GMQTT with TLS: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed #77

Closed
nicoCalvo opened this issue Dec 2, 2019 · 5 comments


@nicoCalvo

TLS option is not working as expected. I can only set ssl to True but I cannot provide a path to the cert file.
Mosquitto configuration is working ok with TLS both publisher and subscriber:

mosquitto_sub --cafile /etc/mosquitto/ca_certificates/ca.crt -h 37c16a79d00a -t 'test' -p 8883 -u report -P 'report'


mosquitto_pub --cafile /etc/mosquitto/ca_certificates/ca.crt -h 37c16a79d00a -t 'test' -m 'amessage' -p 8883 -u report -P 'report'


mosquitto -v -c /etc/mosquitto/mosquitto.conf

1575295867: New client connected from 172.17.0.3 as mosq-W7nvl4LtsfAVItCtHT (p2, c1, k60, u'report').
1575295867: Client mosq-W7nvl4LtsfAVItCtHT disconnected.
1575295870: New connection from 172.17.0.3 on port 8883.

If I try to apply the same configuration for gmqtt, I get the error in the title.

# EXAMPLE
import asyncio

from gmqtt import Client


async def main():
    cli = Client(client_id='test',
                 will_message=None,
                 clean_session=True)
    cli.set_auth_credentials('report', password='report')
    await cli.connect(host='37c16a79d00a',
                      port=8883,
                      keepalive=True,
                      ssl=True)

if __name__ == '__main__':
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main())

ERROR FILE

gmqtt/mqtt/connection.py

ERROR LINE

transport, protocol = await loop.create_connection(MQTTProtocol, host, port, ssl=ssl)

ERROR MESSAGE

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)

I would like to know how to implement TLS over gmqtt. Could you provide a quick example?
Thanks

@Lenka42
Collaborator

Lenka42 commented Dec 2, 2019

Hi @nicoCalvo
You should pass an ssl.SSLContext object as the ssl argument (if you pass ssl=True, ssl.create_default_context() is used).
So I guess in your case you should create the context yourself and pass it to the client.connect method:

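import ssl

# ca_file: path to the CA certificate that signed the broker's certificate
# (the file passed to mosquitto_sub --cafile)
ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
# load_verify_locations() loads a CA to trust; load_cert_chain() is only for
# the client's own certificate and private key
ssl_ctx.load_verify_locations(cafile=ca_file)
await cli.connect(host='37c16a79d00a',
                  port=8883,
                  keepalive=True,
                  ssl=ssl_ctx)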

@nicoCalvo
Author

Hi @Lenka42 you're right! That was the problem, actually I made it work this way:

import asyncio
import socket
import ssl
from gmqtt import Client


async def main():
    cli = Client(client_id='test',
                 will_message=None,
                 clean_session=True)
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)

    ssl_context.load_cert_chain('/etc/mosquitto/certs/mosquitto_client.crt',
                                keyfile='/etc/mosquitto/certs/mosquitto_client.key')
    await cli.connect(host='localhost', # socket.gethostname()
                      port=8883,
                      keepalive=True,
                      ssl=ssl_context)
    cli.publish('test','lala')

if __name__ == '__main__':
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main())

Thanks for your help.
Best,
Nick
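
A context created from a bare protocol constant such as `ssl.PROTOCOL_TLSv1_2` keeps `verify_mode` at `CERT_NONE` and `check_hostname` off, so the connection succeeds without the broker's certificate ever being validated. The following is an added example, not code from this thread or from gmqtt (`audit_context`, `broker_context` and `thread_style_context` are hypothetical helper names): it flags such a context and builds one that trusts only the private CA.

```python
import ssl
import warnings


def audit_context(ctx):
    """Return the reasons this context would not authenticate the broker."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is %s: broker certificate is not validated"
                        % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate from a trusted CA "
                        "is accepted for any host name")
    return findings


def broker_context(cafile, certfile=None, keyfile=None):
    """Verifying client context that trusts only the private CA in `cafile`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=cafile)       # same role as mosquitto_sub --cafile
    if certfile:                                   # only when the broker wants a client cert
        ctx.load_cert_chain(certfile, keyfile=keyfile)
    return ctx


def thread_style_context():
    """Bare protocol-constant context as used above, without the cert loading."""
    with warnings.catch_warnings():
        # The constant is deprecated in newer Python versions but still available.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)


if __name__ == "__main__":
    for name, ctx in [("PROTOCOL_TLSv1_2", thread_style_context()),
                      ("PROTOCOL_TLS_CLIENT", ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))]:
        print(name, audit_context(ctx) or "verifies the broker")
    # Usage with gmqtt (CA path taken from the mosquitto_sub command in this issue):
    #   ctx = broker_context('/etc/mosquitto/ca_certificates/ca.crt')
    #   await cli.connect(host='37c16a79d00a', port=8883, ssl=ctx)
```

With hostname checking on, the `host` passed to `connect()` has to match a name in the broker's certificate.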

@Lenka42 Lenka42 closed this as completed Dec 10, 2019
@nitinkothari17

nitinkothari17 commented Jan 12, 2021

Hi

I would also like to know how to implement TLS over gmqtt. Could you please provide an example?
The one which is in the thread is SSL, not TLS.

Does gmqtt support TLS? I know that paho-mqtt does.

@Mixser
Contributor

Mixser commented Jan 13, 2021

Hi @nitinkothari17

Yes, gmqtt supports SSL/TLS.

Is the code above not working for you (it uses the TLS 1.2 protocol)? If you look through the paho.mqtt code, you will see that they make an SSL/TLS connection by building an SSLContext object, as in the example above.

If you run into a problem, please create a new issue and include more information about it (OS version, Python version, which broker you use, which version of TLS, and an example of your code).

@nitinkothari17

Hi @Mixser

I'm new to this and exploring TLS/SSL on gmqtt. I just want to know how we can generate the mosquitto_client.crt and mosquitto_client.key that are used in the above code.
