TLS Certificate Verify Failure in paho-mqtt implementation (Using paho-mqtt python lib, fails certificate verification based on IP mismatch) [message #1829350]
Wed, 01 July 2020 18:13
Gary Marks
Hello, I'm trying to implement a first subscription example from the book, "Hands-On MQTT Programming with Python", but I'm getting a certificate failure error as follows:
Traceback (most recent call last):
  File "subscribe_with_paho.py", line 40, in <module>
    keepalive = mqtt_keepalive)
  File "/home/pi/MQTT/snPyEnv/lib/python3.7/site-packages/paho/mqtt/client.py", line 768, in connect
    return self.reconnect()
  File "/home/pi/MQTT/snPyEnv/lib/python3.7/site-packages/paho/mqtt/client.py", line 927, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.0.1.101'. (_ssl.c:1056)
I have one mosquitto server implemented on a raspberry pi 3b+, an mqtt client implemented on a raspberry pi 3b, and another client implemented on an Ubuntu 20_04 workstation on VMware Workstation. I have set up python venv (virtual environments) on the two clients as recommended by the book.
By the procedure specified in the book, I have generated certificates as follows:
• Certificate authority: ca.crt
• On the server:
    o Server certificate: server.crt
    o Server key: server.key
• On the clients:
    o Client certificates: wsClient.crt and snClient.crt (workstation and client pi board respectively)
    o Client keys: wsClient.key and snClient.key
I have successfully tested the certificates and the general setup with the mosquitto client apps, mosquitto_sub and mosquitto_pub. Example:
mosquitto_sub -h 10.0.1.101 -V mqttv311 -p 8883 --cafile /home/pi/MQTT/snPyEnv/mqtt_certs/ca.crt --cert /home/pi/MQTT/snPyEnv/mqtt_certs/snClient.crt --key /home/pi/MQTT/snPyEnv/mqtt_certs/snClient.key -t sensors/s4_01/answer -d
I have successfully tested with both mosquitto_sub and mosquitto_pub on both clients with the exact same certificates and the respective paths used in the python code. As in the book, I have two python files: config.py and subscribe_with_paho.py.
Code in config.py:
# TLS files
ca_certificate = "/home/pi/MQTT/snPyEnv/mqtt_certs/ca.crt"
client_certificate = "/home/pi/MQTT/snPyEnv/mqtt_certs/snClient.crt"
client_key = "/home/pi/MQTT/snPyEnv/mqtt_certs/snClient.key"
# MQTT configuration
mqtt_server_host = "10.0.1.101" # Replace this value based on specific host name
mqtt_server_port = 8883 # For TLS (without TLS use 1883)
mqtt_keepalive = 60
Code in subscribe_with_paho.py:
from config import *
import paho.mqtt.client as mqtt


# Callback function when CONNACK is received
def on_connect(client, userdata, flags, rc):
    print("Result from connect: {}".format(
        mqtt.connack_string(rc)))
    # Subscribe to the vehicles/vehiclepi01/test topic filter
    client.subscribe("vehicles/vehiclepi01/test", qos=0)


# Callback function when SUBACK is received
def on_subscribe(client, userdata, mid, granted_qos):
    print("I've subscribed with QoS: {}".format(
        granted_qos[0]))


# Callback function when PUBLISH is received
def on_message(client, userdata, msg):
    print("Message received. Topic: {}. Payload: {}".format(
        msg.topic,
        str(msg.payload)))


if __name__ == "__main__":
    client = mqtt.Client(protocol=mqtt.MQTTv311)
    client.on_connect = on_connect
    client.on_subscribe = on_subscribe
    client.on_message = on_message
    # Verify the broker against the CA and present the client certificate
    client.tls_set(ca_certs=ca_certificate,
                   certfile=client_certificate,
                   keyfile=client_key)
    client.connect(host=mqtt_server_host,
                   port=mqtt_server_port,
                   keepalive=mqtt_keepalive)
    client.loop_forever()
The question remains, why do the mosquitto client apps work and the paho python code does not work using the exact same certificate files? By the way, the python code works for a non-TLS setup (port 1883 and no certificates).
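The "IP address mismatch" in the traceback comes from the hostname check that Python's ssl module (3.7 and later) delegates to OpenSSL, which compares an IP address only with iPAddress entries in the certificate's subjectAltName and never with the Common Name. The sketch below is an added example, not part of the original post: it applies that rule to certificate dictionaries in the shape returned by SSLSocket.getpeercert(). The function names and both sample certificates are constructed, and that server.crt carries the address only in its CN is an assumption, since the post does not show the certificate.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_CN_ONLY = {"subject": ((("commonName", "10.0.1.101"),),)}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "10.0.1.101"),),),
    "subjectAltName": (("IP Address", "10.0.1.101"),),
}

def san_values(cert, kind):
    """subjectAltName values of one kind: 'DNS' or 'IP Address'."""
    return [value for k, value in cert.get("subjectAltName", ()) if k == kind]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_host(cert, host):
    """Return (ok, reason) for connecting to `host` with this server certificate.

    IP literals are compared only with iPAddress SAN entries, never with the CN.
    DNS names are compared exactly; wildcards and CN fallback are not modelled.
    """
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        names = [n.lower() for n in san_values(cert, "DNS")]
        if host.lower() in names:
            return True, "matched dNSName SAN"
        return False, "no dNSName SAN for this name"
    if any(ipaddress.ip_address(ip) == target for ip in san_values(cert, "IP Address")):
        return True, "matched iPAddress SAN"
    if host in common_names(cert):
        return False, "address is only in the CN; reissue with an iPAddress SAN"
    return False, "no iPAddress SAN for this address"

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("IP SAN", CERT_WITH_IP_SAN)):
        print(label, check_host(cert, "10.0.1.101"))
```

A certificate that fails this check needs to be reissued with the broker's address in subjectAltName, or the client needs to connect by a DNS name the certificate does list.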