MQTT TLS Won't connect


I am trying to connect to a mosquitto broker using a self-signed CA certificate. I have verified that the client certificate does work in both the mosquitto client and MQTT Explorer.

As far as I understand, the only thing I need to do is to enter the name of the client certificate in the conf9.json file. My configuration looks like this:

"mqtt": {
    "enable": true,
    "server": "[obfuscated]",
    "ssl_ca_cert": "mqtt_ca_cert.pem",

The broker has the following configurations:

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
tls_version tlsv1.2

When the device tries to connect to the broker, the following is printed to the log:

mgos_mqtt_conn.c:435    MQTT0 connecting to [obfuscated]:8883
mongoose.c:4906         0x3ffd294c ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
mongoose.c:4906         0x3ffd294c x509_verify_cert returned -9984
mongoose.c:4906         0x3ffd294c   The certificate is not correctly signed by the trusted CA

mongoose.c:5082         0x3ffd294c mbedTLS error: -0x2700
mgos_mqtt_conn.c:188    MQTT0 TCP connect error (-3)
mgos_mqtt_conn.c:214    MQTT0 Disconnect

Even though the client certificate works in MQTT Explorer and the mosquitto client, Mongoose OS does not seem to think it is correctly signed. Why does this happen? Am I doing something wrong?

Yes, it will; use the right certificate, with a signature a microcontroller can handle.

I’m sorry, but what exactly do you mean by this? How do I sign it in a way that the microcontroller can handle keeping in mind the one I have right now works perfectly well for other MQTT clients? I have read through the article that you linked but as far as I can see, there is no clue as to why it is not working for me. Would any additional information help?

This is what I see when trying to connect with the mosquitto client using the same certificate:

$ mosquitto_sub -h [obfuscated] -p 8883 -t "#" --cafile ca.crt -v
esp32_ABDE08/device/status connected

Edit: for clarification, the messages seen in the logs above are from a different device that connects without TLS on port 1883. It is just to show that the connection works.

Use the cert and keys linked there.
Do those work? Don't yours? Check the differences, see what accelerators your processor might have and what signatures are supported by the underlying framework. Or generate your certs as close to those that work as possible.

I get the following in the device logs:

mgos_mqtt_conn.c:435    MQTT0 connecting to [obfuscated]:8883
mongoose.c:4906         0x3ffcf644 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
mongoose.c:4906         0x3ffcf644 x509_verify_cert returned -9984
mongoose.c:4906         0x3ffcf644   The certificate Common Name (CN) does not match with the expected CN
  The certificate is not correctly signed by the trusted CA
  The certificate is signed with an unacceptable hash.

So obviously, the CN does not match the server address, so it won't work, but I also get similar messages about the certificate not being correctly signed by the trusted CA.
This time it also says it was signed with an unacceptable hash.
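An added offline check, not code from this thread or from Mongoose OS, that runs with openssl the same three tests whose failures the mbedTLS log above lists (trust chain, CN/SAN match, signature hash) against the broker certificate and the CA file you intend to flash. The -9984 in the log is -0x2700, mbedTLS's generic "certificate verify failed" code; the indented lines under it are the actual reasons, and these are what the script reproduces. File names and the broker hostname are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): check a broker certificate against the
# CA file you intend to flash, using openssl, for the three reasons mbedTLS listed.
# Placeholders: ca.crt, server.crt, broker.example.com.

# mbedTLS's default certificate profile rejects MD5- and SHA-1-signed certificates
# ("signed with an unacceptable hash"). Returns 0 if the algorithm is acceptable.
hash_acceptable() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *md5*|*sha1*) return 1 ;;
        *sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;   # anything else: treat as unacceptable, inspect by hand
    esac
}

# Signature algorithm name of a PEM certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# "not correctly signed by the trusted CA": does this CA file actually sign the cert?
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# "Common Name (CN) does not match": is the hostname the device dials in the SAN/CN?
host_ok() {
    openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# Run all three checks; prints one line each and returns 0 only if all pass.
check_broker_cert() {
    ca=$1; crt=$2; host=$3; rc=0
    alg=$(sig_alg "$crt")
    if hash_acceptable "$alg"; then echo "hash  ok   ($alg)"
    else echo "hash  FAIL ($alg)"; rc=1; fi
    if chain_ok "$ca" "$crt"; then echo "chain ok"
    else echo "chain FAIL (cert is not signed by $ca)"; rc=1; fi
    if host_ok "$host" "$crt"; then echo "host  ok"
    else echo "host  FAIL ($host not in CN/SAN)"; rc=1; fi
    return $rc
}

# Example invocation with placeholder names:
#   check_broker_cert ca.crt server.crt broker.example.com
```

Run it against the exact CA file the device will get as ssl_ca_cert, not the one mosquitto_sub uses; a chain FAIL there means the flashed file is not the CA that signed the server certificate.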

I am now reviving this thread a little…

First of all, I do not understand what you mean, @scaprile. How am I supposed to use the cert from the link when it has a different CN and SAN?

Second, since I have been ripping my hair out trying to get this to work for a while now, is there a way to disable certificate verification and make it connect anyway? I can connect to my broker with a self-signed certificate this way with MQTT Explorer. It would be nice if I could do the same with Mongoose OS.

Did you try to run the example as is and understand what is going on? There is a full set of certs there, including the CA’s.

Yes, just don’t use TLS… or use TLS-PSK