Right now I have to do an initial test of a mqtt broker (ssl).
However right now I don't have the valid truststore certificates, however I would like to test the basic connectivity, ignoring SSL errors regarding hostname verification, certificate validation etc.
Unfortunately I am not successful, even with a broker I know it's working.
What I'm doing:
mosquitto_sub -h the_host -p 8883 -t '#' -v -u myUser -P myPass --insecure -d --capath /etc/ssl/certs
According to the manpage I just use the --capath to identify it's a TLS connection, well knowing that the necessary root certificate is not available here.
What I get is this:
Client mosqsub|11262-csbox sending CONNECT
Error: A TLS error occurred.
Any idea what I'm doing wrong?
Using --insecure just disables the verification of the hostname in the certificate presented by the broker. It does not remove the need to have a copy of the CA certificate that signed the brokers certificate.
So if /etc/ssl/certs doesn't contain a matching CA certificate then the connection will fail.
If needed you should be able to use something like openssl s_client to download the certificate chain directly from the broker, you can then point to that file with the --cafile option instead of the --capath option.
Related
I am trying mtls authentication in MQTT. I am using mosquitto to achieve this. When I created a server and client certificate from the same CA then the connection was successful. But if I use a different CA for creating a client certificate then it's failing with the below message
Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.
Is it mandatory to use the same CA for both client and server certificates in mtls?
Mosquitto.conf
listener 8883
certfile C:\\server.crt
keyfile C:\\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true
Running broker using
mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"
Subscribe with a client with a certificate signed by server cert ca [SUCCESS]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key
Subscribe with a client with a certificate signed by other ca [FAILURE]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key
Created certificate using Mosquitto SSL Configuration -MQTT TLS Security
The important thing to realise here is that the CA file passed to the broker as part of it's config is used to verify the certificate of any connecting clients.
Where as the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.
So if you are using different CAs then these files need to be different, it's not clear from what you've posted which CA certs you are using where.
I am using the curl terminal and while issuing the following command :-
curl --anyauth --user admin:admin "https://localhost:8000/LATEST/search?q=caesar"
I am getting below alert :-
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Please suggest. I have installed curl in Windows and also downloaded the .pem file and placed it in the same folder.
If your server has a self-signed cert, then by default curl doesn't know that it can trust that the server is who it says it is, and doesn't want to talk.
You can either:
import the cert into your trust store (best and most secure)
apply the -k or --insecure switch to ignore and continue. This may be fine for local development.
use a real cert, signed by a trusted CA
For local dev and a quick solution, run this line
set_config( config( ssl_verifypeer = 0L ) )
before
httr::GET(....)
but as suggested it's still preferable to use a real cert.
I have a Kafka cluster which is configured to be used over ssl on port 9093.
In order for me successfully send data on port 9093 I need to pass the certificate chain (intermediate + root CA) (all these are self signed stuff)
echo "Hello" | kafkacat -P -b localhost:9095 -t my-topic \
-X security.protocol=ssl \
-X ssl.key.location=cert-key.pem \
-X ssl.ca.location=chain.crt
(chain.crt is a file with the rootCA and intermediate cert)
My question is why do I need to issue the full chain and not just the root CA in the ssl.ca.location param ?
ssl.key.location is the client's certificate for authenticating to the broker.
ssl.ca.location is used by the client to verify the broker's certificate.
I tried following the guide shown by mosquitto but once I launch the mosquitto
mosquitto -c mosquitto.conf
which defines port, location of ca.crt, server.crt, server.key
then I followed similar step using the same CA file, to sign the client key and certificate.
Then launched client
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] -t "hello" -m "hello world"
when I do it like this without key and certificate I get
Error: Success
but when I do it with key and certificate
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] --cert [client.crt path] --key [client1.key path] t "hello" -m "hello world"
I get
Error:Success
On the server side I See the following errors
... routines:SSL3_READ_BYTES: sslv3 alert certificate unknown
... routines:SSL3_READ_BYTES: ssl handshake failure
I ran openssl commands to verify CA approves of both generated certificates, and it did.
It turns out, when entering the detail of the certificate, i mistake the common name section's purpose. After I set it to the ip address of the server, it all worked well
I was getting the same error. I tried to subscribe like this:
mosquitto_sub -h ip_address -p 8883 -t topic --cafile /etc/mosquitto/ca_certificates/ca.crt -d.
Replace ip_addres with your ip address that you wrote when you created certificate. In your question, you wrote localhost. If you replace it with ip address it will be work.
What can I do to troubleshoot/fix why my curl command cannot find my certificate when referencing to it by its nickname
I am trying to get a secure connection to a bank server, that is handling our online payments, using curl. The server is using NSS protocol. I installed the certificate from the bank into the nssdb with a nickname "foo" using:
certutil -A -d sql:/etc/pki/nssdb -i ccapi.pem -n "foo" -t "P,P,P"
Listing the cert to check that it has been created, I use
certutil -L -d sql:/etc/pki/nssdb/
with the output confirming a nickname "foo" for the cert.:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
foo P,P,P
When I am trying to connect using curl referencing to the nickname foo for the certificate like this:
curl -k -v --cert "foo" https://ccapi.client.qvalent.com/payway/ccapi
This is PART of the output:
Connected to proxy.ourdomain.com.au (172.21.0.58) port 3128 (#0)
Establish HTTP proxy tunnel to ccapi.client.qvalent.com:443
CONNECT ccapi.client.qvalent.com:443 HTTP/1.1
Host: ccapi.client.qvalent.com:443
User-Agent: curl/7.37.0
Proxy-Connection: Keep-Alive
HTTP/1.1 200 Connection established
Proxy replied OK to CONNECT request
Initializing NSS with certpath: sql:/etc/pki/nssdb
skipping SSL peer certificate verification
NSS: client certificate not found: foo
The last line: certificate not found: foo, is my problem. I seem to be doing everything right when creating the cert in the nssdb with a nickname but when using a curl command to connect it cannot find the certificate. If I link to the actual cert like this and not the nickname:
curl -k -v --cert "./ccapi.pem" https://ccapi.client.qvalent.com/payway/ccapi
Then the certificate is recognized but I cannot connect to bank server. This could be because I need to use NSS but this is irrelevant for what I am trying to get an answer to. I have found similar questions on stackoverflow eg. CURL NSS client certificate not found myCert but they fall short of answering the question. I do not have/use PKCS #12 certificate.
What can I do to troubleshoot/fix why my curl command cannot find my certificate when referencing to it by its nickname.
Appreciate any help
-M