
"certificate verify failed" when bridging AWS IoT with local Mosquitto MQTT

I have a Mosquitto MQTT broker on a local Raspberry Pi working like a charm. I created an MQTT broker on AWS IoT that works as well.

On my Raspberry Pi I can connect, publish and subscribe on the AWS broker "manually", using the commands mosquitto_pub and mosquitto_sub. When I do this manually, I use all the certificates and stuff. The command I use is:

mosquitto_pub --cafile amazonCA1.pem --cert certificate.cert --key private.key -h XXXXXXXXXXXXXXXXXX.amazonaws.com -p 8883 -q 1 -d -t "iot/test" -m "testing message"

So, I think the problem is not with the certificates.

The problem is when I change the configuration to use "bridge mode": I get the following message in the mosquitto log:

1584371971: Connecting bridge (step 1) awsiot (XXXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883)
1584371972: Connecting bridge (step 2) awsiot (XXXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883)
1584371972: Bridge bridgeawsiot sending CONNECT
1584371972: OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
1584371972: Socket error on client local.bridgeawsiot, disconnecting.
1584371977: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic #

Here is my mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log
log_type all
#log_dest topic

log_type error
log_type warning
log_type notice
log_type information

connection_messages true
log_timestamp true

include_dir /etc/mosquitto/conf.d

password_file /etc/mosquitto/passwordfile
allow_anonymous false

And here is my /etc/mosquitto/conf.d/bridge.conf:

connection awsiot
address XXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883

# Specifying which topics are bridged
topic # both 1

# Setting protocol version explicitly
bridge_protocol_version mqttv311
bridge_insecure false

# Bridge connection name and MQTT client Id,
# enabling the connection automatically when the broker starts.
cleansession true
clientid bridgeawsiot

start_type automatic
notifications false
log_type all


# =================================================================
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
#Path to the rootCA
bridge_cafile /home/pi/certs/amazonCA1.pem

# Path to the PEM encoded client certificate
bridge_certfile /home/pi/certs/certificate.cert

# Path to the PEM encoded client private key
bridge_keyfile /home/pi/certs/private.key

So, overall the problem is: when I connect/publish/subscribe manually, everything works... but when I use the bridge conf file I get the error:

OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Any suggestions? Is there any problem using an authentication method with username/password on my local broker (Raspberry Pi) and certificate authentication on AWS?

Thanks

OK, I have no idea what I did; I just know it fixed the problem.

At first I did a clean install of Mosquitto on an Ubuntu VM I have, and everything worked correctly.

Then I uninstalled Mosquitto from my Raspberry Pi and installed it again. I configured it just the way I configured the Ubuntu VM and still no luck. I started to think the problem was my Raspbian image... but after fiddling a little bit with the configuration, moving the certificate files from one directory to another, changing their permissions, changing the bridge.conf file directory and stuff... it started working and now it's OK.

So if you're having this problem in the future: maybe it's just the permissions of the files or directories.

EDIT (one day later): as I tried to replicate the same thing on another broker, I did everything the same, but as soon as my local broker established the connection with the AWS IoT bridge, the connection was lost (message below; no certificate error this time):

1584456917: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic #
1584456917: Connecting bridge (step 1) awsiot (XXXXXXXXXXXXXXX.amazonaws.com:8883)
1584456918: Connecting bridge (step 2) awsiot (XXXXXXXXXXXXXXX.amazonaws.com:8883)
1584456918: Bridge bridgeawsiot sending CONNECT
1584456918: Received CONNACK on connection local.bridgeawsiot.
1584456918: Bridge local.bridgeawsiot sending SUBSCRIBE (Mid: 2, Topic: #, QoS: 0, Options: 0x00)
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))

1584456918: Received SUBACK from local.bridgeawsiot
1584456919: Socket error on client local.bridgeawsiot, disconnecting.

I was using the bridge with all the topics:

topic # both 1

I THINK as soon as I connected with the bridge, many devices published a lot of messages and the connection was dropped. So after I changed the bridged topic everything was correct:

topic iot/test both 1

[Another EDIT: 3 days later] I found out why it was disconnecting when I used "topic # both 1": because one of my devices was sending a message with the RETAIN flag set to TRUE.

The documentation of AWS IoT says that it doesn't support RETAIN TRUE, and if any message is sent that way the AWS IoT broker disconnects.
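In the bridge log above, the `r1` field on each "Sending PUBLISH" line is Mosquitto's retain flag, so the log itself tells you which topics carried a retained message before the socket error. The following is an added Python example, not code from the post, that scans such a log for retained publishes forwarded to the bridge client; the log lines and topic names in it are constructed.

```python
"""Find retained PUBLISHes forwarded over a Mosquitto bridge (the r1 flag in the log)."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the bridge log in the post (topic names are made up).
SAMPLE_LOG = """\
1584456918: Received CONNACK on connection local.bridgeawsiot.
1584456918: Bridge local.bridgeawsiot sending SUBSCRIBE (Mid: 2, Topic: #, QoS: 0, Options: 0x00)
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'home/sensor1/state', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'home/sensor1/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q1, r0, m3, 'iot/test', ... (15 bytes))
1584456918: Received SUBACK from local.bridgeawsiot
1584456919: Socket error on client local.bridgeawsiot, disconnecting.
"""

# Mosquitto's "Sending PUBLISH" line: d=DUP, q=QoS, r=RETAIN, m=message id.
PUBLISH_RE = re.compile(
    r"^(?P<ts>\d+): Sending PUBLISH to (?P<client>\S+) "
    r"\(d(?P<dup>[01]), q(?P<qos>[012]), r(?P<retain>[01]), m(?P<mid>\d+), "
    r"'(?P<topic>[^']*)', \.\.\. \((?P<size>\d+) bytes\)\)$"
)
DISCONNECT_RE = re.compile(r"^(?P<ts>\d+): Socket error on client (?P<client>\S+), disconnecting\.$")


def parse_publish(line: str) -> Optional[Dict[str, object]]:
    """Return the PUBLISH fields of a log line, or None if it is not a PUBLISH line."""
    m = PUBLISH_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {"ts": int(g["ts"]), "client": g["client"], "dup": g["dup"] == "1",
            "qos": int(g["qos"]), "retain": g["retain"] == "1",
            "mid": int(g["mid"]), "topic": g["topic"], "size": int(g["size"])}


def retained_before_disconnect(log: str, client: str) -> List[str]:
    """Topics of retained (r1) PUBLISHes sent to `client` before its socket error.

    Returned in log order without duplicates; an empty list means no retained
    message was forwarded, so the drop has some other cause.
    """
    topics: List[str] = []
    for line in log.splitlines():
        dc = DISCONNECT_RE.match(line.strip())
        if dc and dc.group("client") == client:
            break
        pub = parse_publish(line)
        if pub and pub["client"] == client and pub["retain"] and pub["topic"] not in topics:
            topics.append(pub["topic"])
    return topics


if __name__ == "__main__":
    for t in retained_before_disconnect(SAMPLE_LOG, "local.bridgeawsiot"):
        print("retained message forwarded on topic:", t)
```

Run it against /var/log/mosquitto/mosquitto.log with `log_type all` enabled on the bridge to see which local device publishes retained messages; those are the topics to keep out of the bridged set (or to fix at the device).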

The rootCA.pem was invalid. Following how-to-bridge-mosquitto-mqtt-broker-to-aws-iot, they reference AmazonRootCA1.pem for the rootCA.pem file. However, that gives an error when using openssl for verification:

openssl s_client -connect <endpoint>.iot.us-east-1.amazonaws.com:8443 -CAfile rootCA.pem  -cert cert.crt -key private.key
...
verify error:num=20:unable to get local issuer certificate

There are some clues about that openssl error at OpenSSL Verify return code: 20 (unable to get local issuer certificate), where there is emphasis on the CAfile path.

In another tutorial for configuring the bridge, Arduino-AWS-IOT-Bridge, there is a different reference for the rootCA.pem file: Public-Primary-Certification-Authority-G5.pem. At last, trying the openssl s_client command using that new rootCA.pem returns:

verify return:1
