MQTT with self-signed certificates

Hi!

I am trying to connect LoRa components to an MQTT broker (VerneMQ) with self-signed certificates.
I can connect to the broker with the CA file using MQTT.fx without any problems, but when I add to the config

ca_cert="/etc/lora-app-server/mqtt_ca.crt"

I get openssl errors (server="ssl://127.0.0.1:8883"):

ERRO[0000] handler/mqtt: connecting to broker error, will retry in 2s: Network Error : x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

or (server="ssl://localhost:8883")

ERRO[0000] handler/mqtt: connecting to broker error, will retry in 2s: Network Error : x509: certificate is valid for vernemq, not localhost

Broker logs for this are (no messages for mqtt.fx connection):

2018-11-22 08:34:04.890 [info] <0.546.0> TLS server: In state certify received CLIENT ALERT: Fatal - Bad Certificate

What is the best way to solve this problem?

I think that’s the key: you created a certificate for the host vernemq, which of course isn’t equal to localhost and thus is invalid. Create one for localhost and you should be fine.

The thing is, I did not set up hostnames. Is there any other way to solve this without messing with certificate regeneration?

If your host isn’t named as the certificate says, it should throw an error or else that’d be a security hole. So no, the certificate must be correct.