0

I am trying to use ssl with mosquitto. I am generating certificate with python script:

# This script will generate a CA's private key and self-signed certificate,
# a server's private key and CSR, and finally, a server's certificate signed by the CA.
# You can then use these certificates for secure communication in your applications.

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
from datetime import datetime, timedelta

print("Generate the CA's private key and self-signed certificate (ca_cert.pem,ca_key.pem)")
print("\tGenerate CA's private key")
ca_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

print("\tGenerate CA's self-signed certificate")
ca_subject = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Wallonia"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Herstal"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My CA"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"localhost"), #u"myca.example.com"),
])
ca_certificate = x509.CertificateBuilder().subject_name(
    ca_subject
).issuer_name(
    ca_subject
).public_key(
    ca_key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.utcnow()
).not_valid_after(
    datetime.utcnow() + timedelta(days=365)
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None), critical=True,
).sign(ca_key, hashes.SHA256())

print("\tSave CA's private key and certificate to files")
with open("ca_key.pem", "wb") as f:
    f.write(ca_key.private_bytes(
        encoding=Encoding.PEM,
        format=PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=NoEncryption()
    ))

with open("ca_cert.pem", "wb") as f:
    f.write(ca_certificate.public_bytes(Encoding.PEM))
    
    
    


print("Generate the server's private key and certificate signing request (CSR) (server_csr.pem,server_key.pem)")



print("\tGenerate server's private key")
server_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

print("\tGenerate server's CSR")
server_subject = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Wallonia"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Herstal"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Server"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"mmqttmaster"),#u"myserver.example.com"),
])
csr = x509.CertificateSigningRequestBuilder().subject_name(
    server_subject
).sign(server_key, hashes.SHA256())

print("\tSave server's private key and CSR to files")
with open("server_key.pem", "wb") as f:
    f.write(server_key.private_bytes(
        encoding=Encoding.PEM,
        format=PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=NoEncryption()
    ))

with open("server_csr.pem", "wb") as f:
    f.write(csr.public_bytes(Encoding.PEM))



print("Sign the server's CSR with the CA's private key to generate the server's certificate (server_cert.pem)")
print("\tSign server's CSR with CA's private key")
server_certificate = x509.CertificateBuilder().subject_name(
    csr.subject
).issuer_name(
    ca_certificate.subject
).public_key(
    csr.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.utcnow()
).not_valid_after(
    datetime.utcnow() + timedelta(days=365)
).add_extension(
    x509.BasicConstraints(ca=False, path_length=None), critical=True,
).sign(ca_key, hashes.SHA256())

print("\tSave server's certificate to file")
with open("server_cert.pem", "wb") as f:
    f.write(server_certificate.public_bytes(Encoding.PEM))

then I am trying to use them in a virtual machine (debian12 on hyperv)

sudo nano /etc/mosquitto/mosquitto.conf
cafile /etc/mosquitto/ca_certificates/ca_cert.pem
certfile /etc/mosquitto/ca_certificates/server_cert.pem
keyfile /etc/mosquitto/ca_certificates/server_key.pem

sudo systemctl restart mosquitto

then when I do

cd /etc/mosquitto/ca_certificates/
mosquitto_pub -h localhost -p 8883 -t test_topic -m "I am healthy" --cafile ca_cert.pem -d

I have the following error:

Client (null) sending CONNECT
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.

COMMON_NAME are probably wrong but I am not sure what I should use

Improve this question
1
  • First remove the cafile from the mosquitto.conf as this is only used to verify client certs. Next use openssl verify -CAfile ca_cert.pem -verify_hostname localhost server_cert.pem to test the cert Commented Feb 25 at 17:24

1 Answer 1

Reset to default
1

The broker (server) cert MUST have a CN (COMMON_NAME) 1 that matches the hostname used to access the broker.

So given you are using -h localhost in the mosquitto_pub command, the CN in the server_cert.pem needs to be localhost not mmqttmaster

1 should really be SAN these days, especially if you need to support multiple host names, e.g. localhost and a public host name

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.