[英]mosquitto_pub rejecting iot.eclipse.org mqtt server certificate saying “Unknown CA”
我正在尝试在Ubuntu Linux计算机上运行mosquitto_pub,如下所示:
vbhadra@vbhadra-VirtualBox:~$ mosquitto_pub -h iot.eclipse.org -p 8883 --capath /etc/ssl/certs/ -t house/s1 -m "test message" -d
Client mosqpub/9204-vbhadra-Vi sending CONNECT
Client mosqpub/9204-vbhadra-Vi received CONNACK
Client mosqpub/9204-vbhadra-Vi sending PUBLISH (d0, q0, r0, m1, 'house/s1', ... (12 bytes))
Client mosqpub/9204-vbhadra-Vi sending DISCONNECT
可以看到mosquitto_pub工作文件。 现在,我想尝试手动下载iot.eclipse.org证书,然后将其与mosquitto_pub一起使用,而不是使用Ubuntus / etc / ssl / certs /证书。
所以我做了以下事情:
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect iot.eclipse.org:8883) -scq > file.crt
将file.crt保存在/ home / vbhadra / remote_certificate /中。
现在,我再次尝试以下方法:
mosquitto_pub -h iot.eclipse.org -p 8883 --capath /home/vbhadra/remote_certificate/ -t house/s1 -m "test message" -d
但是以上情况惨遭失败。 通过捕获tcpdump,我可以在Wireshark中看到我的Ubuntu客户端正在将“致命:未知CA”发送回iot.eclipse.org。
从到目前为止的了解,我可以认为该证书未由任何CA签名,因此mosquitto客户正在拒绝该证书。 我一直在尝试找出如何使证书签名(自签名??),但到目前为止没有任何线索。
我尝试使用openssl验证来验证保存了file.crt的证书文件,如下所示:
openssl verify -CApath /home/vbhadra/remote_certs/ /home/vbhadra/remote_certs/file2.crt
/home/vbhadra/remote_certs/file2.crt: CN = iot.eclipse.org
error 20 at 0 depth lookup:unable to get local issuer certificate
在这一点上,我有点迷茫。 人们似乎建议将.pem证书文件与openssl verify一起使用,但不确定如何执行此操作,基本上我迷路了。 请帮助任何指针,以使之更进一步。
运行echo | openssl s_client -showcerts -connect iot.eclipse.org:8883 echo | openssl s_client -showcerts -connect iot.eclipse.org:8883命令并查看输出,它包含多个证书,我相信这可能与您使用ex echo | openssl s_client -showcerts -connect iot.eclipse.org:8883的方式有关。
您将需要这两个证书来提供完整的证书链,以验证iot.eclipse.org的最终用户证书。
您是否还在包含ca文件的目录中运行ca_rehash(或ubuntu上的c_rehash)?
--capath
定义包含受PEM编码的CA证书的目录的路径。 用于启用SSL通信。
为了使--capath正常工作,证书文件的文件尾必须带有“ .crt”,并且每次添加/删除证书时都必须运行“ c_rehash”。
我必须重命名文件以.pem结尾(因为它们实际上是这样),并将DST_Root_CA_X3.pem文件也从/ etc / ssl / certs复制到ca目录中。
另外,如果要使用自己的专用CA,则使用--cafile可能会更简单。
这些是我按照上述hardillb的回答所做的步骤:
vbhadra@vbhadra-VirtualBox:~/remote_certs$ openssl s_client -showcerts -CApath /etc/ssl/certs/ -connect iot.eclipse.org:8883
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = iot.eclipse.org
verify return:1
---
Certificate chain
0 s:/CN=iot.eclipse.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFATCCA+mgAwIBAgISBC9SZX2gUAjJc1w00bxPBlvYMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzExMDMwOTE1MzFaFw0x
ODAyMDEwOTE1MzFaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIBN2DDEwV17T9JnHRe7OL4Cz4tKxc8
oB+wV+QFmXjObtYTlH9bbT+TidNHhHnnUKtVr/2hOyoEwNpjQsRmToesIWARfzyU
1RlGLKT4bWcheVzda5IoYqEDTQqbh5hpqeXqdqkW1X7NzqSHo8hfPRL3N8m8zaMA
tkeMzQ8nmedUBBPtK1Py2zadun1je4b53AwCBUYDrOo1vAm3Bg/Jz66AhNJ7zf7V
rHyBFJ99v2WwTVsWzYFQ+kIJ6p8l7Nn+yODx0rdfghlH4083mkjk+qR6GQJkRiRi
FxoZMHivZRP3AoDDrtyrEUDkJW+S9NctSVL+hkDackt2NaHGEdtHBZECAwEAAaOC
Ag8wggILMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUq+M2vIxu+xP6g9VVpIEf+eCh
nmUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI
BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v
Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp
ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll
cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv
bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5
LzANBgkqhkiG9w0BAQsFAAOCAQEAXK7WWSZlNGC5aKehhgIpyA4PBzO3I64YQCIR
NGoaeVRd4nniEMQ2bgdv7psvYRYsvM1m9fEscox0UuQEvOGGts76Hrr1lpVPdUDh
JPduBX+8rtzgs3uA2PdwvoEAQsbb2ulcVBe10wF0W0bUky6ZHutDp/GK9pHiWWTu
RFYkJ74rzuPVNvFJ1jS4ow7gIg3rY6mLpMwcSQo7t2sb54i63PggzepPenqJkXC9
YwWJJs/zovrZjioMXKC/Lp+ROSK8L2Z+JzyQp0Yu/vyebHZ4WL0xlXBPrRvVx5J1
3+ebwxdehisKt78Xo/HgCiwyloCQILimldCLR5LdpgPS4N0Ang==
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=iot.eclipse.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3137 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 1341B87702E30012B8FB0B98090FAB047CA84AB74566837F5600DD9C8B5BE5F5
Session-ID-ctx:
Master-Key: 8806ABE0992E57E28B628CE5A1AE29642298C37363C530DED1EB7322E023CD297687D0A0C662B7875DA00F4FA4ACE9A9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ca de e0 ec 30 a1 17 f3-a9 e7 eb 0b 57 5c f0 8a ....0.......W\..
0010 - 2f ad 59 79 87 11 5c f6-05 39 fa 5c 0c 6b dd 6d /.Yy..\..9.\.k.m
0020 - 64 f3 4d 93 e9 1b 30 9a-08 fc e5 87 ca 34 d5 e3 d.M...0......4..
0030 - 82 4b 60 67 b1 44 e6 4e-31 63 03 ec d8 e3 b4 0d .K`g.D.N1c......
0040 - 8d 03 e3 e2 a3 fb 6c ed-1f 0d 25 03 43 a8 b6 ff ......l...%.C...
0050 - 01 6a d0 48 a7 10 72 8c-6d aa ff 85 4e e8 b5 91 .j.H..r.m...N...
0060 - 53 da 88 f2 03 88 88 54-94 f0 d5 e9 bd a0 55 06 S......T......U.
0070 - 16 04 87 d8 ec 99 e5 cd-fc 9c 46 ff 1f cc 63 9e ..........F...c.
0080 - c3 cb 18 72 c9 ec ff fd-82 5a 79 fc 10 90 5a 10 ...r.....Zy...Z.
0090 - 4d b8 5b 1e 9e 09 93 b6-cc 6d f8 06 10 6e f0 a4 M.[......m...n..
00a0 - ab 71 c2 a8 58 01 25 43-3a b9 1d 38 52 b2 56 52 .q..X.%C:..8R.VR
Start Time: 1513006076
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
注意,BEGIN和END CERTIFICATE部分之间有两个证书。 将两个证书复制到两个单独的文件中,就像我确实将两个证书复制并保存在两个不同的文件cert.pem和cert2.pem中一样,该文件位于我的主目录中名为remote_certificates的文件夹中。 现在,将DST_Root_CA_X3.pem文件从/ etc / ssl / certs /文件夹复制到remote_certificates文件夹。
现在,正如@hardillb在上述注释中所建议的那样,运行c_rehash:
vbhadra@vbhadra-VirtualBox:~/remote_certs$ c_rehash .
Doing .
DST_Root_CA_X3.crt => 2e5ac55d.0
DST_Root_CA_X3.crt => 12d55845.0
iot.cert2.pem => 4f06f81d.0
iot.cert2.pem => 4a0a35c0.0
iot.cert1.pem => c6cb63f9.0
iot.cert1.pem => 8a8c4ac3.0
现在,我在remote_certificates文件夹中具有以下文件:
vbhadra@vbhadra-VirtualBox:~/remote_certs$ ls -la
total 20
drwxrwxr-x 2 vbhadra vbhadra 4096 Dec 11 15:38 .
drwxr-xr-x 40 vbhadra vbhadra 4096 Dec 11 15:38 ..
lrwxrwxrwx 1 vbhadra vbhadra 18 Dec 11 15:38 12d55845.0 -> DST_Root_CA_X3.crt
lrwxrwxrwx 1 vbhadra vbhadra 18 Dec 11 15:38 2e5ac55d.0 -> DST_Root_CA_X3.crt
lrwxrwxrwx 1 vbhadra vbhadra 13 Dec 11 15:38 4a0a35c0.0 -> iot.cert2.pem
lrwxrwxrwx 1 vbhadra vbhadra 13 Dec 11 15:38 4f06f81d.0 -> iot.cert2.pem
lrwxrwxrwx 1 vbhadra vbhadra 13 Dec 11 15:38 8a8c4ac3.0 -> iot.cert1.pem
lrwxrwxrwx 1 vbhadra vbhadra 13 Dec 11 15:38 c6cb63f9.0 -> iot.cert1.pem
-rw-r--r-- 1 vbhadra vbhadra 1200 Dec 11 15:33 DST_Root_CA_X3.crt
-rw-rw-r-- 1 vbhadra vbhadra 1798 Dec 11 15:37 iot.cert1.pem
-rw-rw-r-- 1 vbhadra vbhadra 1648 Dec 11 15:37 iot.cert2.pem
现在,我按如下所示运行mosquitto_pub命令,它可以正常工作:
vbhadra@vbhadra-VirtualBox:~/remote_certs$ mosquitto_pub -h iot.eclipse.org -p 8883 --capath /home/vbhadra/remote_certs/ -t house/s1 -m "test message" -d
Client mosqpub/3728-vbhadra-Vi sending CONNECT
Client mosqpub/3728-vbhadra-Vi received CONNACK
Client mosqpub/3728-vbhadra-Vi sending PUBLISH (d0, q0, r0, m1, 'house/s1', ... (12 bytes))
Client mosqpub/3728-vbhadra-Vi sending DISCONNECT
vbhadra@vbhadra-VirtualBox:~/remote_certs$
再次非常感谢@hardillb。
通过TLS连接到MQTT服务器的CA证书-iot.eclipse.org
[英]CA certificate to connect to MQTT server over TLS - iot.eclipse.org
Mosquitto TLS,适用于 MQTTfx 但不适用于 mosquitto_pub(tlsv1 警报未知 ca)
[英]Mosquitto TLS, works with MQTTfx but not mosquitto_pub (tlsv1 alert unknown ca)
无法使用 mosquitto、paho 的 X509 CA 证书连接 IoT 中心
[英]Cannot connect IoT Hub using X509 CA certificate by mosquitto, paho
从Java客户端(Eclipse Paho)到mosquitto broker的SSL连接:“unknown_ca”
[英]SSL connection from Java client (Eclipse Paho) to mosquitto broker: “unknown_ca”
服务器是否仅使用Mosquit的CA证书对从客户端到服务器的消息进行加密
[英]Does server only CA certificate with Mosquitto encrypt messages from the client to the server
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.