Closed peterkappelt closed 5 years ago
I added the certificates to my rpi and added the capath, but unfortunately now I'm getting a certificate verify failed. Also when I download the certificate with openssl:
openssl s_client -showcerts -connect mqtt.gbridge.kappelt.net:8883 </dev/null
And then specify this file using cafile:
mosquitto_sub --username gbridge-u104 --pw password --host mqtt.gbridge.kappelt.net --port 8883 --cafile /usr/local/share/ca-certificates/gbridge.crt --topic gBridge/u104/d276/onoff -d -v
Client mosqsub/28244-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Do these commands work for you?
And can you check your server logs for this connect id: Domoticz_1543515460 and the reason that the topics are not returned?
2018-11-29 19:17:40.253 (gBridge Remote) MQTT CONNECT ID: 'Domoticz_1543515460'
2018-11-29 19:17:40.304 (gBridge Remote) Message from base
2018-11-29 19:17:40.304 (gBridge Remote) Incoming message!{'Status': 0, 'Description': 'Connection Accepted', 'Verb': 'CONNACK'}
2018-11-29 19:17:40.304 (gBridge Remote) MqttClient::Subscribe
2018-11-29 19:17:40.357 (gBridge Remote) Message from base
2018-11-29 19:17:40.358 (gBridge Remote) Incoming message!{'Topics': [{'Status': 128, 'Description': 'Failure'}], 'PacketIdentifier': 1, 'Verb': 'SUBACK'}
Well, not particularly useful:
Nov 29 19:17:40 helium mosquitto[863]: 1543515460: New client connected from XX.YY.ZZ.AA as Domoticz_1543515460 (c1, k60, u'gbridge-uZZZ').
Nov 29 19:17:40 helium mosquitto[863]: 1543515460: Socket error on client Domoticz_1543515460, disconnecting.
Which OS/version is running on your RPi (Raspbian?)? Try https://about.gbridge.kappelt.net/static/LetsEncrypt-AllCAs.pem as the CA file, too, please.
That's the first CA I tried and that gives the same result. It indeed runs Raspbian.
I also tried it on my Macbook, also the same error.
Edit: Got a bit further on my Macbook (Think I didn't import the cert correctly):
mosquitto_sub --username gbridge-104 --pw XXX --host mqtt.gbridge.kappelt.net --port 8883 --cafile LetsEncrypt-AllCAs.pem --topic gBridge/u104/# -d -v
Client mosqsub|1187-MacBook-Pr sending CONNECT
Client mosqsub|1187-MacBook-Pr received CONNACK (5)
Connection Refused: not authorised.
Client mosqsub|1187-MacBook-Pr sending DISCONNECT
Don't really know why I'm getting an unauthorized, changed my password again to make sure I have the right one and still giving an unauthorized.
Mhh, strange...
pi@hcpi01:~ $ mosquitto_sub --username gbridge-u11 --pw 'abcd' --host mqtt.gbridge.kappe-topic gBridge/u11/d18/onoff --cafile LetsEncrypt-AllCAs.pem -v -d
Client mosqsub/20527-hcpi01 sending CONNECT
Client mosqsub/20527-hcpi01 received CONNACK
Client mosqsub/20527-hcpi01 sending SUBSCRIBE (Mid: 1, Topic: gBridge/u11/d18/onoff, QoS: 0)
Client mosqsub/20527-hcpi01 received SUBACK
Subscribed (mid: 1): 0
Client mosqsub/20527-hcpi01 received PUBLISH (d0, q0, r0, m0, 'gBridge/u11/d18/onoff', ... (1 bytes))
gBridge/u11/d18/onoff 0
pi@hcpi01:~ $ mosquitto_sub --username gbridge-u11 --pw 'Bd4RqtqU$N3RaWqG' --capath /etc/ssl/certs/ --host mqtt.gbridge.kappelt.net --port 8883 --topic gBridge/u11/d18/onoff -v -d
Client mosqsub/20595-hcpi01 sending CONNECT
Client mosqsub/20595-hcpi01 received CONNACK
Client mosqsub/20595-hcpi01 sending SUBSCRIBE (Mid: 1, Topic: gBridge/u11/d18/onoff, QoS: 0)
Client mosqsub/20595-hcpi01 received SUBACK
Subscribed (mid: 1): 0
Client mosqsub/20595-hcpi01 received PUBLISH (d0, q0, r0, m0, 'gBridge/u11/d18/onoff', ... (1 bytes))
gBridge/u11/d18/onoff 1
What's the version of mosquitto_sub? Try appending -V mqttv31
Are there any special characters in your password? Try enclosing it with apostrophes or quotes
That's it! Changed the password to not have the special chars and now I can connect from my Macbook.
Also changed the password, port to 1883 and removed the --ca option on my Raspbian, and now I can subscribe using the mosquitto_sub.
Could it be that the Python plugin is using the wrong MQTT protocol?
Ahhhh, no! Using port 1883 is a really bad idea, since it is unencrypted MQTT.
Yes, MQTT version problems are a possibility. I've decided to stick to the "old" V3.1, for broader compatibility.
I'm planning to offer both versions on different domains in the future.
Yes, I won't use 1883 in production, just want to check if I can connect from my raspberry.
I've added username/password protection to my own mosquitto broker, and that works. This is the mosquitto broker I'm using:
mosquitto version 1.4.4 (build date Thu, 17 Sep 2015 16:11:28 +0100)
mosquitto is an MQTT v3.1 broker.
Is that the same as the one you're using?
Could you perhaps share your mqtt config so I can test it myself?
gBridge servers use Mosquitto 1.5.2. I've sent you the config. However, I don't think it is really useful for you, since it uses a couple of extensions for dynamic authentication and user management.
I'm using 1.4.10 for mosquitto_sub on my client system for testing.
Have you tried all possibilities (with (not) defining --capath / --cafile etc.) with the password without special characters?
Have a nice week!
When using the sub client, it now works. What I now need to figure out is how I can provide certs to the Domoticz Connection class which is used for the interaction with mqtt. Unfortunately the documentation is very scarce. And I don't think the certs are the real problem, seeing as I'm having the exact same behavior when using an unsecured connection:
Incoming message!{'Topics': [{'Status': 128, 'Description': 'Failure'}], 'PacketIdentifier': 1, 'Verb': 'SUBACK'}
According to the specs of mqtt this could be an issue with not having the correct access rights to the topic so I tried several ways of subscribing, gBridge/u104/Dinner_Light/brightness, gBridge/u104/#, # but nothing seems to work.
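Added example (not part of the thread, and not gBridge or Domoticz code): decoding the SUBACK quoted above. Return code 128 (0x80) is how an MQTT 3.1.1 broker refuses a single subscription while the connection itself stays accepted, so a client has to check the code for every topic it asked for. The packet bytes are constructed samples and the function names are hypothetical.

```python
SUBACK_TYPE = 0x90   # fixed-header byte: packet type 9, flags 0
FAILURE = 0x80       # MQTT 3.1.1 return code: subscription refused

def decode_remaining_length(buf, pos):
    """Decode the variable-length 'remaining length'; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 21:      # the field is at most 4 bytes
            raise ValueError("malformed remaining length")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:                    # continuation bit clear: done
            return value, pos
        shift += 7

def parse_suback(packet, requested_topics):
    """Return (packet_id, {topic: granted QoS, or None if refused})."""
    if not packet or packet[0] != SUBACK_TYPE:
        raise ValueError("not a SUBACK packet")
    length, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length or length < 3:
        raise ValueError("truncated SUBACK")
    packet_id = int.from_bytes(body[:2], "big")
    codes = body[2:]
    # One return code per topic filter, in the order of the SUBSCRIBE.
    if len(codes) != len(requested_topics):
        raise ValueError("return code count does not match SUBSCRIBE")
    result = {}
    for topic, code in zip(requested_topics, codes):
        if code not in (0, 1, 2, FAILURE):
            raise ValueError(f"reserved return code {code:#x}")
        result[topic] = None if code == FAILURE else code
    return packet_id, result

def refused_topics(packet, requested_topics):
    """List the topic filters the broker refused."""
    _, result = parse_suback(packet, requested_topics)
    return [topic for topic, qos in result.items() if qos is None]

# Constructed sample matching the log above: packet id 1, one topic, status 128.
SAMPLE_REFUSED = bytes([0x90, 0x03, 0x00, 0x01, 0x80])
# Constructed sample: packet id 2, first topic granted QoS 0, second refused.
SAMPLE_MIXED = bytes([0x90, 0x04, 0x00, 0x02, 0x00, 0x80])

if __name__ == "__main__":
    print(parse_suback(SAMPLE_REFUSED, ["gBridge/u104/#"]))
    print(refused_topics(SAMPLE_MIXED, ["a/b", "c/d"]))
```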
Going to close this one, seeing as it's fixed. For historic purposes, the issue was the 1.5 version of mosquitto in combination with the mosquitto auth plugin regarding the read/write level: https://github.com/jpmens/mosquitto-auth-plug/issues/356
Discussion started in your pull request: https://github.com/kservices/gBridge/pull/15
You wrote about this command, that isn't working:
mosquitto_sub --username gbridge-u* --pw my-pass --host mqtt.gbridge.kappelt.net --port 8883 --topic gBridge/u1/d1/onoff -d -v
I think the problem is that mosquitto_sub is not trying to use TLS for this connection. If you specify the path where your system stores trusted CA certificates (e.g. with the parameter --capath /etc/ssl/certs/), it should work.