mosquitto-users team mailing list archive

SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

Hi,



I am new to certificates and Mosquitto.

I am trying to update the Mosquitto version from 1.1.1 to 1.2.1.

After replacing the binaries and libraries with the new ones, I am getting
the following error while subscribing.



mosquitto_sub -h 192.168.255.2 -p 8883 -v -t "test" --cafile /etc/certs/CA/ca.crt -d



Client mosqsub/20375-CLA-0 sending CONNECT

OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Error: Protocol error



I checked some other blogs for similar issues, and some of them showed
that this could be because of the hostname not matching the CN name in the
CA certificate.

I did check the certificate and this is what I have. I could see that
the certificate has the IP address, but the connection is still failing with
a certificate verification error.

a) openssl x509 -in ca.crt -noout -text

-------

Subject: CN=FOOBAR rootCA

Subject Public Key Info:

-------



b) I was also able to connect using openssl s_client

OpenSSL> s_client -host 192.168.255.2 -port 8883 -CAfile /etc/certs/CA/ca.crt

CONNECTED(00000003)

depth=1 CN = FOOBAR rootCA

verify return:1

depth=0 C = country, ST = state, O = office, OU = unit, CN = 192.168.255.130, CN = 192.168.255.2

verify return:1

---

Certificate chain

 0 s:/C=country/ST=state/O=office/OU=unit/CN=192.168.255.130/CN=192.168.255.2

   i:/CN=FOOBAR rootCA

 1 s:/CN=FOOBAR rootCA

   i:/CN=FOOBAR rootCA

---

Server certificate

-----

    Start Time: 1382334940

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

One thing to mention here is that the subscription is successful when
"--insecure" is added to the mosquitto_sub command.

Can I get some assistance here? Kindly let me know if I am missing
something or any configuration.



Regards,

Wahid
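
Added example, not part of the original post or of the Mosquitto project: the s_client run above was given no -verify_hostname or -verify_ip option, so its "Verify return code: 0 (ok)" covers the chain only, while --insecure in mosquitto_sub turns off the server name check, which makes the name check the step to isolate. The Python below parses the depth=0 subject from the post and shows that a certificate with two CN values gives a different answer depending on which CN a client compares. The three matching policies are assumptions for illustration, not Mosquitto's confirmed logic, and the certificate is assumed to carry no subjectAltName.

```python
import ipaddress
import re

# depth=0 subject copied from the s_client output in the post.
SUBJECT = ("C = country, ST = state, O = office, OU = unit, "
           "CN = 192.168.255.130, CN = 192.168.255.2")


def common_names(subject):
    """Return every CN value of an OpenSSL one-line subject, in order.

    Handles 'CN = x, CN = y' (verify lines) and '/CN=x/CN=y' (chain lines).
    Values that themselves contain ',' or '/' are not supported.
    """
    found = re.findall(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", subject)
    return [value.strip() for value in found]


def same_name(presented, target):
    """Compare as IP addresses when both parse as one, else as text."""
    try:
        return ipaddress.ip_address(presented) == ipaddress.ip_address(target)
    except ValueError:
        return presented.lower() == target.lower()


def check(subject, target):
    """Evaluate three hypothetical CN-matching policies for one target."""
    cns = common_names(subject)
    return {
        # Policy A (assumed): only the first CN entry is compared.
        "first_cn": bool(cns) and same_name(cns[0], target),
        # Policy B (assumed): only the last CN entry is compared.
        "last_cn": bool(cns) and same_name(cns[-1], target),
        # Policy C (assumed): any CN entry may match.
        "any_cn": any(same_name(cn, target) for cn in cns),
    }


if __name__ == "__main__":
    # 192.168.255.2 is the address used with -h in the post;
    # 192.168.255.3 is a constructed address that is in no CN.
    for host in ("192.168.255.2", "192.168.255.130", "192.168.255.3"):
        print(host, check(SUBJECT, host))
```

For the address used in the post, a first-CN-only comparison rejects the certificate even though the address is present in the subject; issuing the server certificate with a single name, or with the address in subjectAltName, removes that ambiguity.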
