MQTT Host name verification failure (SSL)

Hi HA community.

I’ve spent days attempting to send an MQTT update between two RPis, one with a hass.io instance using the MQTT broker addon (installed by supervisor), the other from a blank RPi install using “mosquitto-clients”.

I’ve successfully managed to do this on an insecure port, however I’m having issues using TLS/SSL.

I’ve generated the server certificates following this guide
I’ve generated the client certificates following this guide

I have followed @duceduc’s post regarding creating a v3.ext file to include DNS & IP.

I’ve successfully sent encrypted updates internal to my home network.
The issue is with external communication via the internet.

I can successfully send an update if I include “--insecure” in the publish command. However, without it the following error is received.

Client mosqpub|920-raspberrypi sending CONNECT
Error: host name verification failed.
OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.

It seems there’s an issue with the host name. What host name should be used in the Common Name when generating the certs? I’ve tried “hassio” (from the system tab under supervisor)… I’ve tried the hostname on the mosquitto broker page, “core-mosquitto”. I’ve tried the local IP as well.

Additional information.
Example command - internal to network - no issue

mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h 192.168.0.50 -p 8883 -u mqtt -P password -t "topic" -m "1234" -d

Example command - External to network with “--insecure” - no issue

mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h <xxxxx>.duckdns.org -p 8883 -u mqtt -P password -t "topic" -m "1234" --insecure

Example command - External to network - fail

mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h <xxxxx>.duckdns.org -p 8883 -u mqtt -P password -t "topic" -m "1234"

Note:
I’m using Let’s Encrypt and DuckDNS, so the host is pointing at .duckdns for hostname resolution.

Any guidance or suggestions on the common name would be appreciated.

The CN of the mosquitto server certificate (or one of its alt_names) must be the one you use to connect, i.e. <xxxxx>.duckdns.org

Thanks for the suggestion.

I did try xxxxxx.duckdns.org as the CN, with no luck, same error.

After several tries, I populated as many alt names as I could think of and I have managed to get this to work. I don’t know which alt name has fixed the issue, but at this stage I’m just happy it’s working.

For anyone else who is attempting SSL/TLS with MQTT, see below for the alt names used. Hopefully this saves some time. I’ll post every step I did in order later.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hassio
DNS.2 = hassio.local
DNS.3 = hassio.local.core-mosquitto
DNS.4 = hassio.core-mosquitto
DNS.5 = duckdns.org
DNS.6 = <xxxxx>.duckdns.org
DNS.7 = <Router>
DNS.8 = <Router>.hassio.local
DNS.9 = <Router>.hassio.local.core-mosquitto
DNS.10 = <Router>.hassio.core-mosquitto
IP = 192.168.0.50

Where “router” is the name of my router.

Note, I have my hassio behind a modem router, with 8883 port forwarded for MQTT.

Steps

  1. Create a shared folder on the RPi where you can create and copy files, e.g.
/home/pi/shared
  2. Create a file called v3.ext in the above location and paste the following in, where Router is the name of your router and xxxx is your duckdns address. (These are not all needed, but I’m not spending time to figure out which ones are not needed!)
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hassio
DNS.2 = hassio.local
DNS.3 = hassio.local.core-mosquitto
DNS.4 = hassio.core-mosquitto
DNS.5 = duckdns.org
DNS.6 = <xxxxx>.duckdns.org
DNS.7 = <Router>
DNS.8 = <Router>.hassio.local
DNS.9 = <Router>.hassio.local.core-mosquitto
DNS.10 = <Router>.hassio.core-mosquitto
IP = 192.168.0.50
  3. Run the following commands in order to generate the cert and server files
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -extfile v3.ext -CAkey ca.key -CAcreateserial -out server.crt -days 720

When prompted to add info regarding the common name, I used “hassio”

  4. Run the following commands in order to generate the client files
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -extfile v3.ext -CAkey ca.key -CAcreateserial -out client.crt -days 720

When prompted to add info regarding the common name, I used “hassio”

  5. I had to modify perms so I could then grab the files (via Samba) and transfer them to my HA ssl folder.
sudo chmod -R 777 /home/pi/shared
  6. Copy the following files to your hassio ssl folder
ca.crt
server.crt
server.key
  7. Copy the following files to your client
ca.crt
client.crt
client.key
  8. Set up your hassio MQTT Broker as per below
logins:
  - username: user
    password: pass
customize:
  active: false
  folder: mosquitto
certfile: server.crt
keyfile: server.key
require_certificate: true
cafile: ca.crt
  9. Open port 8883 and point it to your hassio IP address.

Test an MQTT publish message.

mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h xxxx.duckdns.org -p 8883 -u user -P pass -t "topic" -m "it's working!" -d
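The host name check behind the “host name verification failed” error in the thread, and the reason the alt_names list above is what fixed it, as an added example that is not code from the thread, from mosquitto or from Home Assistant: a pure-Python implementation of the matching rule a TLS client applies to the server certificate (subjectAltName entries first; commonName only when the certificate has no SAN at all), run against two constructed certificate summaries in the dict shape Python’s ssl module returns. The name example-home.duckdns.org stands in for the <xxxxx>.duckdns.org placeholder.

```python
import ipaddress

# Constructed certificate summaries, shaped like ssl.SSLSocket.getpeercert() output.
# CERT_CN_ONLY mirrors the original failing server cert; CERT_WITH_SAN mirrors one
# issued with a v3.ext subjectAltName list like the one posted in the thread.
CERT_CN_ONLY = {"subject": ((("commonName", "hassio"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "hassio"),),),
    "subjectAltName": (
        ("DNS", "hassio"),
        ("DNS", "hassio.local"),
        ("DNS", "example-home.duckdns.org"),  # stands in for <xxxxx>.duckdns.org
        ("IP Address", "192.168.0.50"),
    ),
}


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' covering only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        # *.duckdns.org matches a.duckdns.org but not a.b.duckdns.org or duckdns.org
        return "." in host and pattern[2:] == host.split(".", 1)[1]
    return False


def cert_matches_host(cert: dict, host: str) -> tuple[bool, str]:
    """Return (ok, reason) for the name check a TLS client runs on the server cert.
    Once a subjectAltName extension is present the commonName is ignored, which is
    why setting the CN to the duckdns name alone did not clear the error."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, so only DNS entries may match
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and _dns_label_match(value, host):
                return True, f"matched SAN DNS:{value}"
            if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
                return True, f"matched SAN IP:{value}"
        return False, "no subjectAltName entry matches; commonName is not consulted"
    # Legacy fallback: commonName is consulted only when the cert carries no SAN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and ip is None and _dns_label_match(value, host):
                return True, f"matched legacy commonName {value}"
    return False, "host name verification failed"
```

The -h value passed to mosquitto_pub is the host that is checked, so the internal 192.168.0.50 command succeeds on the IP entry while the external command needs the DNS entry for the duckdns name.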