Error when using a self-signed SSL certificate with the MQTT broker
I was using the Mosquitto broker with username and password authentication. The broker URL is public so that it can be accessed by a Django website and a Raspberry Pi. Now I am trying to implement SSL certificate authentication, but I am getting errors like:
unknown ca, [WinError 10054] An existing connection was forcibly closed by the remote host,
handshake failed
How do I resolve this?
My mosquitto.conf file looks like this:
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 8883
use_identity_as_username true
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I am calling the broker from the Raspberry Pi like this:
client.tls_set(ca_certs = "certificate path")
client.tls_insecure_set(True)

import time
import paho.mqtt.client as mqtt

# The callback for when the client receives a CONNACK response from the server.
def on_connect(client, userdata, flags, rc):
    print("Connected with result code " + str(rc))
    # Subscribing in on_connect() means that if we lose the connection and
    # reconnect then subscriptions will be renewed.
    client.subscribe("$SYS/#")

# The callback for when a PUBLISH message is received from the server.
def on_message(client, userdata, msg):
    print(msg.topic + " " + str(msg.payload))

broker = "broker name"   # public hostname of the Mosquitto broker
#mqtt_port = 1883        # plain MQTT
mqtt_port = 8883         # MQTT over TLS

# Create the client object once; a second mqtt.Client(...) call would discard the callbacks.
client = mqtt.Client(str(int(time.time())))  # client id derived from the current time
client.on_connect = on_connect
client.on_message = on_message
client.tls_set("./ca.crt")       # trust the private CA that signed the broker certificate
client.tls_insecure_set(True)    # skip the hostname check against the certificate's CN/SAN
client.connect(broker, mqtt_port)
client.loop_start()              # run the network loop in a background thread
http://www.steves-internet-guide.com/mosquitto-tls/
I am following this article to create the SSL certificate.
Is there any issue in using a self-signed certificate on an MQTT broker with a public URL?
Comments (1)
First, you should remove the following lines from mosquitto.conf.
They are only used when you are using client-side certificates, which you are not in the code provided.
Second, assuming that the file ca.crt is in the same directory as the script and the directory you start it from, the following should work. (It also assumes that the broker certificate has a matching CN/SAN entry to match the broker hostname/IP address.)
Another option is this, which will disable checking that the broker's certificate is signed by any CA and that its CN/SAN matches the hostname used to access the broker.