Subscribe with certificates #86
Comments
@ochrin I can give some pointers to it as I have seen this. We use Now the error originates from
If you don't have access to it, check the version of
If the certificates were generated without Always good to keep handy. PS: This library won't work with EDIT: rustls/rustls#127
Thanks for your reply.
So either rustls does not like something else in my certificate or the problem is coming from something else...
Does your certificate have SAN set?
@ochrin, Check for
Here is the EDIT: More context on this briansmith/webpki#90
Yes, looks like I don't have a SAN.
Do I understand correctly that if I want to use certificates without SAN I would need to use x509-signature instead of rustls in your rumqttc code? And I mean code rework here, not just configuration parameter changes.
@ochrin You can just think of SAN as the next version of common name (CN)
@ochrin, As I understand:
Without
@ochrin Yes. Certificate with SAN is a requirement (SAN is compulsory in the TLS spec and rustls just follows it). Can you let me know what the problem is with generating new certificates? Is this a hosted broker from a third-party vendor? If it helps, we have the below tool to generate certificates easily. The CommonName field there also fills SAN (as the spec says) https://github.com/bytebeamio/provision/blob/master/provision.go#L106
Ok, thanks for all your replies.
@tekjar.
@ochrin Why can't you use the same CA and just reprovision the server cert (with SAN) and restart the broker? That way your existing devices will continue to work?
I did a quick search this morning and thought it was not possible without reissuing the CA. But from what you say I may have misunderstood. |
@ochrin, I am afraid you are mistaken. We don't need to reissue the CA to generate a new cert. Just generate a new cert with SAN and provision that on your device and it will connect.
Would you have a link on how to do it? I can't figure it out.
https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html It's pretty simple. Just make sure that you have a
@ochrin @amrx101 I used to have scripts based on openssl but they became hard to maintain and modify. I've this go tool now
Update: Ok I've noticed it's private. I'll probably make it public in some time |
@ochrin, If you currently don't use RSA certs you could use this https://crates.io/crates/rcgen. I use this every now and then, but I have completely gotten rid of RSA certs in my personal ecosystem of certificates. I had a Go project that I needed my ex-employer to open source; they never did.
In the end, I think I succeeded to generate 'certificates' with SAN. See below
Note that may help someone:
It generates a server.crt file with SAN...
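The procedure the comments above describe, written out as an added example (this is not code from this thread, from the openssl-CA guide linked above, or from the rumqttc/bytebeam projects): sign a new broker certificate that carries a subjectAltName under the CA you already have, so that devices which already trust that CA keep working, then check the result for the SAN that rustls/webpki require and for chaining to the CA. The working directory, file names, the throwaway demo CA and the use of mysite.com (the `-h` value from the mosquitto_sub command on this page) as the broker hostname are assumptions; with a real deployment, point CA_KEY and CA_CRT at the CA already provisioned on the devices and skip make_demo_ca. The script also issues a CN-only certificate of the legacy shape so the SAN check can be seen failing on it.

```shell
#!/bin/sh
# Added example; not code from this thread or from rumqttc. Re-issues a broker
# certificate WITH a subjectAltName under an existing CA (no CA rotation), and
# checks it the way a webpki-based client effectively will. File names, the
# demo CA and the broker hostname are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BROKER_HOST="${BROKER_HOST:-mysite.com}"   # assumption: name the client connects to
CA_KEY="$WORK/mqtt-ca.key"                 # assumption: your existing CA key
CA_CRT="$WORK/mqtt-ca.crt"                 # assumption: the CA already on the devices

# Throwaway CA so the script runs stand-alone. Skip this in a real deployment.
make_demo_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-mqtt-ca" \
        -keyout "$CA_KEY" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$CA_KEY" -days 365 -sha256 \
        -extfile "$WORK/ca.ext" -out "$CA_CRT" 2>/dev/null
}

# Issue a server cert for host $1 under the existing CA and print its path.
# mode $2 = "san" adds a DNS SAN (what verifiers accept); "cn-only" reproduces
# the legacy shape with only a CommonName.
issue_server_cert() {
    host="$1"; mode="$2"; out="$WORK/server-$mode"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    {
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage=digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage=serverAuth\n'
        if [ "$mode" = san ]; then printf 'subjectAltName=DNS:%s\n' "$host"; fi
    } > "$out.ext"
    openssl x509 -req -in "$out.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -days 365 -sha256 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
    echo "$out.crt"
}

# Returns 0 if cert $1 carries a DNS SAN naming host $2, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Returns 0 if cert $1 chains to the CA the client trusts, 1 otherwise.
cert_chains_to_ca() {
    openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
    make_demo_ca
    good=$(issue_server_cert "$BROKER_HOST" san)
    bad=$(issue_server_cert "$BROKER_HOST" cn-only)
    for crt in "$good" "$bad"; do
        cert_chains_to_ca "$crt" && echo "$crt: chains to $CA_CRT"
        if cert_has_san "$crt" "$BROKER_HOST"; then
            echo "$crt: SAN DNS:$BROKER_HOST present"
        else
            echo "$crt: no SAN, a webpki-based client will reject it"
        fi
    done
}
main
```

Both certificates chain to the same CA, so the CA file already provisioned on devices stays valid; only the server-side file changes. The name in the SAN has to be exactly the host the client verifies against, here the `-h mysite.com` that the working mosquitto_sub command uses.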
@ochrin, that error is completely independent of certs. That error indicates that the server is not available at the endpoint the client is pointed at.
@ochrin Your TLS setup worked and the connection is successful. But the broker is disconnecting it immediately because of some other reason. You need to check broker logs
My mistake: a bad copy paste for the password. So now it is working. |
I am trying to subscribe to a topic with certificates but I am getting this error:
Err(Network(Io(Custom { kind: InvalidData, error: WebPKIError(BadDER) })))
I am not sure I am configuring correctly the MqttOptions. Here is what I did:
For reference, the mosquitto command I am using and which is working.
mosquitto_sub --cafile /etc/mosquitto/certs/mqtt-ca.crt -h mysite.com -p 8884 -u 'my_username' -P 'my_password' -t 'read/+/error' -v
As I am also beginning with Rust, I am not sure the ca should be provided as I did.
Any idea what I could do wrong?