Trying to connect to test.mosquitto.org:8883/8884 (SSL connection) gives the following error

Problem description

I am running this on a Raspberry Pi. First I generated ca.key using

    openssl genrsa -des3 -out ca.key 2048
    openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

I created the server certificate using

    openssl genrsa -out server.key 2048
    openssl req -new -out server.csr -key server.key
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

and created client.key and client.crt using the same steps as for the server.

    mosquitto_pub --cert client.crt --key client.key -h test.mosquitto.org -p 8883 \
        -m "hellohibye" -i c10dd3be-a258-478f-b7aa-da9aa734a373 \
        -t ack/c10dd3be-a258-478f-b7aa-da9aa734a373 -d

When I try to run the command in the same working directory, this is the error I get:

    Client c10dd3be-a258-478f-b7aa-da9aa734a373 sending CONNECT
    OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify Failed
    Error: A TLS error occurred.

This is what my client.crt looks like:

    openssl x509 -text -noout -in client.crt
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
        15:d3:db:e7:b0:cc:76:e8:67:01:5c:a0:73:48:85:77:c5:1d:bd:af
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = in,ST = ka,O = livn,CN = test.mosquitto.org
    Validity
        Not Before: Jul 29 08:38:24 2021 GMT
        Not After : Jul 24 08:38:24 2022 GMT
    Subject: C = in,ST = ba,L = ka,CN = test.mosquitto.org
    Subject Public Key Info:
        Public Key Algorithm: rSAEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

This is my server.crt:

    openssl x509 -text -noout -in server.crt
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
        15:d3:db:e7:b0:cc:76:e8:67:01:5c:a0:73:48:85:77:c5:1d:bd:ad
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = in,CN = test.mosquitto.org
    Validity
        Not Before: Jul 29 07:50:34 2021 GMT
        Not After : Jul 24 07:50:34 2022 GMT
    Subject: C = in,CN = test.mosquitto.org
    Subject Public Key Info:
        Public Key Algorithm: rSAEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Any help would be appreciated. I tried connecting to port 8884 and then got this error as well:

    mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h test.mosquitto.org -p 8884 -t test -m "hello there" -i c1 -d
    Client c1 sending CONNECT
    OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify Failed
    Error: A TLS error occurred.

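Solution

The problem is that you are not providing a valid hostname.

    -h test.mosquitto.org:8883

You need to provide the port number separately:

    -h test.mosquitto.org -p 8883

You also need to use the correct CA certificate to verify the test.mosquitto.org broker: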

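From the test.mosquitto.org web page:

The encrypted ports support TLS v1.3, v1.2 or v1.1 with x509 certificates and require client support to connect. For ports 8883 and 8884 you should use the certificate authority file (mosquitto.org.crt (PEM format) or mosquitto.org.der (DER format)) to verify the server connection. Port 8081 has a Lets Encrypt certificate, so you should use your system CA certificates or the appropriate Lets Encrypt CA certificate for verification.

Also from the website: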

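  • 1883: MQTT, unencrypted, unauthenticated
  • 1884: MQTT, unencrypted, authenticated
  • 8883: MQTT, encrypted, unauthenticated
  • 8884: MQTT, encrypted, client certificate required
  • 8885: MQTT, encrypted, authenticated
  • 8887: MQTT, encrypted, server certificate deliberately expired
  • 8080: MQTT over WebSockets, unencrypted, unauthenticated
  • 8081: MQTT over WebSockets, encrypted, unauthenticated
  • 8090: MQTT over WebSockets, unencrypted, authenticated
  • 8091: MQTT over WebSockets, encrypted, authenticated

It clearly states here that if you want to use client certificate authentication, you need to use port 8884, not 8883.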
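
Added example, not part of the original question or answer: an offline reproduction of why `tls_process_server_certificate:certificate verify failed` appears when the trust anchor is a self-made CA instead of the CA that signed the broker's certificate. All names here (`broker_ca`, `own_ca`, `broker.example`, the helper functions) are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: all keys, certificates and names are generated locally.
# broker_ca stands in for the CA that signed the broker's certificate;
# own_ca stands in for a self-made ca.crt like the one in the question.

make_ca() {      # make_ca <name> <CN>: self-signed CA with an unencrypted key
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # issue_cert <name> <CN> <ca-name>: key, CSR, cert signed by CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -out "$1.crt" -days 30 2>/dev/null
}

chain_ok() {     # chain_ok <ca-file> <cert>: exit 0 only if cert chains to CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {     # prints one result line per trust anchor tried
    local dir rc=0
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca broker_ca "Demo Broker CA" || exit 1
        make_ca own_ca "Demo Own CA" || exit 1
        issue_cert broker "broker.example" broker_ca || exit 1
        for ca in own_ca broker_ca; do
            if chain_ok "$ca.crt" broker.crt; then
                echo "$ca: OK"
            else
                echo "$ca: certificate verify failed"
            fi
        done
    ) || rc=1
    rm -rf "$dir"
    return "$rc"
}

run_demo
```

Against the real service, the trust anchor that plays the role of `broker_ca.crt` is the `mosquitto.org.crt` file named in the quoted text, passed to `mosquitto_pub` with `--cafile`.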