ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed #85

Closed
tosone opened this issue Jun 22, 2016 · 7 comments

@tosone

commented Jun 22, 2016

Environment

  • Ubuntu 16.04
  • openssl OpenSSL 1.0.2g-fips

    client_id = self.appKey + ":" + self.appSecret
    client = mqtt.Client(client_id = client_id, clean_session = True,  protocol = "MQTTv311")
    getHash.username(self.appKey, self.appSecret, self.deviceId, self.deviceSecret)
    client.tls_set("key.pem", certfile = "certificate.pem", keyfile = "privatekey.pem", tls_version = ssl.PROTOCOL_TLSv1_1)
    client.on_connect = self.on_connect
    client.on_message = self.on_message
    client.tls_insecure_set(True)
    client.username_pw_set(getHash.username(self.appKey, self.appSecret, self.deviceId, self.deviceSecret))
    client.connect(res.get("host"),  port = int(res.get("port")), keepalive = 120)
    client.loop_forever()

I get:

  File "get.py", line 3, in <module>
    a.printf()
  File "/home/tosone/Desktop/test/aliyunIot/aliyun/aliyun.py", line 17, in printf
    self.connect(response)
  File "/home/tosone/Desktop/test/aliyunIot/aliyun/aliyun.py", line 28, in connect
    client.connect(res.get("host"),  port = int(res.get("port")), keepalive = 120)
  File "/home/tosone/.local/lib/python2.7/site-packages/paho/mqtt/client.py", line 686, in connect
    return self.reconnect()
  File "/home/tosone/.local/lib/python2.7/site-packages/paho/mqtt/client.py", line 821, in reconnect
    ciphers=self._tls_ciphers)
  File "/usr/lib/python2.7/ssl.py", line 929, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 597, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 826, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

You can find my source code here: https://github.com/tosone/aliyun-mqtt

@tosone

Author

commented Jun 22, 2016

const mqtt = require('mqtt');
const connect = Promise.coroutine(function*(appKey, appSecret, deviceId, deviceSecret) {
  const authResult = yield auth(appKey, appSecret, deviceId, deviceSecret);
  const pubkey = authResult.pubkey;
  const host = authResult.host;
  const port = authResult.port;
  console.log(pubkey.toString());
  return mqtt.connect(`tls://${host}:${port[0]}`, {
    clientId: appKey + ':' + deviceId,
    username: createUsername(appKey, appSecret, deviceId, deviceSecret),
    rejectUnauthorized: false,
    cert: pubkey,
    keepalive: 120
  });
});

In NodeJs it works very well.

@ralight

Contributor

commented Jun 22, 2016

CERTIFICATE_VERIFY_FAILED usually means that the server is providing a certificate that is not signed by a CA certificate your client trusts (i.e. you've given the client the "wrong" CA root certificate), or that the server does not provide a complete chain of certificates from the root to the server certificate.

client.tls_set("key.pem", certfile = "certificate.pem", keyfile = "privatekey.pem", tls_version = ssl.PROTOCOL_TLSv1_1)

It seems a bit suspicious that the CA certificates you wish to trust are in a file called key.pem.

client.tls_insecure_set(True)

This is ok for the moment, but don't forget to set this to false when you have it working.

@tosone

Author

commented Jun 22, 2016

Ummm, client.tls_insecure_set(True): True or False is the same.

@ralight

Contributor

commented Jun 22, 2016

Yes, I'm just reminding you that this isn't an option you should rely on in production.

@jamesmyatt

Contributor

commented Sep 29, 2016

Remember that client.tls_insecure_set(True) only stops it checking the hostname, but doesn't stop it from attempting to verify the server certificate. You need to change the cert_reqs setting to ssl.CERT_NONE to do that, I think.

Again, you wouldn't want to do that in production though.
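The two causes discussed in the comments above (an untrusted or incomplete chain versus a hostname mismatch) can be told apart by handshaking twice, once with full verification and once with only the hostname check relaxed. This is an added example, not code from the thread or from paho-mqtt; it assumes Python 3.7+ and the standard `ssl` module, and all function names are hypothetical.

```python
import socket
import ssl


def make_context(ca_file=None, check_hostname=True):
    """Client context that always verifies the chain; only the hostname
    check is optional (the part tls_insecure_set(True) is said to disable)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # None = system trust store
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def handshake_error(host, port, ctx, timeout=5.0):
    """Return None if the TLS handshake succeeds, else the error text."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLError as exc:
        return getattr(exc, "verify_message", None) or str(exc)


def classify(strict_err, no_hostname_err):
    """Map the two handshake results onto the causes named in the thread."""
    if strict_err is None:
        return "ok"
    if no_hostname_err is None:
        return "hostname"  # chain is trusted; only the name check fails
    # Wrong CA file or incomplete chain from the server. Other TLS errors
    # (e.g. a protocol mismatch) also land here, so read the returned message.
    return "chain"


def diagnose(host, port, ca_file=None):
    """Handshake with full verification, then without the hostname check."""
    strict = handshake_error(host, port, make_context(ca_file, True))
    relaxed = None
    if strict is not None:
        relaxed = handshake_error(host, port, make_context(ca_file, False))
    return classify(strict, relaxed), strict


if __name__ == "__main__":
    import sys
    # usage: python tls_diag.py HOST PORT [CA_FILE]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(diagnose(sys.argv[1], int(sys.argv[2]), ca))
```

A result of `chain` means relaxing the hostname check cannot help: the CA file passed as `ca_certs` does not anchor the certificate chain the broker presents.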

@PierreF

Contributor

commented Apr 22, 2017

Issue seems solved. Feel free to reopen if the issue persists.

@PierreF closed this Apr 22, 2017

@markusand


commented Jun 22, 2018

I'm having the same problem, with a different error code though:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

In Python I have:

TLS_CA = "./certs/mqtt.crt"
TLS_v = ssl.PROTOCOL_TLSv1_2
client.tls_set(ca_certs=TLS_CA, tls_version=TLS_v)

Adding cert_reqs=ssl.CERT_NONE the connection is established properly, but the intention of using certificates is precisely not having to avoid them, so it's not a real option.

I'm on a Raspberry Pi, using a self-signed server certificate created with OpenSSL.
I have added the certificate to the root certificates following this just in case, but nothing changes.
