MQTT SSL mutual authentication CA issues
Posted: Sat Feb 20, 2021 9:31 am
Hello Everyone!
I'm trying to connect my ESP32 to a mosquitto broker, running on a Raspberry Pi in my local network, using mutual authentication. I tested the mosquitto broker and I was able to connect using client.crt, client.key and ca.crt from many clients, so I'm pretty sure the issue is in my ESP32 configuration, but here's the relevant part of my mosquitto.conf:
Code:
allow_anonymous false
password_file /etc/mosquitto/pwfile
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/raspberrypi.key
certfile /etc/mosquitto/certs/raspberrypi.crt
require_certificate true
tls_version tlsv1.2
On the ESP32 side, I started from the mutual authentication example and modified it to embed the ca.crt file, and this is how I edited my MQTT client configuration:
Code:
const esp_mqtt_client_config_t mqtt_cfg = {
.host = "192.168.1.11", //Raspberry running mosquitto IP
.port = 8883,
.transport = MQTT_TRANSPORT_OVER_SSL,
.event_handle = mqtt_event_handler,
//.use_global_ca_store = true,
.cert_pem = (const char *)server_cert_pem_start, //this is the ca.crt file
.client_cert_pem = (const char *)client_cert_pem_start,
.client_key_pem = (const char *)client_key_pem_start,
.username = "theUsername",
.password = "thePassword"
};
When I try to run the application, in a terminal I can see that the ESP32 successfully connected to Wi-Fi, and then this is what I get:
Code:
[...]
I (3648) MQTTS_EXAMPLE: Other event id:7
E (3718) esp-tls-mbedtls: mbedtls_x509_crt_parse returned -0x2180
E (3718) esp-tls-mbedtls: Failed to set client pki context
E (3718) esp-tls-mbedtls: Failed to set client configurations
E (3728) esp-tls: create_ssl_handle failed
E (3728) esp-tls: Failed to open new connection
E (3738) TRANS_SSL: Failed to open a new connection
E (3748) MQTT_CLIENT: Error transport connect
I (3748) MQTTS_EXAMPLE: MQTT_EVENT_ERROR
I (3758) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED
[...]
and it goes on like this forever.
I tried to google the first warning and the following errors and I understood that it has something to do with my certificates, so I tried to include them as a string, formatted like
Code:
const uint8_t client_key_pem_start[] = \
"-----BEGIN TRUSTED CERTIFICATE-----\n" \
"every linelike this\n" \
[...]
"-----END TRUSTED CERTIFICATE-----\n";
and many variations around this, but still no luck.
If I disable SSL on mosquitto, comment out the certificates in the MQTT configuration and keep only user/password authentication, I'm able to connect and post without issues.
I have to admit that I started fiddling with MQTT and SSL one or two days ago; I understand the basic concepts of SSL and CAs, but I can't say that I fully understand what I'm doing.
What am I missing?
I'm using esp-idf 4.1.1.
Let me know if you need more information! Thanks in advance for your help!
Gustav
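A pre-flight check for the PEM blobs, added here as an example; it is not code from the post above, from ESP-IDF or from mbedTLS. The logged "Failed to set client pki context" comes from the step that parses the client certificate and key, and -0x2180 is MBEDTLS_ERR_X509_INVALID_FORMAT, which mbedtls_x509_crt_parse returns when it falls back to DER parsing and the first byte is not an ASN.1 SEQUENCE. It takes the DER path whenever the buffer is not NUL-terminated or contains no "-----BEGIN CERTIFICATE-----" line, so an OpenSSL "TRUSTED CERTIFICATE" export, a certificate pasted into the key slot, or a file embedded with EMBED_FILES instead of EMBED_TXTFILES all produce exactly this error. The script reproduces those checks in pure Python so they can be run on the host before flashing. The DER payload and the file/slot names in the sample table are constructed placeholders, not real certificates or keys.

```python
"""Pre-flight checks for PEM blobs before they are embedded in ESP-IDF firmware.

Added example (not ESP-IDF or mbedTLS code). Mirrors how mbedTLS decides a
buffer is PEM: it must be NUL-terminated and carry a label the parser knows;
anything else is parsed as DER and must start with SEQUENCE (0x30).
"""
import base64
import re

# Labels mbedtls_x509_crt_parse and mbedtls_pk_parse_key look for.
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END ([A-Z ]+)-----", re.S)


def der_outer_length(der: bytes) -> int:
    """Length of the outermost DER element, or -1 if it is not a SEQUENCE
    with a well-formed length. X.509 certs and PKCS#1/PKCS#8 keys all start
    with SEQUENCE, which is the check that yields -0x2180 in mbedTLS."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(buf: bytes, slot: str) -> list:
    """Problems with `buf` for `slot`: 'cert' (cert_pem / client_cert_pem)
    or 'key' (client_key_pem). Empty list means mbedTLS will take the PEM
    path and find one structurally sane DER object per block."""
    problems = []
    expected = CERT_LABELS if slot == "cert" else KEY_LABELS
    blocks = PEM_RE.findall(buf)
    if not blocks:
        problems.append("no PEM block found: binary DER, wrong file, or a "
                        "mangled header line")
    for begin, body, end in blocks:
        begin, end = begin.decode(), end.decode()
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        if begin not in expected:
            hint = ""
            if begin == "TRUSTED CERTIFICATE":   # 'openssl x509 -trustout' output
                hint = (" (re-export without -trustout: "
                        "openssl x509 -in in.pem -out out.pem)")
            problems.append(f"{slot} slot holds a '{begin}' block, expected "
                            f"one of {sorted(expected)}{hint}")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{begin}: body is not valid base64")
            continue
        if der_outer_length(der) != len(der):
            problems.append(f"{begin}: decoded bytes are not a single DER "
                            "SEQUENCE of the right length")
    if not buf.endswith(b"\x00"):
        problems.append("buffer is not NUL-terminated: mbedTLS only looks for "
                        "PEM headers when the length includes a trailing NUL "
                        "(EMBED_TXTFILES adds one, EMBED_FILES does not)")
    return problems


def make_pem(label: str, der: bytes, nul: bool = True) -> bytes:
    """Build a PEM blob as a text file embedded with EMBED_TXTFILES arrives
    in firmware: 64-column base64, trailing newline, trailing NUL."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out = (b"-----BEGIN " + label.encode() + b"-----\n" + b"\n".join(lines)
           + b"\n-----END " + label.encode() + b"-----\n")
    return (out + b"\x00") if nul else out


# Constructed placeholder DER: SEQUENCE { INTEGER 5 }. Structurally what the
# parser expects at the top level; not a real certificate or key.
FAKE_DER = b"\x30\x03\x02\x01\x05"

GOOD_CERT = make_pem("CERTIFICATE", FAKE_DER)
GOOD_KEY = make_pem("EC PRIVATE KEY", FAKE_DER)
TRUSTED_CERT = make_pem("TRUSTED CERTIFICATE", FAKE_DER)     # openssl -trustout
CERT_IN_KEY_SLOT = GOOD_CERT                                  # cert assigned to client_key_pem
NO_NUL_CERT = make_pem("CERTIFICATE", FAKE_DER, nul=False)    # EMBED_FILES instead of EMBED_TXTFILES

if __name__ == "__main__":
    for name, blob, slot in [("ca.crt", GOOD_CERT, "cert"),
                             ("client.key", GOOD_KEY, "key"),
                             ("client.crt (trusted)", TRUSTED_CERT, "cert"),
                             ("client_key_pem <- cert", CERT_IN_KEY_SLOT, "key"),
                             ("ca.crt (EMBED_FILES)", NO_NUL_CERT, "cert")]:
        issues = check_pem(blob, slot)
        print(f"{name}: {'OK' if not issues else ''}")
        for p in issues:
            print("  -", p)
```

Run it against the real files by reading them with open(path, "rb").read() and appending b"\x00" only if the build embeds them with EMBED_TXTFILES; a clean result means the failure is somewhere other than the blob format (for example the server certificate's hostname or the CA the broker verifies clients against), which this script deliberately does not try to judge.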