Eclipse Community Forums
Paho » TLS Certificate Verify Failure in paho-mqtt implementation (Using paho-mqtt python lib, fails certificate verification based on IP mismatch)
TLS Certificate Verify Failure in paho-mqtt implementation [message #1829350] Wed, 01 July 2020 18:13
Gary Marks
Messages: 3
Registered: July 2020
Junior Member
Hello, I'm trying to implement a first subscription example from the book, "Hands-On MQTT Programming with Python", but I'm getting a certificate failure error as follows:
Traceback (most recent call last):
  File "subscribe_with_paho.py", line 40, in <module>
    keepalive = mqtt_keepalive)
  File "/home/pi/MQTT/snPyEnv/lib/python3.7/site-packages/paho/mqtt/client.py", line 768, in connect
    return self.reconnect()
  File "/home/pi/MQTT/snPyEnv/lib/python3.7/site-packages/paho/mqtt/client.py", line 927, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.0.1.101'. (_ssl.c:1056)

I have one mosquitto server implemented on a raspberry pi 3b+, an mqtt client implemented on a raspberry pi 3b, and another client implemented on an Ubuntu 20.04 workstation on VMware Workstation. I have set up python venv (virtual environments) on the two clients as recommended by the book.
By the procedure specified in the book, I have generated certificates as follows:
• Certificate authority: ca.crt
• On the server:
    o Server certificate: server.crt
    o Server key: server.key
• On the clients:
    o Client certificates: wsClient.crt and snClient.crt (workstation and client pi board respectively)
    o Client keys: wsClient.key and snClient.key

I have successfully tested the certificates and the general setup with the mosquitto client apps, mosquitto_sub and mosquitto_pub. Example:
mosquitto_sub -h 10.0.1.101 -V mqttv311 -p 8883 --cafile /home/pi/MQTT/snPyEnv/mqtt_certs/ca.crt --cert /home/pi/MQTT/snPyEnv/mqtt_certs/snClient.crt --key /home/pi/MQTT/snPyEnv/mqtt_certs/snClient.key -t sensors/s4_01/answer -d
I have successfully tested with both mosquitto_sub and mosquitto_pub on both clients with the exact same certificates and the respective paths used in the python code. As in the book, I have two python files: config.py and subscribe_with_paho.py.
Code in config.py:
# TLS files
ca_certificate = "/home/pi/MQTT/snPyEnv/mqtt_certs/ca.crt"
client_certificate = "/home/pi/MQTT/snPyEnv/mqtt_certs/snClient.crt"
client_key = "/home/pi/MQTT/snPyEnv/mqtt_certs/snClient.key"

# MQTT configuration
mqtt_server_host = "10.0.1.101" # Replace this value based on specific host name
mqtt_server_port = 8883 # For TLS (without TLS use 1883)
mqtt_keepalive = 60

Code in subscribe_with_paho.py:
from config import *
import paho.mqtt.client as mqtt

# Callback function when CONNACK is received
def on_connect(client, userdata, flags, rc):
    print("Result from connect: {}".format(
        mqtt.connack_string(rc)))
    # Subscribe to the vehicles/vehiclepi01/test topic filter
    client.subscribe("vehicles/vehiclepi01/test", qos=0)

# Callback function when SUBACK is received
def on_subscribe(client, userdata, mid, granted_qos):
    print("I've subscribed with QoS: {}".format(
        granted_qos[0]))

# Callback function when PUBLISH is received
def on_message(client, userdata, msg):
    print("Message received. Topic: {}. Payload: {}".format(
        msg.topic,
        str(msg.payload)))


if __name__ == "__main__":
    client = mqtt.Client(protocol=mqtt.MQTTv311)
    client.on_connect = on_connect
    client.on_subscribe = on_subscribe
    client.on_message = on_message
    client.tls_set(ca_certs=ca_certificate,
                   certfile=client_certificate,
                   keyfile=client_key)
    client.connect(host=mqtt_server_host,
                   port=mqtt_server_port,
                   keepalive=mqtt_keepalive)
    client.loop_forever()

The question remains, why do the mosquitto client apps work and the paho python code does not work using the exact same certificate files? By the way, the python code works for a non-TLS setup (port 1883 and no certificates).


Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1829384 is a reply to message #1829350] Thu, 02 July 2020 11:35
Gambit Support
Messages: 46
Registered: March 2019
Member
We use

         client.tls_set(ca_certs=main.cafile, certfile=main.certfile, keyfile=main.keyfile, tls_version=ssl.PROTOCOL_SSLv23, cert_reqs=main.required)
         client.tls_insecure_set(True)


and it seems to work (you can google the arguments and calls).
Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1829404 is a reply to message #1829384] Thu, 02 July 2020 20:14
Gary Marks
Messages: 3
Registered: July 2020
Junior Member
Thank you, that seems to work. It seems that the client.tls_insecure_set(True) was the key to getting it to work. However, I did google the parameters and the client.tls_insecure_set() as per your recommendation. According to the Eclipse Paho documentation, setting the tls_insecure to True is the equivalent of rendering TLS useless for a "real system". The exact quote: "Do not use this function in a real system. Setting value to True means there is no point using encryption."
Is there a way to get this to work without setting that value to True? And again why does the mosquitto_sub work without an "insecure setting"?

Thank you for your help.
Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1829438 is a reply to message #1829404] Fri, 03 July 2020 13:23
Gambit Support
Messages: 46
Registered: March 2019
Member
The real question is how secure you want your software, 98% or 99%? (THERE IS NO 100% secure.)
If you care about man-in-the-middle then you MUST get your certificates correct.
If you don't care about man-in-the-middle, then you ignore this and move on.
Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1829456 is a reply to message #1829438] Sat, 04 July 2020 00:00
Gary Marks
Messages: 3
Registered: July 2020
Junior Member
Thank you for your ongoing patience on this issue. However, I should point out that the "client.tls_insecure_set(True)" fix actually only worked on one of my clients. Recall the mosquitto server is running on a raspberry pi 3b. My raspberry pi 3 client now works with the "client.tls_insecure_set(True)" fix, but my Ubuntu client does not. I still get the original error message ("ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.0.1.101'. (_ssl.c:1056)"). So the exact same code with the exact same setup works "Pi to Pi" but not "Ubuntu to Pi". Do you have any ideas?

The other thing I would point out is that your statement, "you MUST get your certificates correct" may be the crux of the issue. I meticulously followed the procedures for creating the certificates specified in the book (again, "Hands-On MQTT Programming with Python"), which works for the mosquitto client apps but not with Paho. Any ideas on this? Can you point me to something that explains how to CORRECTLY generate certificates?

Again, thank you
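Added example (editor's note, not code from any post in this thread, from Paho or from mosquitto). The error text "IP address mismatch, certificate is not valid for '10.0.1.101'" comes from OpenSSL's hostname verification as used by Python's ssl module, and OpenSSL matches an IP literal only against iPAddress entries in the certificate's subjectAltName (SAN), never against the Common Name. A broker certificate generated with the IP in the CN and no SAN therefore fails in Paho while still being accepted by the mosquitto command-line clients, whose own verification falls back to the CN when no SAN is present. That is the assumed cause here; the script below generates a CA and a broker certificate with a proper SAN for 10.0.1.101 (the broker address from this thread) and checks both that variant and a CN-only one with the same matching rule. It assumes the openssl command-line tool (1.1.1 or later) is installed; directory names are placeholders.

```shell
#!/bin/sh
# Added example: CA + broker certificate with a SAN iPAddress entry, plus a
# check that mirrors OpenSSL/Python hostname verification. Not from the thread.
# Assumes: openssl CLI 1.1.1+ on PATH; 10.0.1.101 is the broker IP from the thread.
set -e

# make_certs DIR IP WITH_SAN(yes|no)
# WITH_SAN=no reproduces a CN-only certificate, the usual cause of an
# "IP address mismatch" verify failure in the Python ssl module.
make_certs() {
  dir="$1"; ip="$2"; with_san="$3"
  mkdir -p "$dir"
  # Self-signed CA (key left unencrypted for the example; protect it in real use)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example MQTT CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Broker key and certificate request; the CN is the IP in both variants
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$ip" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  if [ "$with_san" = "yes" ]; then
    # The SAN extension is what verifiers match an IP literal against
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" \
      > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 825 -extfile "$dir/server.ext" \
      -out "$dir/server.crt" >/dev/null 2>&1
  else
    # No extension file: CN only, no SAN
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 825 -out "$dir/server.crt" >/dev/null 2>&1
  fi
}

# check_cert DIR IP: succeeds only if server.crt chains to ca.crt AND the IP
# is covered by the certificate's SAN (-checkip applies X509_check_ip, the
# same rule Python's ssl module applies when the host is an IP literal).
check_cert() {
  dir="$1"; ip="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -checkip "$ip" 2>/dev/null \
    | grep -q "does match certificate"
}

# Stand-alone run: build both variants and report which one a strict client accepts
WORK="${TMPDIR:-/tmp}/mqtt-certs-example"
make_certs "$WORK/with-san" 10.0.1.101 yes
make_certs "$WORK/cn-only"  10.0.1.101 no
for variant in with-san cn-only; do
  if check_cert "$WORK/$variant" 10.0.1.101; then
    echo "$variant: certificate is valid for 10.0.1.101"
  else
    echo "$variant: certificate is NOT valid for 10.0.1.101 (the failure seen in this thread)"
  fi
done
```

With a broker certificate from the "with-san" variant (server.crt and server.key on the mosquitto side, ca.crt as ca_certs on the client), the original client.tls_set(...) call verifies without client.tls_insecure_set(True), so hostname verification stays on and the connection keeps its protection against a substituted broker. If the broker is also reached by name, add a DNS entry to the same subjectAltName line (for example subjectAltName=IP:10.0.1.101,DNS:broker.example), since each address the client uses must appear in the SAN.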
Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1829476 is a reply to message #1829456] Sat, 04 July 2020 14:27
Gambit Support
Messages: 46
Registered: March 2019
Member
I suspect user error, i.e. you are not running the code you think you are running.
Prove to yourself that the code that executes is the source code you think it is running.
Anything else, sorry, beyond our pay grade. We are just users of Paho.
Re: TLS Certificate Verify Failure in paho-mqtt implementation [message #1833259 is a reply to message #1829476] Wed, 07 October 2020 23:50
Wayne Winchell
Messages: 1
Registered: October 2020
Junior Member
Just an FYI... I am having the exact same issue and yes I am using the same text. What I don't understand is why the self-generated key/certificates enable subscriptions and publications from/to the mqtt server (broker) when used from the command line but do not work in paho-mqtt python3.7.