
Error while using a self-signed SSL certificate for an MQTT broker

I am using a Mosquitto broker with username and password authentication. The broker URL is public, so it is reachable from a Django website and from a Raspberry Pi. Now I am trying to implement SSL certificate authentication, but I get errors like

unknown ca, [Win Error 10054] An existing connection was forcibly closed by the remote host ,
hand shake failed 

How do I solve this?

I am following this article to create the SSL certificate: http://www.steves-inte.net-guide.com/mosquitto-tls/ . Is there any problem with using a self-signed certificate for an MQTT broker on a public URL?

My mosquitto.conf file looks like this

persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 8883
use_identity_as_username true
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true

The broker is called from the Raspberry Pi like this

import time

import paho.mqtt.client as mqtt


# The callback for when the client receives a CONNACK response from the server.
def on_connect(client, userdata, flags, rc):
    print("Connected with result code " + str(rc))

    # Subscribing in on_connect() means that if we lose the connection and
    # reconnect then subscriptions will be renewed.
    client.subscribe("$SYS/#")


# The callback for when a PUBLISH message is received from the server.
def on_message(client, userdata, msg):
    print(msg.topic + " " + str(msg.payload))


broker = "broker name"
#mqtt_port = 1883
mqtt_port = 8883

# Create the client once; the original created a second mqtt.Client() here,
# which silently dropped the callbacks assigned to the first one.
client = mqtt.Client(str(int(time.time())))  # create client object
client.on_connect = on_connect
client.on_message = on_message

client.tls_set("./ca.crt")  # ca_certs: the self-signed CA that signed the broker certificate
client.tls_insecure_set(True)  # turns off the hostname (CN/SAN) check
client.connect(broker, mqtt_port)
client.loop_start()  # background network thread; the main thread must stay alive

First, you should remove the following lines from mosquitto.conf

use_identity_as_username true
require_certificate true

They are only used when you are using client certificates, which are not in the code provided.

Second, assuming the file ca.crt is in the same directory as the script and that is where you start it from, do the following. (It also assumes the broker certificate has matching CN/SAN entries for the broker hostname/IP address.)

...
# tls_set() builds and installs its own SSLContext, so it must not follow a
# tls_set_context() call; the CA file is passed as ca_certs (paho has no ca_path).
client.tls_set(ca_certs="./ca.crt")
client.connect(broker, mqtt_port)
client.loop_start()

The other option is the following, which disables checking that the broker's certificate is signed by any CA and that its CN/SAN matches the hostname used to access the broker.

...
# cert_reqs=ssl.CERT_NONE turns off the CA signature check (needs `import ssl`);
# tls_insecure_set(True) then turns off the CN/SAN hostname check as well.
client.tls_set(cert_reqs=ssl.CERT_NONE)
client.tls_insecure_set(True)
client.connect(broker, mqtt_port)
client.loop_start()
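As an added example (not from the question or the answer), the following Python uses only the standard ssl module to show what the broker/client choices discussed above amount to: the context paho's tls_set() and tls_insecure_set() calls produce for each option, and a pre-flight check that flags the two mismatches behind the errors in the question (the broker demanding a client certificate, and the broker's self-signed CA not being trusted) as well as the hostname check that tls_insecure_set(True) gives up. The config text is a constructed copy of the listener lines above; ./ca.crt and the client_cert pair are assumed paths.

```python
import ssl

# Constructed copy of the listener lines from the question's mosquitto.conf.
BROKER_CONF = """\
listener 8883
use_identity_as_username true
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
"""

def parse_mosquitto_conf(text):
    """Minimal 'option value' parser for the lines used here (comments stripped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def client_tls_context(ca_file=None, client_cert=None, insecure=False):
    """Build the SSLContext that the paho tls_set()/tls_insecure_set() choices amount to.
    ca_file: PEM of the self-signed CA that signed the broker cert (assumed ./ca.crt);
    client_cert: (certfile, keyfile), only needed while the broker keeps require_certificate;
    insecure=True mirrors client.tls_insecure_set(True)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust our CA instead of the system store
    else:
        ctx.load_default_certs()  # system CAs only: a self-signed broker CA is "unknown ca"
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    if insecure:
        ctx.check_hostname = False  # CA signature is still checked; the CN/SAN match is skipped
    return ctx

def predict_handshake(conf, ca_file=None, client_cert=None, insecure=False):
    """Flag, before connecting, why the handshake with a self-signed-CA broker fails or is weakened."""
    problems = []
    if conf.get("require_certificate") == "true" and not client_cert:
        problems.append("broker requires a client certificate but the client sends none")
    if ca_file is None:
        problems.append("client trusts only system CAs: self-signed broker CA -> 'unknown ca'")
    if insecure:
        problems.append("hostname check disabled: a cert for any host signed by the CA is accepted")
    return problems
```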


Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM