_pem option by getting this using the following command
Code: [Select all] [Expand/Collapse]
  1. openssl s_client -showcerts -connect mqtt.eclipseprojects.io:8883 </dev/null 2>/dev/null|openssl x509 -outform PEM >mqtt_eclipse_org.pem
GeSHi © Codebox Plus Extension
Of course the url here is replaced with our own. This certificate is then used as .cert_pem.

The error we are currently getting from ESP-MQTT is 0x8008 https://docs.espressif.com/projects/esp ... codes.html.

Environment

OS: Ubuntu + Docker
ThingsBoard: Latest (v3.3.4.1)
ESP-IDF: Stable (4.4.1)

Dockerfile (using a proxy for http(s)):
Code: [Select all] [Expand/Collapse]
  1. version: '3'
  2.  
  3. services:
  4.   thingsboard:
  5.     restart: unless-stopped
  6.     image: thingsboard/tb-postgres
  7.     environment:
  8.      - TB_QUEUE_TYPE=in-memory
  9.       - TZ=Europe/Amsterdam
  10.       - MQTT_SSL_ENABLED=true
  11.       - MQTT_SSL_CREDENTIALS_TYPE=PEM
  12.       - MQTT_SSL_PEM_CERT=/certs/server.pem
  13.       - MQTT_SSL_PEM_KEY=/certs/server_key.pem
  14.       - MQTT_SSL_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT=true
  15.     volumes:
  16.       - type: bind
  17.         source: ./thingsboard/data
  18.         target: /data
  19.       - type: bind
  20.         source: ./thingsboard/logs
  21.         target: /var/log/thingsboard
  22.       - type: bind
  23.         source: ./thingsboard/certs
  24.         target: /certs
  25.     ports:
  26.      - 1883:1883
  27.       - 8883:8883
  28.       - 7070:7070
  29.       - 5683-5688:5683-5688/udp
GeSHi © Codebox Plus Extension

Re: How to setup MQTT over SSL with ESP IDF

Posted: Fri Jun 03, 2022 4:43 am
by chegewara
There is one value wrong in mqtt config, but i am not 100% sure its the case. client_id cant be NULL.

Re: How to setup MQTT over SSL with ESP IDF

Posted: Sat Jun 04, 2022 9:52 am
by LucAppelman
Unfortunately this was not a solution to our problem. Still receiving the same error.

In menuconfig we have CONFIG_MQTT_PROTOCOL_311 enabled. And we also enabled CONFIG_ESP_TLS_INSECURE and CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY.

Re: How to setup MQTT over SSL with ESP IDF

Posted: Mon Jun 06, 2022 11:32 am
by ESP_YJM
The error 0x8008 is ESP_ERR_ESP_TLS_TCP_CLOSED_FIN. It seems the peer send FIN to close the connection. I have no idea why the server send FIN. You can use MQTT client tool to connect your server and compare with it.

Re: How to setup MQTT over SSL with ESP IDF

Posted: Fri Jun 10, 2022 8:27 am
by LucAppelman
ESP_YJM wrote:
Mon Jun 06, 2022 11:32 am
 The error 0x8008 is ESP_ERR_ESP_TLS_TCP_CLOSED_FIN. It seems the peer send FIN to close the connection. I have no idea why the server send FIN. You can use MQTT client tool to connect your server and compare with it.
This is true! Unfortunately this was not documented on the error code page.

I had not noticed the mqtt-explorer client on our desktop also disconnected after a short amount of time when logged in with the account for provisioning because mqtt-explorer reconnects automatically.

After we had readded the log line that was removed when changing the MQTT_EVENT_DATA handler from the example it became clear that the connection closed a lot later then we received data, and then found out that the provision response was not processed.

Code: Select all

// we used
if (strcmp(topic, "/provision/response")) {}
// but we should have done
if (strcmp(topic, "/provision/response") == 0) {}
A simple C error, but hard to notice without proper debugging 😓

Thanks for your response!
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/