Issue with MQTT Block TLS connection certificates

Added by Marco Cini about 2 months ago

Hello,
I have implemented a Mosquitto broker on a personal Oracle Cloud server, enabling the TLS connection on port 8883. Following the esp32_mqtt_TLS_demo1, I have configured the MQTT setup block with the mqtts protocol, the server IP as the host, port 8883, and selected the folder for the certificates.
About the certificates that I need to put inside the folder: I added the client.key and the client.crt (created using a personal certificate authority that I created for the server), but as the "server.crt" (as it is called in the example) I'm not sure what I need to add; I tried with the server's public certificate authority that I used to sign the client.crt, but it didn't work (when I run the code on the ESP32 it connects to the wifi but then gives me the errors "Failed to verify peer certificate" and "Failed to open new connection").

Could you please explain to me in detail which kind of certificates and which format/filename I need to add inside the certs folder specified in the MQTT setup block?

I am pretty sure that both certificates and server configuration are correct because I can connect to the server using the application MQTT Explorer (TLS enabled).

Thank you in advance!


Replies (6)

RE: Issue with MQTT Block TLS connection certificates - Added by Parth Maheshwari (พาร์ท) about 2 months ago

Hi Marco,

We will get back to you as soon as possible.

Sincere regards,
Parth

RE: Issue with MQTT Block TLS connection certificates - Added by Senura Keheliya (เซนูระ) about 2 months ago

Hi Marco,

Can you check the port of the Oracle server? It should be 8884 for TLS with a client certificate required.

RE: Issue with MQTT Block TLS connection certificates - Added by Marco Cini about 2 months ago

Hi, thank you for the quick feedback, it is appreciated.

The port I am using now is 8883 for both server and edge. I thought the problem was about the certificate type that I am using; are there any particular specifications about the required certificate type?

In the meantime, I am going to test the communication using port 8884.

Thank you!

RE: Issue with MQTT Block TLS connection certificates - Added by Marco Cini about 2 months ago

Hi,
we tried with port 8884 but it does not work. You can find below the report from the serial port monitor:

RE: Issue with MQTT Block TLS connection certificates - Added by Senura Keheliya (เซนูระ) about 2 months ago

It appears that the issue is related to the certificates. You can generate client.crt and client.key using OpenSSL as described in the Waijung 2 documentation https://waijung2-doc.aimagin.com/esp32_mqtt.html . However, the server.crt should be generated on your server, as you've implemented the Mosquitto server on your Oracle server. Do not follow the server.crt generation process outlined in the documentation, as it is meant for the test server at https://test.mosquitto.org/. Instead, implement the certificate generation on your own server.

After generating the certificates, you can verify the connection using MQTT Explorer to ensure the certificates are set up correctly.

> I am pretty sure that both certificates and server configuration are correct because I can connect to the server using the application MQTT Explorer (TLS enabled).

Even though you're able to connect to the server using MQTT Explorer with TLS enabled, this option alone does not validate the TLS certificates. You need to enable the certificate validation option to establish a proper TLS connection.


Once you’ve completed these steps and can connect to the server via MQTT Explorer, the certificates should work in the blocks as well.
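As an added example (not the Waijung documentation's procedure and not code posted in this thread), the script below does on the broker host what the reply describes: it creates a private CA, issues a broker certificate whose subjectAltName carries the IP the client dials, issues a client certificate from the same CA, and then runs the two checks that separate a trust-chain problem from a hostname problem behind "Failed to verify peer certificate". The IP 203.0.113.10, the output directory and the file names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or the Waijung docs. Requires openssl.
set -e
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"     # assumed output directory
BROKER_IP="${BROKER_IP:-203.0.113.10}"   # assumed placeholder for the broker host

# make_certs DIR IP: create ca.crt, server.crt/key and client.crt/key, the
# latter two signed by the CA. ca.crt is the trust anchor a client needs.
make_certs() {
  dir="$1"; ip="$2"
  mkdir -p "$dir"
  # 1. self-signed private CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=my-mqtt-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. broker certificate; SAN must contain the IP the client connects to,
  #    otherwise hostname verification fails even when the chain is valid
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mqtt-broker" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
  # 3. client certificate from the same CA (what the broker checks when it
  #    requires client certificates)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=esp32-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
}

# verify_chain CA_FILE LEAF: succeeds only if LEAF was issued by CA_FILE,
# which is the same check a TLS client performs on the broker certificate
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# has_san_ip CERT IP: succeeds if the certificate's SAN lists IP
has_san_ip() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"
}

make_certs "$CERT_DIR" "$BROKER_IP"
verify_chain "$CERT_DIR/ca.crt" "$CERT_DIR/server.crt" && echo "server.crt chains to ca.crt"
has_san_ip "$CERT_DIR/server.crt" "$BROKER_IP" && echo "server.crt SAN covers $BROKER_IP"
```

The same `openssl verify` call, run against the broker's real certificate and whatever file is shipped to the device as server.crt, shows immediately whether the two belong together.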

RE: Issue with MQTT Block TLS connection certificates - Added by Marco Cini about 2 months ago

Hi,
your procedure works for us as well from MQTT Explorer, but not from the ESP32 board. Since you stated that the issue seems to be related to the certificate, could you please give us more details about the required certificate? What procedure should we use for the generation of the certificates? Which names should we give them?

Thank you in advance,
Marco
