Sign in with
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
SOLVED

"Self-signed certificate" error while using TLS certificates in MQTT connection

Go to solution

"Self-signed certificate" error while using TLS certificates in MQTT connection

Go to solution
Akseer
Established Member

‎04-30-2023 04:24 PM

Some background: I am testing Cedalo MQTT broker connection using self-signed certificates on MQTT Explorer. I have generated SSL certificates using openssl on my Ubuntu machine and added them in both Mosquitto Certificate Store & MQTT Explorer as shown below.

Certificates in ctrlX CORE "Mosquitto Certificate Store"

Akseer_0-1682863316598.png

Akseer_1-1682863344625.png


Certificates in "MQTT Explorer"

Akseer_2-1682863467038.png


Issue: The client connection request shows "self signed certificate" error when I try to connect with broker using the above approach. I have tested the connection with python as well on my computer and it shows the same error.

Akseer_3-1682864547664.png


Questions

  • Is the above approach correct to connect the clients?
  • Is there something I am missing?
  • Will the communication work when I use certificates from a trusted source?
  • Is there any example of connecting the broker in ctrlX CORE via self-signed certificates?

 

Any help would be appreciated.
Thanks

0 Likes
Reply
5 REPLIES 5

Go to solution
Marc_Smaak
Long-established Member

‎05-01-2023 08:47 AM

We are also implementing certificate authenication for our own Mosquitto broker. I still find it is very easy to make an mistake so maybe some background to start with sorry if this is all clear.

The broker certificate is useful to allow clients to athenticate the broker before they send the acces credentials (mqtt user + password) I consider this the biggest tspe to get things more secure. Without this somebody can use the ctrlX-CORE Ip address on a diffrent device and easily steals the access credentials from the client.

To allow the client to check the certificate it needs the root certificate from which the MQTT server certificate is created and signed. So if you use sefl signed you also need this 'CA' certificate and add it to MQTT explorer as CA certifiacte. The client certificate + key can be left blank (see below).
This allows MQTT explorer to validate thepublic key in the MQTT server certificate supplied by the MQTT broker.
Alternatively you can use a formal CA signed certificate. e.g. letesencrypt for the MQTT broker. In that case there is no need to supply any certificate to MQTT explorer since it has access to the root certificates itself. 
The GUI for MQTTX is a bit clearer on this point:

CA signed

Marc_Smaak_0-1682922569868.png

And with self signed you get the option to add the CA certificate

Marc_Smaak_1-1682922601352.png

 

Client certificate

The use of the client certificate is for authentication of the client by the broker. It avoids that rogue clients although they have the right access credentials can connect to your broker. For this you beed to generate a client certificate signed by the CA certificate of the MQTT broker. This again can be a selfsigned certifiacte or a CA sgned certificate. TH eprivate key for the client is only used on the client to prove this client is the legal owner of the certificate (p[ublic key) If this key gets into the wrong hands the client authentication is useless 😉

We are not using this yet. If you want to you need to generate a certificate signing request based on your private key. If your broker uses self signed this signing request needs to get processed by the ctrlX-CORE. I do not know excatly how that works with the certificate manager GUI.

0 Likes
Reply

Go to solution
Akseer
Established Member
In response to Marc_Smaak

‎05-01-2023 05:02 PM

Hi,

Thanks for the response.

Sorry, but I could not fully understand how to use the self-signed certificate. I just installed the MQTTX software and tried to connect the client by selecting the "Self signed" option. I have tried to connect the client using just the CA certificate as well as CA+client cert+client key.

I am still getting the same error. Please see the attached figure below.

Akseer_0-1682953100876.png

 

Is there any tutorial or working example to solve the issue? Also, I would be glad if you can share the steps you have followed in your solution.

Thanks a lot.

0 Likes
Reply

Go to solution
Marc_Smaak
Long-established Member
In response to Akseer

‎05-02-2023 09:57 AM

So just to be clear you downloaded the CA for the certificate manager MQTT (As said we are using our own broker so I do not know the details) 

Marc_Smaak_1-1683013901824.png


Please check what is used as common name for the server certificate, we are using the hostname. You must use the same name to connect to the broker from the client. 

Marc_Smaak_0-1683013861610.png

Leave the client certificate and private key blank

This is my full configuration which connect succesfully.  

Marc_Smaak_2-1683014061309.png

Marc_Smaak_3-1683014116686.png

If I change the CA certificate or try to connect to a diffrent core I get which is intended.

 

0 Likes
Reply

Go to solution
Taste66
Occasional Visitor
In response to Marc_Smaak

‎05-09-2023 04:40 PM - edited ‎05-09-2023 05:21 PM

Since I wanted to know more about using cleint certificates I searched further and found this helpful explanation
http://www.steves-internet-guide.com/creating-and-using-client-certificates-with-mqtt-and-mosquitto/

For Mosquitto on the ctrlX this would mean:

  • Get the MQTT CA certificate and coresponding private key ( currently we delete this key after generating the CA certificate  😉)
  • Generate on a PC with open_SSL a private key for the client
  • Generate with open _SSl een Certificate Signing request for this client private key
  • Sign this with the CA certificate and CA pravate key
  • Add the generated signed certificate and client private key to the MQTT client
  • Configure mosquitto to use client authentication i.s.o. user/pass or both

 

For the record, I see I am a new member now but still the same Marc Smaak as from the reply's above 😉

0 Likes
Reply

Go to solution
CodeShepherd
Community Moderator
Community Moderator
In response to Taste66

‎06-22-2023 11:45 AM

Is this still an issue or can this topic be closed?

0 Likes
Reply

OK
OK
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist