mosquitto_pub rejecting iot.eclipse.org mqtt server certificate saying "Unknown CA"


Problem description

I am trying to run mosquitto_pub on an Ubuntu Linux machine as follows:

vbhadra@vbhadra-VirtualBox:~$ mosquitto_pub  -h iot.eclipse.org -p 8883 --capath /etc/ssl/certs/ -t house/s1 -m "test message" -d
Client mosqpub/9204-vbhadra-Vi sending CONNECT
Client mosqpub/9204-vbhadra-Vi received CONNACK
Client mosqpub/9204-vbhadra-Vi sending PUBLISH (d0, q0, r0, m1, 'house/s1', ... (12 bytes))
Client mosqpub/9204-vbhadra-Vi sending DISCONNECT

As can be seen, mosquitto_pub works fine. Now I want to experiment with downloading the iot.eclipse.org certificate manually and then using that with mosquitto_pub instead of Ubuntu's /etc/ssl/certs/ certificates.

So I did the following:

ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect iot.eclipse.org:8883) -scq > file.crt

Saved file.crt in /home/vbhadra/remote_certificate/.

Now I try the below again:

mosquitto_pub  -h iot.eclipse.org -p 8883 --capath /home/vbhadra/remote_certificate/ -t house/s1 -m "test message" -d 

But the above fails miserably. By capturing a tcpdump I can see in Wireshark that my Ubuntu client is sending "Fatal: Unknown CA" back to iot.eclipse.org.

From my little understanding so far, I think the certificate is not signed by any CA and hence the mosquitto client is rejecting it. I have been trying to figure out how I can get the certificate signed (self-sign??) but have no clue so far.

I tried verifying the certificate file I saved, file.crt, with openssl verify as below:

openssl verify -CApath /home/vbhadra/remote_certs/ /home/vbhadra/remote_certs/file2.crt  
/home/vbhadra/remote_certs/file2.crt: CN = iot.eclipse.org
error 20 at 0 depth lookup:unable to get local issuer certificate

At this point I am a bit lost. People seem to be suggesting using a .pem certificate file with openssl verify, but I am not sure how to do that; basically I am lost. Please help with any pointer to take it further.

Recommended answer

When you run the echo | openssl s_client -showcerts -connect iot.eclipse.org:8883 command and look at the output, it contains multiple certificates, which I believe may be an issue with the way you are chopping it up with ex.

You will need both of these certs to provide a full certificate chain to verify the end-user certificate for iot.eclipse.org.

Also, did you run ca_rehash (or c_rehash on Ubuntu) in the directory with your CA files?

--capath

Define the path to a directory containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.

For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "c_rehash " each time you add/remove a certificate.

I had to rename the files to end with .pem (since this is what they actually are) and also copy the DST_Root_CA_X3.pem file from /etc/ssl/certs into the ca directory.

Also, if you want to use your own private CA then using --cafile might be a bit simpler.
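The procedure the answer describes, written out as an added example (this is not code from the question, the answer, or the Mosquitto project): keep every certificate that `openssl s_client -showcerts` prints rather than only the first block, give each one its own .pem file, add the root from a store you already trust, run c_rehash, and only then verify and point --capath at the directory. The split step runs offline here on a constructed stand-in for s_client output; the live function assumes openssl and c_rehash are on PATH, that the system store is /etc/ssl/certs, and that the root file name is the one the answer gives (DST_Root_CA_X3.pem), which may differ for the broker today. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example: rebuild a --capath directory from the chain a TLS server
# presents. Not code from the original Q&A; names below are this example's.

# split_chain FILE DIR: write one DIR/certN.pem per BEGIN/END CERTIFICATE
# block found in FILE (cert0.pem is the leaf, which the server sends first)
# and print how many certificates were written.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert" n ".pem"; n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n }
    ' "$1"
}

# subject_hash FILE: the hash c_rehash uses for the symlink name, so you
# can check that HASH.0 links appeared in the directory after rehashing.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# trust_from_broker HOST PORT DIR ROOTNAME: fetch the chain the broker
# presents, split it, copy the named root from the system store, rehash,
# and verify the leaf against the directory. Needs network access.
# Assumption: ROOTNAME exists in /etc/ssl/certs (the answer used
# DST_Root_CA_X3.pem; check which root `openssl verify` asks for today).
trust_from_broker() {
    host=$1; port=$2; dir=$3; root=$4
    mkdir -p "$dir"
    # `echo` closes stdin so s_client exits after printing the handshake.
    echo | openssl s_client -showcerts -connect "$host:$port" 2>/dev/null > "$dir/chain.txt"
    count=$(split_chain "$dir/chain.txt" "$dir")
    echo "server sent $count certificate(s)"
    # Servers normally do not send their root. Take it from a store you
    # already trust, not from the connection you are trying to verify.
    cp "/etc/ssl/certs/$root" "$dir/"
    c_rehash "$dir" >/dev/null
    echo "leaf subject hash: $(subject_hash "$dir/cert0.pem")"
    openssl verify -CApath "$dir" "$dir/cert0.pem"
}

# Offline demonstration on a constructed stand-in for s_client output.
# This is not a real chain; the base64 bodies are placeholders.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONNECTED(00000003)
depth=0 CN = iot.eclipse.org
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
DONE
EOF
DEMO_DIR=$(mktemp -d)
DEMO_COUNT=$(split_chain "$SAMPLE" "$DEMO_DIR")
echo "split wrote $DEMO_COUNT certificate file(s) into $DEMO_DIR"

# Live run against the broker from the question (uncomment to use):
# trust_from_broker iot.eclipse.org 8883 "$HOME/remote_certificate" DST_Root_CA_X3.pem
# mosquitto_pub -h iot.eclipse.org -p 8883 --capath "$HOME/remote_certificate" -t house/s1 -m "test message" -d
```

Two points worth keeping in mind when you use this. First, openssl verify resolves each issuer by subject hash in the -CApath directory, which is why the leaf alone gives "unable to get local issuer certificate" (error 20) and why c_rehash must be re-run after every file is added; c_rehash picks up both .pem and .crt files. Second, the intermediate and leaf you saved came from the connection itself, so this only establishes trust because the root was copied from the system store rather than fetched; if you instead want an independent anchor, use --cafile with a root (or your own CA) that you obtained out of band.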
