MQTT SSL mutual authentication CA issues

Gustav
Posts: 7
Joined: Tue Aug 18, 2020 7:57 am

MQTT SSL mutual authentication CA issues

Postby Gustav » Sat Feb 20, 2021 9:31 am

Hello Everyone!

I'm trying to connect my ESP32 to a mosquitto broker, running on a Raspberry in my local network, using mutual authentication. I tested the mosquitto broker and I was able to connect using client.crt, client.key and ca.crt from many clients, so I'm pretty sure the issue is in my esp32 configuration, but here's the relevant part of my mosquitto.conf:

allow_anonymous false
password_file /etc/mosquitto/pwfile
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/raspberrypi.key
certfile /etc/mosquitto/certs/raspberrypi.crt
require_certificate true
tls_version tlsv1.2

On the ESP32 side, I started from the mutual authentication example and modified it to embed the ca.crt file, and this is how I edited my mqtt client configuration:

const esp_mqtt_client_config_t mqtt_cfg = {
    .host = "192.168.1.11", // Raspberry running mosquitto IP
    .port = 8883,
    .transport = MQTT_TRANSPORT_OVER_SSL,
    .event_handle = mqtt_event_handler,
    //.use_global_ca_store = true,
    .cert_pem = (const char *)server_cert_pem_start, // this is the ca.crt file
    .client_cert_pem = (const char *)client_cert_pem_start,
    .client_key_pem = (const char *)client_key_pem_start,
    .username = "theUsername",
    .password = "thePassword"
};

When I try to run the application, in a terminal I can see that the ESP32 successfully connected to wifi, and then this is what I get:

[...]
I (3648) MQTTS_EXAMPLE: Other event id:7
E (3718) esp-tls-mbedtls: mbedtls_x509_crt_parse returned -0x2180
E (3718) esp-tls-mbedtls: Failed to set client pki context
E (3718) esp-tls-mbedtls: Failed to set client configurations
E (3728) esp-tls: create_ssl_handle failed
E (3728) esp-tls: Failed to open new connection
E (3738) TRANS_SSL: Failed to open a new connection
E (3748) MQTT_CLIENT: Error transport connect
I (3748) MQTTS_EXAMPLE: MQTT_EVENT_ERROR
I (3758) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED
[...]

and it goes on like this forever.

I tried to google the first warning and the following errors and I understood that it has something to do with my certificates, so I tried to include them as a string, formatted like

const uint8_t client_key_pem_start[] = \
"-----BEGIN TRUSTED CERTIFICATE-----\n" \
"every line like this\n" \
[...]
"-----END TRUSTED CERTIFICATE-----\n";

and many variations around this, but still no luck.

If I disable ssl on mosquitto, comment out the certificates in the mqtt configuration and keep only user-password authentication, I'm able to connect and post without issues.

I have to admit that I started fiddling with mqtt and ssl one or two days ago. I understand the basic concepts of SSL and CA, but I can't say that I fully understand what I'm doing.

What am I missing?

I'm using esp-idf 4.1.1.
Let me know if you need more information! Thanks in advance for your help!

Gustav
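
The error in the log above, mbedtls_x509_crt_parse returning -0x2180 (MBEDTLS_ERR_X509_INVALID_FORMAT), is what mbedTLS reports when it does not recognise a buffer as PEM and the DER fallback fails too. mbedTLS only takes the PEM path when the buffer is NUL-terminated (with the terminator counted in the length) and contains the exact marker "-----BEGIN CERTIFICATE-----"; an OpenSSL "TRUSTED CERTIFICATE" blob, a key handed to a certificate field, or a file embedded without its trailing '\0' all end up on the DER path and fail with that code. The following is an added example, not code from the post or from ESP-IDF/mbedTLS: a small pre-flight check for the three embedded blobs an ESP-IDF mutual-TLS client uses, so a malformed one is reported by name at boot instead of as a bare hex code. It assumes the blobs are linked in with EMBED_TXTFILES (start/end symbols whose difference includes the '\0', as in the example the post starts from); the sample PEM bodies below are constructed and are not real certificates or keys.

```c
/* Added example: sanity-check embedded PEM blobs before they reach
 * esp_mqtt_client_config_t.cert_pem / client_cert_pem / client_key_pem.
 * Mirrors the conditions mbedTLS uses to decide a buffer is PEM. */
#include <stdio.h>
#include <string.h>

enum pem_check {
    PEM_OK = 0,
    PEM_NOT_NUL_TERMINATED, /* EMBED_FILES instead of EMBED_TXTFILES, or '\0' not counted */
    PEM_WRONG_LABEL,        /* e.g. "TRUSTED CERTIFICATE", or a key where a cert is expected */
    PEM_MISSING_END,        /* truncated blob */
    PEM_BAD_BODY_CHAR       /* non-base64 byte inside the body (stray CR, BOM, HTML, ...) */
};

const char *pem_check_str(enum pem_check r)
{
    switch (r) {
    case PEM_OK:                 return "ok";
    case PEM_NOT_NUL_TERMINATED: return "buffer is not NUL-terminated (embed with EMBED_TXTFILES)";
    case PEM_WRONG_LABEL:        return "'-----BEGIN <label>-----' marker not found";
    case PEM_MISSING_END:        return "'-----END <label>-----' marker not found";
    case PEM_BAD_BODY_CHAR:      return "non-base64 byte inside the PEM body";
    }
    return "unknown";
}

/* buf/len: the blob exactly as linked in (len = end symbol - start symbol).
 * label: "CERTIFICATE" for cert_pem/client_cert_pem; "PRIVATE KEY",
 * "RSA PRIVATE KEY" or "EC PRIVATE KEY" for client_key_pem. */
enum pem_check pem_check_buffer(const unsigned char *buf, size_t len, const char *label)
{
    char begin[64], end[64];
    const char *body, *stop;

    if (len == 0 || buf[len - 1] != '\0')
        return PEM_NOT_NUL_TERMINATED;

    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(end, sizeof end, "-----END %s-----", label);

    body = strstr((const char *)buf, begin);
    if (body == NULL)
        return PEM_WRONG_LABEL;
    body += strlen(begin);

    stop = strstr(body, end);
    if (stop == NULL)
        return PEM_MISSING_END;

    /* Only base64 characters and line breaks may appear between the markers. */
    for (; body < stop; body++) {
        unsigned char c = (unsigned char)*body;
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
            c == '+' || c == '/' || c == '=' || c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;
        return PEM_BAD_BODY_CHAR;
    }
    return PEM_OK;
}

/* Check the CA cert, client cert and client key together. Returns 1 if all pass. */
int mutual_tls_blobs_ok(const unsigned char *ca, size_t ca_len,
                        const unsigned char *cert, size_t cert_len,
                        const unsigned char *key, size_t key_len, const char *key_label)
{
    enum pem_check r;
    if ((r = pem_check_buffer(ca, ca_len, "CERTIFICATE")) != PEM_OK) {
        printf("cert_pem (CA): %s\n", pem_check_str(r)); return 0;
    }
    if ((r = pem_check_buffer(cert, cert_len, "CERTIFICATE")) != PEM_OK) {
        printf("client_cert_pem: %s\n", pem_check_str(r)); return 0;
    }
    if ((r = pem_check_buffer(key, key_len, key_label)) != PEM_OK) {
        printf("client_key_pem: %s\n", pem_check_str(r)); return 0;
    }
    return 1;
}

/* Constructed sample blobs (not real certificates or keys). sizeof counts the
 * '\0', just like the EMBED_TXTFILES end - start length does. */
static const char sample_ca[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCAbodyNotARealCert+/==\n"
    "-----END CERTIFICATE-----\n";
static const char sample_trusted[] =
    "-----BEGIN TRUSTED CERTIFICATE-----\n"
    "MIIBsampleBodyNotARealCert==\n"
    "-----END TRUSTED CERTIFICATE-----\n";
static const char sample_key[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEsampleKeyBodyNotARealKey==\n"
    "-----END PRIVATE KEY-----\n";

int main(void)
{
    const unsigned char *ca = (const unsigned char *)sample_ca;
    const unsigned char *tr = (const unsigned char *)sample_trusted;
    const unsigned char *ky = (const unsigned char *)sample_key;
    printf("good set:        %d\n", mutual_tls_blobs_ok(ca, sizeof sample_ca, ca, sizeof sample_ca, ky, sizeof sample_key, "PRIVATE KEY"));
    printf("TRUSTED as CA:   %d\n", mutual_tls_blobs_ok(tr, sizeof sample_trusted, ca, sizeof sample_ca, ky, sizeof sample_key, "PRIVATE KEY"));
    printf("missing '\\0':    %d\n", mutual_tls_blobs_ok(ca, sizeof sample_ca - 1, ca, sizeof sample_ca, ky, sizeof sample_key, "PRIVATE KEY"));
    return 0;
}
```

On the device, call mutual_tls_blobs_ok() with the server_cert_pem_start/_end, client_cert_pem_start/_end and client_key_pem_start/_end symbols before esp_mqtt_client_init(); a "TRUSTED CERTIFICATE" header (the openssl x509 -trustout format) is rejected here for the same reason mbedTLS rejects it, so re-export such a file as a plain "CERTIFICATE" PEM.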

Gustav
Posts: 7
Joined: Tue Aug 18, 2020 7:57 am

Re: MQTT SSL mutual authentication CA issues

Postby Gustav » Sat Feb 20, 2021 5:13 pm

Never mind, I messed up my scripts to generate and authenticate the certificates.

I switched to this https://github.com/owntracks/tools/blob ... rate-CA.sh and it worked right away.

Sorry for wasting space in the forum.

Gustav
