How to use SSL/TLS in Paho MQTT using Python: I got certificate verify failed


Problem description

Hi, I am working on IoT (Internet of Things). I am using Paho MQTT and I need to use SSL. I wrote publish code using Python and I got a "certificate verify failed" error.

Please help me, thanks in advance.

My publish code

import time
import paho.mqtt.client as paho
import ssl
import certifi
#define callback
def on_message(client, userdata, message):
  time.sleep(1)
  print("received message =",str(message.payload.decode("utf-8")))

client= paho.Client("client-001") 
client.on_message=on_message
print("connecting to broker ",)
client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt", tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(True)
client.connect("iot.eclipse.org", 8883, 60)
def on_log(client, userdata, level, buf):
  print("log: ",buf)#connect
client.loop_start() #start loop to process received messages
print("publishing ")
client.publish("$SYS/muthu","muthupavithran",)#publish
client.on_log=on_log
client.loop_forever()
#client.loop(100)

My error is

connecting to broker 
Traceback (most recent call last):
  File "C:\Windows\system32\config\systemprofile\Desktop\attachments\publishTEST WITH LOG.py", line 14, in <module>
client.connect("iot.eclipse.org", 8883, 60)
File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 768, in connect
return self.reconnect()
File "C:\Python34\lib\site-packages\paho\mqtt\client.py", line 927, in reconnect
sock.do_handshake()
File "C:\Python34\lib\ssl.py", line 810, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

My certificate is

OpenSSL> s_client -showcerts -connect iot.eclipse.org:8883
CONNECTED(00000108)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=iot.eclipse.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=iot.eclipse.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3397 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8B1F036E44D23BD9F8CB52355705726639BE769B681154D1448EB4B264EE2F43

Session-ID-ctx:
Master-Key: 538D0967D0732F7A758317E764D2550E3C1330C1192353A89E99C3E66F4B5A51
485BB4ABF8434D23398CF84615DF54CF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1534843470
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---

I got this certificate and I also tried to install certifi into Python; the same error is still showing.

Recommended answer

As worked out in the comments.

First, you need to supply the full CA chain to verify the certificate for iot.eclipse.org. As it looks to be using the LetsEncrypt CA you can find the Root and Intermediate certs here

Second, you need to clean up your publisher code.

import time
import paho.mqtt.client as paho
import ssl

#define callbacks
def on_message(client, userdata, message):
  print("received message =",str(message.payload.decode("utf-8")))

def on_log(client, userdata, level, buf):
  print("log: ",buf)

def on_connect(client, userdata, flags, rc):
  print("publishing ")
  client.publish("muthu","muthupavithran",)


client=paho.Client() 
client.on_message=on_message
client.on_log=on_log
client.on_connect=on_connect
print("connecting to broker")
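# the file passed to tls_set() is the set of CA certificates the client trusts
client.tls_set("C:/Windows/system32/config/systemprofile/Desktop/attachments/server iot.crt", tls_version=ssl.PROTOCOL_TLSv1_2)
# tls_insecure_set(True) switches off the hostname check on the broker certificate
client.tls_insecure_set(True)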
client.connect("iot.eclipse.org", 8883, 60)

##start loop to process received messages
client.loop_start()
#wait to allow publish and logging and exit
time.sleep(1)

This code uses the on_connect callback to ensure it doesn't try and publish if there is a failure to connect, it also removes the hardcoded client id to allow the client to use a randomly generated one so it's less likely to clash on a public test broker. The call to client.loop_forever() is also removed as you have already started the network loop and this client doesn't need to run forever.

Third, you really should not be publishing to $SYS topics, these topics are for the broker to report status, not for general use. Also the iot.eclipse.org broker is for testing, you should not be planning to use this for anything in production.
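
Why the contents of the CA file decide the outcome, as an added example that is not part of the original question or answer: the script builds a throwaway root -> intermediate -> leaf chain with openssl and verifies the leaf against three different CA files, reproducing the "error 20 at depth 1" from the s_client output above when the CA file lacks the issuing root. All certificate names and file names are constructed for the demo, and it assumes an openssl 1.1.1 or newer binary on the PATH.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain (all names are made up).

# make_chain DIR: create root.crt, int.crt, leaf.crt and chain.pem inside DIR.
make_chain() {
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}

# check_cafile DIR CAFILE: verify the leaf while trusting only CAFILE. The intermediate
# is passed as untrusted, which mirrors a broker sending it during the handshake.
# Prints "OK" or the first numbered verify error; returns non-zero on failure.
check_cafile() {
  if out=$(openssl verify -CAfile "$1/$2" -untrusted "$1/int.crt" "$1/leaf.crt" 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | grep -E '^error [0-9]+' | head -n 1
    return 1
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
# leaf.crt  = only the server certificate used as CA file (fails)
# root.crt  = the root CA alone (passes, the intermediate comes from the peer)
# chain.pem = intermediate + root (passes)
for ca in leaf.crt root.crt chain.pem; do
  printf '%-10s %s\n' "$ca" "$(check_cafile "$work" "$ca")"
done
```

The file given to client.tls_set() plays the role of -CAfile here, so it has to contain the issuing CA certificates; tls_insecure_set(True) only disables the hostname check and does not change this result.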
