php-mqtt / client

An MQTT client written in and for PHP.
MIT License
374 stars 72 forks

Login to mosquitto-broker fails after last update to 6.1.1 #105

Closed Oxaluz closed 2 years ago

Oxaluz commented 2 years ago

Hi folks,

After my last update of the mosquitto broker to the latest version (6.1.1) I don’t receive any values. A look into the log tells me that my login fails.

```
PHP Fatal error:  Uncaught PhpMqtt\Client\Exceptions\ConnectingToBrokerFailedException: [6] Establishing a connection to the MQTT broker failed: The configured broker responded with unauthorized. in /volume2/web/Heizung/vendor/php-mqtt/client/src/MessageProcessors/Mqtt31MessageProcessor.php:243
Stack trace:
#0 /volume2/web/Heizung/vendor/php-mqtt/client/src/MqttClient.php(350): PhpMqtt\Client\MessageProcessors\Mqtt31MessageProcessor->handleConnectAcknowledgement(' \x02\x00\x05')
#1 /volume2/web/Heizung/vendor/php-mqtt/client/src/MqttClient.php(131): PhpMqtt\Client\MqttClient->performConnectionHandshake(false)
#2 /volume2/web/Heizung/mqtt-send.php(32): PhpMqtt\Client\MqttClient->connect(Object(PhpMqtt\Client\ConnectionSettings), false)
#3 {main}
  thrown in /volume2/web/Heizung/vendor/php-mqtt/client/src/MessageProcessors/Mqtt31MessageProcessor.php on line 243

Fatal error: Uncaught PhpMqtt\Client\Exceptions\ConnectingToBrokerFailedException: [6] Establishing a connection to the MQTT broker failed: The configured broker responded with unauthorized. in /volume2/web/Heizung/vendor/php-mqtt/client/src/MessageProcessors/Mqtt31MessageProcessor.php:243
Stack trace:
#0 /volume2/web/Heizung/vendor/php-mqtt/client/src/MqttClient.php(350): PhpMqtt\Client\MessageProcessors\Mqtt31MessageProcessor->handleConnectAcknowledgement(' \x02\x00\x05')
#1 /volume2/web/Heizung/vendor/php-mqtt/client/src/MqttClient.php(131): PhpMqtt\Client\MqttClient->performConnectionHandshake(false)
#2 /volume2/web/Heizung/mqtt-send.php(32): PhpMqtt\Client\MqttClient->connect(Object(PhpMqtt\Client\ConnectionSettings), false)
#3 {main}
  thrown in /volume2/web/Heizung/vendor/php-mqtt/client/src/MessageProcessors/Mqtt31MessageProcessor.php on line 243
```

```
1651901465: Client <unknown> closed its connection.
1651901521: New connection from 192.168.178.7:40683 on port 1883.
error: received null username or password for unpwd check
1651901521: Client <unknown> disconnected, not authorised.
```

I made no changes in the configuration of server or client, and before that everything worked perfectly.

Is somebody able to help me?

regards, Bernd

PS: here is the start-log of mosquitto-broker:

```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] mosquitto.sh: executing... 
[07:57:03] INFO: SSL is not enabled
[cont-init.d] mosquitto.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[07:57:04] INFO: Starting NGINX for authentication handling...
[07:57:05] INFO: Starting mosquitto MQTT broker...
1651903025: Warning: Mosquitto should not be run as root/administrator.
[07:57:06] INFO: Successfully send discovery information to Home Assistant.
[07:57:06] INFO: Successfully send service information to the Supervisor.
1651903025: mosquitto version 2.0.11 starting
1651903025: Config loaded from /etc/mosquitto/mosquitto.conf.
1651903025: Loading plugin: /usr/share/mosquitto/go-auth.so
1651903025:  ├── Username/password checking enabled.
1651903025:  ├── TLS-PSK checking enabled.
1651903025:  └── Extended authentication not enabled.
1651903025: Opening ipv4 listen socket on port 1883.
1651903025: Opening ipv6 listen socket on port 1883.
1651903025: Opening websockets listen socket on port 1884.
1651903025: mosquitto version 2.0.11 running
1651903025: New connection from 127.0.0.1:34384 on port 1883.
1651903025: Client <unknown> closed its connection.
1651903025: New connection from 172.30.32.2:34300 on port 1883.
1651903025: Client <unknown> closed its connection.
1651903027: New connection from 172.30.32.1:47629 on port 1883.
1651903027: New client connected from 172.30.32.1:47629 as 5e2fpUC8OJ3MbYQ0Rz2lhO (p2, c1, k60, u'mqtt').
1651903081: New connection from 192.168.178.7:42420 on port 1883.
error: received null username or password for unpwd check
```

Namoshek commented 2 years ago

I'm a bit confused by your description. You say you updated to Mosquitto 6.1.1, which - according to eclipse/mosquitto (https://github.com/eclipse/mosquitto/tags) - does not exist. Also, your Mosquitto log says `1651903025: mosquitto version 2.0.11 starting`, which is a version from June 2021. What exactly is version 6.1.1 referring to?

To me this sounds like a misconfiguration of the go-auth plugin or a feature incompatibility (e.g. using only a username for authentication). But I don't know the plugin, so I really cannot be of more help to be honest.

Oxaluz commented 2 years ago

it is mosquitto-broker v6.1.1

Namoshek commented 2 years ago

As I've seen, you also posted the question in the Home Assistant forums where you should be able to receive more qualified feedback than here. From my perspective, you are clearly describing the update as the source of your problem. You should therefore start to look for changes in the mosquitto plugin of Home Assistant. My guess is, as already written, that the new authorization plugin does not support authentication with username or password only.

tylerwatt12 commented 2 years ago

I'm having the same problem. All my other MQTT libraries seem to work fine, the only outlier I've seen is php-mqtt. Ones that I've tested working are mosquitto_pub/sub in the Eclipse library, MQTT Explorer, BlueIris NVR4, Espurna 1.14.1 and Tasmota 11.1.0.

I'm relying on standard authentication with username and password, but php-mqtt is throwing this error

My usernames and passwords have pipes and hyphens in them, but that doesn't seem to matter after trying another username.

PHP throws error:

```
PHP Fatal error: Uncaught PhpMqtt\Client\Exceptions\ConnectingToBrokerFailedException: [6] Establishing a connection to the MQTT broker failed: The configured broker responded with unauthorized. in C:\script\vendor\php-mqtt\client\src\MessageProcessors\Mqtt31MessageProcessor.php:252
Stack trace:
#0 C:\script\vendor\php-mqtt\client\src\MqttClient.php(377): PhpMqtt\Client\MessageProcessors\Mqtt31MessageProcessor->handleConnectAcknowledgement()
#1 C:\script\vendor\php-mqtt\client\src\MqttClient.php(158): PhpMqtt\Client\MqttClient->performConnectionHandshake()
#2 C:\script\vendor\php-mqtt\client\src\MqttClient.php(144): PhpMqtt\Client\MqttClient->connectInternal()
#3 C:\script\mqtt.php(59): PhpMqtt\Client\MqttClient->connect()
#4 {main}
  thrown in C:\script\vendor\php-mqtt\client\src\MessageProcessors\Mqtt31MessageProcessor.php on line 252
```

Mosquitto shows error:

```
1654318883: New connection from 192.168.64.6:49166 on port 1883.
error: received null username or password for unpwd check
1654318883: Client <unknown> disconnected, not authorised.
```

Namoshek commented 2 years ago

I'll look into it, but it would be helpful to have the Mosquitto config you are using (without the credentials of course).

Oxaluz commented 2 years ago

Broker or client?

Namoshek commented 2 years ago

Ideally both, but the broker settings are of more interest to me.

Oxaluz commented 2 years ago

No, simply letters

Namoshek @.***> wrote on Sat, 4 June 2022, 09:50:

> Is your password ending with a pipe (or another symbol character) by any chance?

Oxaluz commented 2 years ago

Here the broker settings

Namoshek commented 2 years ago

Ok, so I added tests in #113 which ensure authentication with Mosquitto 1.6 and 2.0 works as expected. The test user is ci-test-user and the password a 40-character string with everything from digits, lower case and upper case letters to multiple different symbols.

Therefore this really looks like a configuration issue on the broker side and not a bug in this library. If you can provide me with the broker settings, maybe I'll be able to help anyway though.

tylerwatt12 commented 2 years ago

Trying my best to get what you need, I can't figure out how to pull a config file, as the addon seems to generate one when the mosquitto broker service starts.

I tried manually adding the user by adding this into the "Logins" section of the addon.

```yaml
- username: test-api
  password: Eraser-Sermon0-Blob
```

My hope was to bypass go-auth. I'm assuming that go-auth is what is used to do SSO between the HA user accounts and Mosquitto Broker?

Well that didn't work, and I'm getting only this error now:

```
error: received null username or password for unpwd check
```

PHP debug still says same message:

```
PHP Fatal error: Uncaught PhpMqtt\Client\Exceptions\ConnectingToBrokerFailedException: [6] Establishing a connection to the MQTT broker failed: The configured broker responded with unauthorized. in C:\script\vendor\php-mqtt\client\src\MessageProcessors\Mqtt31MessageProcessor.php:252
```

Sorry if this wasn't any help, I'm not very familiar with the back end of mosquitto home assistant addon

tylerwatt12 commented 2 years ago

Ok here are my broker settings:

```yaml
logins:
  - username: test-api
    password: Eraser-Sermon0-Blob
require_certificate: false
certfile: fullchain.pem
keyfile: privkey.pem
customize:
  active: true
  folder: mosquitto
debug: true
```

then in /share/mosquitto/, I have these files

acl.conf

```
acl_file /share/mosquitto/accesscontrollist
```

accesscontrollist

```
user addons
topic readwrite #

user homeassistant
topic readwrite #

user test-api
topic readwrite #
```

Also tried these

```yaml
logins:
  - username: test-api
    password: Eraser-Sermon0-Blob
require_certificate: false
certfile: fullchain.pem
keyfile: privkey.pem
customize:
  active: false
  folder: mosquitto
debug: true
```

Also recently MQTT Broker was changed to not allow anonymous connections. From what I understand anonymous connections can't even be allowed anymore due to go-auth

https://github.com/home-assistant/addons/issues/2483

Also

Are you using User Properties to authenticate? Another developer said his .NET implementation of a MQTT Client was having issues until he changed authentication via UserProperties() to WithCredentials()

Namoshek commented 2 years ago

Thank you for the details. Unfortunately, I'm still not able to reproduce the issue. I've been running my tests against a Mosquitto with go-auth using the following configuration:

```sh
sh create-certificates.sh
docker run --rm -it \
  -p 1883:1883 -p 1884:1884 -p 8883:8883 -p 8884:8884 \
  -v $(pwd)/.ci/tls:/mosquitto-certs \
  -v $(pwd)/.ci/mosquitto.conf:/etc/mosquitto/mosquitto.conf \
  -v $(pwd)/.ci/mosquitto.passwd:/etc/mosquitto/mosquitto.passwd \
  -v $(pwd)/.ci/mosquitto.acl:/etc/mosquitto/mosquitto.acl \
  iegomez/mosquitto-go-auth:latest-mosquitto_2.0.14
```

```
# Config file for mosquitto
per_listener_settings true

# Port to use for the default listener.
listener 1883
allow_anonymous true

# Port to use for the default listener with authentication.
listener 1884
allow_anonymous false
auth_plugin /mosquitto/go-auth.so
auth_opt_backends files
auth_opt_hasher pbkdf2
auth_opt_log_level debug
auth_opt_log_dest stderr
auth_opt_files_password_path /etc/mosquitto/mosquitto.passwd
auth_opt_files_acl_path /etc/mosquitto/mosquitto.acl

# TLS listener without client certificate requirement
listener 8883
cafile /mosquitto-certs/ca.crt
certfile /mosquitto-certs/server.crt
keyfile /mosquitto-certs/server.key
require_certificate false
allow_anonymous true

# TLS listener with client certificate requirement
listener 8884
cafile /mosquitto-certs/ca.crt
certfile /mosquitto-certs/server.crt
keyfile /mosquitto-certs/server.key
require_certificate true
allow_anonymous true
```

All four listeners are used in the test suite of this library and all four work just as expected. The /etc/mosquitto/mosquitto.passwd file contains the following entry:

```
ci-test-user:$6$QypQBNSQKE5bg6Ec$nzACfxhQ9qiYFByPPM/6GP/9kOWwDzEftN0EJPkS6M0PWqL55jAbBxUO863oWwhJ2q/YaubfLbe3xwwhBuoStQ==
```

and /etc/mosquitto/mosquitto.acl this one:

```
user ci-test-user
topic readwrite #
```

The logins section of the configuration seems to be some Home Automation stuff because Mosquitto doesn't know this configuration syntax / key.

> Are you using User Properties to authenticate? Another developer said his .NET implementation of a MQTT Client was having issues until he changed authentication via UserProperties() to WithCredentials()

I think they refer to some methods provided by the .NET library, not an MQTT detail. In MQTT, there is only one way to authenticate: through the CONNECT message (as described here in the MQTT 3.1 specification). Libraries are just abstracting away this kind of stuff, so it is nicer to work with. No one likes to encode byte streams all the time. 👍

By the way, user properties have been introduced in MQTT 5, which this library does not implement so far. So this really is out of question for this issue.
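
Added example, not part of the thread or of php-mqtt's code: Python code that encodes the CONNECT message described above, reads the user name and password flags back out of a captured CONNECT, and decodes the CONNACK bytes shown in the first stack trace (`' \x02\x00\x05'`). The function names are made up for this illustration; the packet layout follows MQTT 3.1 / 3.1.1.

```python
import struct

CONNACK_CODES = {0: "connection accepted", 1: "unacceptable protocol version",  # MQTT 3.1/3.1.1
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def _field(value: bytes) -> bytes:
    """MQTT string/binary field: 2-byte big-endian length, then the bytes."""
    return struct.pack("!H", len(value)) + value

def _remaining_length(n: int) -> bytes:
    """Fixed-header length encoding: 7 bits per byte, high bit means more follows."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id, username=None, password=None, keepalive=60,
                  proto_name=b"MQTT", level=4):
    """Encode CONNECT (clean session, no will); use b"MQIsdp", 3 for MQTT 3.1."""
    flags = 0x02                                  # clean session
    payload = _field(client_id.encode())
    if username is not None:
        flags |= 0x80                             # user name flag
        payload += _field(username.encode())
    if password is not None:
        flags |= 0x40                             # password flag
        payload += _field(password.encode())
    body = _field(proto_name) + bytes([level, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _remaining_length(len(body)) + body

def connect_credential_flags(packet: bytes):
    """Return (has_username, has_password) as declared by a CONNECT packet."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos = 1
    while packet[pos] & 0x80:                     # skip remaining-length continuation bytes
        pos += 1
    (name_len,) = struct.unpack_from("!H", packet, pos + 1)
    flags = packet[pos + 1 + 2 + name_len + 1]    # after protocol name and level byte
    return bool(flags & 0x80), bool(flags & 0x40)

def decode_connack(packet: bytes) -> str:
    """Map a 4-byte CONNACK to the meaning of its return code."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return CONNACK_CODES.get(packet[3], f"reserved ({packet[3]})")
```

Running `connect_credential_flags` over a CONNECT captured on the broker host shows which credential fields the client declared, which is the first thing to compare against a broker log line such as "received null username or password".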