I am trying to connect to a mosquitto broker using a self-signed CA certificate. I have verified that the client certificate does work in both the mosquitto client and MQTT Explorer.
As far as I understand, the only thing I need to do is to enter the name of the client certificate in the conf9.json file. My configuration looks like this:
When the device tries to connect to the broker, the following is printed to the log:
mgos_mqtt_conn.c:435 MQTT0 connecting to [obfuscated]:8883
mongoose.c:4906 0x3ffd294c ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
mongoose.c:4906 0x3ffd294c x509_verify_cert returned -9984
mongoose.c:4906 0x3ffd294c The certificate is not correctly signed by the trusted CA
mongoose.c:5082 0x3ffd294c mbedTLS error: -0x2700
mgos_mqtt_conn.c:188 MQTT0 TCP connect error (-3)
mgos_mqtt_conn.c:214 MQTT0 Disconnect
Even though the client certificate works in MQTT Explorer and the mosquitto client, Mongoose OS does not seem to think it is correctly signed. Why does this happen? Am I doing something wrong?
I’m sorry, but what exactly do you mean by this? How do I sign it in a way that the microcontroller can handle keeping in mind the one I have right now works perfectly well for other MQTT clients? I have read through the article that you linked but as far as I can see, there is no clue as to why it is not working for me. Would any additional information help?
This is what I see when trying to connect with the mosquitto client using the same certificate:
Edit: for clarification, the messages seen in the logs above are from a different device that connects without TLS on port 1883. It is just to show that the connection works.
Use the cert and keys linked there.
Do those work? Do yours not? Check the differences, see what accelerators your processor might have and what signatures are supported by the underlying framework. Or, generate your certs as close to those that work as possible.
mgos_mqtt_conn.c:435 MQTT0 connecting to [obfuscated]:8883
mongoose.c:4906 0x3ffcf644 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
mongoose.c:4906 0x3ffcf644 x509_verify_cert returned -9984
mongoose.c:4906 0x3ffcf644 The certificate Common Name (CN) does not match with the expected CN
The certificate is not correctly signed by the trusted CA
The certificate is signed with an unacceptable hash.
So obviously, the CN does not match the server address, so it won't work, but I also get similar messages about the certificate not being correctly signed by the trusted CA.
This time it also says it was signed with an unacceptable hash.
First of all, I do not understand what you mean, @scaprile. How am I supposed to use the cert from the link when it has a different CN and SAN?
Second, since I have been ripping my hair out trying to get this to work for a while now, is there a way to disable certificate verification and make it connect anyway? I can connect to my broker with a self-signed certificate this way with MQTT Explorer. It would be nice if I could do the same with Mongoose OS.
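Added example, written for this thread and not code from the original posts, Mongoose OS or mbedTLS. The `-9984` in the log is the decimal form of mbedTLS's `-0x2700` (`MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`); the lines after it are mbedTLS spelling out which verification flags were set, and each of the three seen in the thread has a matching openssl check. The script below builds a self-signed CA and a broker certificate in the shape an mbedTLS client accepts with its default certificate profile (SHA-256 signature, RSA-2048 key, subjectAltName equal to the name the device connects to), plus an unrelated CA, and then exposes one check per log message: `chain_ok` for "not correctly signed by the trusted CA", `name_ok` for "Common Name (CN) does not match", and `sig_alg` for "signed with an unacceptable hash". The broker name `broker.example.test`, the file names and the temporary work directory are assumptions; the openssl commands are real. Pointing `chain_ok` at the unrelated CA, or `name_ok` at a different hostname, reproduces the failing conditions deliberately.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mongoose OS.
# Builds a CA + broker certificate the way mbedTLS accepts them by default and
# runs the openssl check that corresponds to each mbedTLS verify message.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Assumption: the hostname/IP the device uses in mqtt.server. Replace it.
BROKER_NAME="${BROKER_NAME:-broker.example.test}"

# Self-signed CA. The subject CN is free text; the signature hash is what matters.
make_ca() {   # make_ca <basename> <CN>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Broker cert: CSR with CN=<hostname>, signed by the CA with SHA-256 and a
# subjectAltName carrying the same hostname (what clients actually match on).
make_server() {   # make_server <ca basename> <hostname> <out basename>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

gen_certs() {
  if [ -f "$WORK/server.crt" ]; then return 0; fi   # idempotent
  make_ca ca "Example Test CA"
  make_ca other-ca "Unrelated CA"          # stands in for "wrong CA on the device"
  make_server ca "$BROKER_NAME" server
}

# "The certificate is not correctly signed by the trusted CA":
# does the broker cert chain to the CA file the device was given?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# "The certificate Common Name (CN) does not match with the expected CN":
# does the cert's SAN (or CN) cover the name the device connects to?
name_ok() { openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; }

# "The certificate is signed with an unacceptable hash":
# which digest signed the cert? mbedTLS's default profile rejects md5/sha1
# signatures and RSA keys shorter than 2048 bits; OpenSSL-based clients may
# still accept them, which is how a cert can work everywhere but on the device.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

verdict() { if "$@"; then echo OK; else echo FAIL; fi; }

report() {
  gen_certs
  echo "work dir: $WORK (copy ca.crt to the device filesystem as the CA file)"
  echo "chain to ca.crt:                  $(verdict chain_ok "$WORK/ca.crt" "$WORK/server.crt")"
  echo "chain to other-ca.crt (expect FAIL): $(verdict chain_ok "$WORK/other-ca.crt" "$WORK/server.crt")"
  echo "name $BROKER_NAME:                $(verdict name_ok "$WORK/ca.crt" "$BROKER_NAME" "$WORK/server.crt")"
  echo "name wrong.example.test (expect FAIL): $(verdict name_ok "$WORK/ca.crt" wrong.example.test "$WORK/server.crt")"
  echo "broker cert signature: $(sig_alg "$WORK/server.crt")"
  echo "CA cert signature:     $(sig_alg "$WORK/ca.crt")"
}

report
```

Run the same three checks against your own files: `chain_ok your-ca.crt your-broker.crt`, `name_ok your-ca.crt <mqtt.server hostname> your-broker.crt`, and `sig_alg` on both the broker and the CA certificate. If `sig_alg` prints `sha1WithRSAEncryption` or `md5WithRSAEncryption`, re-issue with `-sha256` (and a 2048-bit or larger RSA key, or an EC key); if `name_ok` fails, the SAN must contain exactly the hostname or IP the device dials. For a live check against the broker, `openssl s_client -connect <broker>:8883 -servername <broker> -CAfile ca.crt </dev/null` should end with `Verify return code: 0 (ok)`.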