Error while using a self-signed SSL certificate for an MQTT broker
I am using a Mosquitto broker with username and password authentication. The broker URL has been made public so that it can be accessed by the Django website and the Raspberry Pi. Now I am trying to implement SSL certificate authentication, but I get errors like

unknown ca, [Win Error 10054] An existing connection was forcibly closed by the remote host, hand shake failed

How do I fix this?
http://www.steves-internet-guide.com/mosquitto-tls/
I am following this article to create the SSL certificate.
Are there any issues with using a self-signed certificate for an MQTT broker on a public URL?
My mosquitto.conf file looks like this
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 8883
use_identity_as_username true
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
and the broker is called from the Raspberry Pi like this
client.tls_set(ca_certs = "certificate path")
client.tls_insecure_set(True)
import time
import paho.mqtt.client as mqtt

# The callback for when the client receives a CONNACK response from the server.
def on_connect(client, userdata, flags, rc):
    print("Connected with result code "+str(rc))
    # Subscribing in on_connect() means that if we lose the connection and
    # reconnect then subscriptions will be renewed.
    client.subscribe("$SYS/#")

# The callback for when a PUBLISH message is received from the server.
def on_message(client, userdata, msg):
    print(msg.topic+" "+str(msg.payload))

broker = "broker name"
#mqtt_port = 1883
mqtt_port = 8883
client = mqtt.Client(str(int(time.time()))) # create client object
# callbacks are attached to the client object that is actually connected
client.on_connect = on_connect
client.on_message = on_message
client.tls_set("./ca.crt")
client.tls_insecure_set(True)
client.connect(broker, mqtt_port)
client.loop_start()
First, you should remove the following lines from mosquitto.conf

use_identity_as_username true
require_certificate true

They are only used when you are using client certificates, which is not the case in the provided code.
Second, assuming the file ca.crt is in the same directory as the script, you should start with the following. (It also assumes the broker certificate has a matching CN/SAN entry that matches the broker hostname/IP address.)

...
# tls_set() builds the TLS context itself; the CA file is passed as ca_certs
client.tls_set(ca_certs="./ca.crt")
client.connect(broker, mqtt_port)
client.loop_start()
The other option is to disable checking that the broker's certificate is signed by any CA and that its CN/SAN matches the hostname used to access the broker.
...
client.tls_set_context()
client.tls_insecure_set(True)
client.connect(broker, mqtt_port)
client.loop_start()
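As an added example (not code from the question, the answer, or paho-mqtt itself), the helpers below build the same kind of ssl.SSLContext that paho's tls_set()/tls_set_context() work with, so the self-signed ca.crt is trusted without switching off hostname checking, and read the broker side of the mosquitto.conf shown above to tell whether require_certificate true forces the client to present its own certificate. The names mode_for_config, make_context, summarize and connect_with_context are hypothetical helpers; only connect_with_context assumes paho-mqtt is installed.

```python
import os
import ssl


def mode_for_config(conf_text):
    """Read the page's mosquitto.conf: require_certificate true means the broker
    demands a client certificate, so the client must run in 'mutual' mode."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "require_certificate":
            return "mutual" if parts[1].lower() == "true" else "verify"
    return "verify"


def make_context(mode, ca_file=None, client_cert=None, client_key=None):
    """Build the ssl.SSLContext to hand to client.tls_set_context().
    verify   - trust only the broker's own CA; the broker cert must chain to ca_file
               AND its CN/SAN must match the hostname given to connect().
    mutual   - as verify, plus the client presents its own certificate (needed
               while mosquitto.conf keeps require_certificate true).
    insecure - what tls_insecure_set(True) does in paho: the hostname check is
               switched off, so any cert from the same CA passes. Lab use only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if mode in ("verify", "mutual"):
        if not ca_file or not os.path.isfile(ca_file):
            # Catches the question's "certificate path" placeholder before any handshake.
            raise FileNotFoundError("CA file not found: %r" % ca_file)
        ctx.load_verify_locations(cafile=ca_file)
        if mode == "mutual":
            ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    elif mode == "insecure":
        ctx.load_default_certs()  # same trust store ssl.create_default_context() loads
        ctx.check_hostname = False
    else:
        raise ValueError("unknown mode %r" % mode)
    return ctx


def summarize(ctx):
    """Plain-data view of what a device will enforce, handy for a startup log line."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def connect_with_context(broker, port, ctx):
    """Replaces tls_set()/tls_insecure_set() in the question's script (needs paho-mqtt)."""
    import paho.mqtt.client as mqtt  # imported here so the helpers above need only stdlib
    client = mqtt.Client()
    client.tls_set_context(ctx)
    client.connect(broker, port)
    return client
```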