Unable to connect with certificate

Hello,
I am trying to use certificates to connect the gateway to my MQTT broker.
Here is my setup:

MQTT broker:

  • Mosquitto 2.0.15 as a docker in a VPS
  • mosquitto.conf:
per_listener_settings true
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log

listener 1883

## Authentication ##
allow_anonymous false
password_file /mosquitto/data/password.txt

listener 8883

cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/broker.crt
keyfile /mosquitto/config/certs/broker.key

require_certificate true
use_identity_as_username true

tls_version tlsv1.2

Gateway:

**esp32dev-multi_receiver with the configurations: **

  • prod_env.ini:
[env:esp32dev-multi_receiver]
platform = ${com.esp32_platform}
board = esp32dev
board_build.partitions = min_spiffs.csv
lib_deps =
  ${com-esp.lib_deps}
  ${libraries.rc-switch}
  ${libraries.smartrc-cc1101-driver-lib}
  ${libraries.rtl_433_ESP}
  ${libraries.esppilight}
  ${libraries.newremoteswitch}
  ${libraries.wifimanager32}
build_flags =
  ${com-esp.build_flags}
  '-DZgatewayRF="RF"'
  '-DZgatewayRF2="RF2"'
  '-DZgatewayRTL_433="RTL_433"'
  '-DZgatewayPilight="Pilight"'
  '-DZradioCC1101="CC1101"'
  '-DGateway_Name="OpenMQTTGateway_multi_receiver"'
  '-DvalueAsASubject=true'  ; mqtt topic includes model and device (rtl_433) or protocol and id ( RF and PiLight )
;  '-DDEFAULT_RECEIVER=1'  ; Default receiver to enable on startup
  '-DESPWifiManualSetup="true"'
  '-Dwifi_ssid="redacted"'
  '-Dwifi_password="redacted"'
  '-DMQTT_USER="redacted"'
  '-DMQTT_PASS="redacted"'
  '-DMQTT_SERVER="redacted"'
  '-DMQTT_PORT="8883"'
  '-DMQTT_SECURE_SELF_SIGNED=1'

Certificates configured on “User_config.h”:

  • CA certificated copied under:
const char* ss_server_cert PROGMEM = R"EOF("
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
")EOF";
  • client certificate:
const char* ss_client_cert PROGMEM = R"EOF("
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
")EOF";

const char* ss_client_key PROGMEM = R"EOF("
-----BEGIN RSA PRIVATE KEY-----
redacted
-----END RSA PRIVATE KEY-----
")EOF";

Using the same certificates, I can connect without issues to the broker using MQTT.fx, but the gateway cannot.

Here are the errors I get:

  • on terminal:
W: MQTT connection...
[E][WiFiClient.cpp:439] read(): fail on fd 55, errno: 104, "Connection reset by peer"
W: failure_number_mqtt: 1
W: failed, rc=-1
  • on broker:
1663400152: Client OpenMQTTGateway_multi_receiver has exceeded timeout, disconnecting.
1663400165: New connection from redacted:62689 on port 8883.
1663400165: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400165: Client <unknown> disconnected: Protocol error.
1663400187: New connection from redacted:62690 on port 8883.
1663400187: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400187: Client <unknown> disconnected: Protocol error.
1663400196: New connection from redacted:50931 on port 8883.
1663400196: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400196: Client <unknown> disconnected: Protocol error.
1663400219: New connection from redacted:50932 on port 8883.
1663400219: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400219: Client <unknown> disconnected: Protocol error.
...

I have the feeling I am missing something. I tried with different tls_version but no positive results. BTW, the error is the same ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version if I comment out ‘tls_version’, which make me thinking is something on the certificates inside gateway.
Also, CA is created with correct FQDN (my DDNS address).
Of course, if I am using with user/pass on port 1883 is working fine.

Please tell me what I am doing wrong.

Thank you!

Hello,

When setting your credentials on wifimanager, did you checked Mqtt secure option?

You can choose the value of this checkbox by adding the following macro:
-DMQTT_SECURE_DEFAULT=true

Thank you! I added -DMQTT_SECURE_DEFAULT=true and now i have the errors like:

W: MQTT connection…
[E][ssl_client.cpp:36] _handle_error(): [start_ssl_client():207]: (-32512) SSL - Memory allocation failed
[E][WiFiClientSecure.cpp:133] connect(): start_ssl_client: -32512
W: failure_number_mqtt: 3
W: failed, rc=-2
W: failed, ssl error code=-32512

On the server side I have:

1663510220: New connection from redacted:55500 on port 8883.
1663510220: OpenSSL Error[0]: error:14035412:SSL routines:ACCEPT_SR_CERT:sslv3 alert bad certificate
1663510220: OpenSSL Error[1]: error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure
1663510220: Client disconnected: Protocol error.
1663510227: New connection from redacted:55501 on port 8883.
1663510227: Client closed its connection.

I tried to find more details about this 32512 error but without sucess.

PS: I am using an ESP32 DEVKIT v4 (ESP32-WROOM-32D)