I create my device in Watson IoT, I see it connected and it send some events (I see it in watson iot dashboard)
I define it by the following
Device ID 1002
Device Type semaforo
So I create my app with the following info
key a-MyOrg-tecfj072yx
description base
AccessControl permissions standard application
key: a-MyOrg-tecfj072yx
token: ATokenPsw
I try to connect to the device event using mosquitto code
mosquitto_sub -h MyOrg.messaging.internetofthings.ibmcloud.com -p 8883 -i a:MyOrg:myapp -u a-MyOrg-tecfj072yx -P ATokenPsw -t iot-2/type/+/id/+/cmd/+/fmt/+
and nothing append!!! no error displayed, no event retrieved !!!
The mosquitto_sub remain as is
Why the routine in not correctly subscribed to my device event ?
To use port 8883 you need to make a TLS connection. mosquitto_sub requires either --cafile or --capath to be present on the command line to enable a TLS connection.
extracts from the man page
To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.
--cafile
Define the path to a file containing PEM encoded CA certificates that
are trusted. Used to enable SSL communication. See also --capath
--capath
Define the path to a directory containing PEM encoded CA certificates
that are trusted. Used to enable SSL communication. For --capath to
work correctly, the certificate files must have ".crt" as the file
ending and you must run "openssl rehash " each time
you add/remove a certificate.
Thanks.
Your info help me to resolve...but the trip was not so easy
Here is all the step that resolve the connection
1-Creating the root CA Cert using your correct info (Country,State,City and so on)
openssl genrsa -aes256 -passout pass:password123 -out rootCA_key.pem 2048
openssl req -new -sha256 -x509 -days 3560 -subj "/C=IT/ST=Itali/L=Milano/O=MyOrg/OU=MyOrg Corporate/CN=MyOrg Root CA" -extensions v3_ca -set_serial 1 -passin pass:password123 -key rootCA_key.pem -out rootCA_certificate.pem -config ext.cfg
2-Uploading the root CA Certificate to the IoT Platform
You need to load the root CA certificate into the IoT platform using the console. In the settings section goto to CA Certificates in the Security section. Select to Add certificate then select the rootCA_certificate.pem file you just generated to upload to the platform, then press Save
3-Generates the key and certificate for the MQTT server using your correct info (Country,State,City and so on) and the CN MUST to be the same of your IotServer (MyOrg.messaging.....)
openssl genrsa -aes256 -passout pass:password123 -out mqttServer_key.pem 2048
openssl req -new -sha256 -subj "/C=IT/ST=Itali/L=Milano/O=MyOrg/OU=MyOrg Corporate/CN=MyOrg.messaging.internetofthings.ibmcloud.com" -passin pass:password123 -key mqttServer_key.pem -out mqttServer_crt.csr
4-Add the server certificate to the IoT Platform
Into the IoT platform in the settings section of the console in the Messaging Server Certificates section under Security. Select to Add Certificate then upload the certificate (mqttServer_crt.pem) and private key (mqttServer_key.pem). You need to also provide the password (password123).
5-Test the server certificate by using openssl:
openssl s_client -CAfile mqttServer_crt.pem -showcerts -state -servername MyOrg.messaging.internetofthings.ibmcloud.com -connect MyOrg.messaging.internetofthings.ibmcloud.com:8883
6-To download the certificate in a PEM format, that can be easily imported to a truststore and put ii into MyOrg.messaging.internetofthings.ibmcloud.com.pem
echo | openssl s_client -connect MyOrg.messaging.internetofthings.ibmcloud.com:8883 -showcerts 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > MyOrg.messaging.internetofthings.ibmcloud.com.pem
7-Now you can use into
mosquitto_sub -h MyOrg.messaging.internetofthings.ibmcloud.com -p 8883 -i a:MyOrg:myapp -u MyOrgAppKey -P MyOrgToken -t iot-2/type/+/id/+/evt/+/fmt/+ -d --cafile MyOrg.messaging.internetofthings.ibmcloud.com.pem
To complte the info here is some tutorial that can help me
developer.ibm.com
ibm.com support
github including srvext.cfg,ext.cfg files
Related
Mosquitto 2.0.14 Ubuntu 20.04 i9-12900, TLS1.2 connection issues
This all works perfectly until I try to secure it. I have added the details below, of how I created the certificates, logs, config file and how I am trying to connect. If anyone could point me in the correct direction, I would greatly appreciate it.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out mosquitto.key 2048
openssl req -new -key mosquitto.key -out mosquitto.csr
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 3650 -sha256
openssl x509 -in ca.crt -out ca.pem //not sure this step was needed
/var/log/mosquitto/mosquitto.log
1643315161: mosquitto version 2.0.14 starting
1643315161: Config loaded from /etc/mosquitto/mosquitto.conf.
1643315161: Opening ipv4 listen socket on port 8883.
1643315161: Opening ipv4 listen socket on port 1883.
1643315161: Opening ipv6 listen socket on port 1883.
1643315161: mosquitto version 2.0.14 running
1643315168: New connection from 192.168.1.99:46526 on port 8883.
1643315168: Client <unknown> disconnected due to malformed packet.
1643315228: New connection from 192.168.1.99:46558 on port 8883.
1643315228: Client <unknown> disconnected due to malformed packet.
/etc/mosquitto/mosquitto.conf
per_listener_settings true
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /etc/mosquitto/ca_certificates/ca.pem
keyfile /etc/mosquitto/certs/mosquitto.key
certfile /etc/mosquitto/certs/mosquitto.crt
tls_version tlsv1.2
#default port
listener 8883 192.168.1.99
require_certificate true
allow_anonymous true
protocol mqtt
connection_messages true
log_type debug
log_type error
log_type warning
log_type notice
log_type information
Trying to add subscribe like this
mosquitto_sub -V mqttv311 -h 192.168.1.99 -p 8883 --cafile /etc/mosquitto/ca_certificates/ca.pem -t sensors/drone01/altitude -d
Edit one
I created a client certificate:
openssl x509 -req -in client.csr -CA /etc/mosquitto/ca_certificates/ca.crt -CAkey /etc/mosquitto/ca_certificates/ca.key -CAcreateserial -out client.crt -days 90
To subscribe:
mosquitto_sub -V mqttv311 -h 192.168.1.99 -p 8883 --cert ./client.crt --key ./client.key -t sensors/drone01/altitude -d
Same message in the log file:
1643322374: New connection from 192.168.1.99:49000 on port 8883. 1643322374: Client <unknown> disconnected due to malformed packet.
Here is a basic setup to get you started. I created the certificates in the same way you did (I usually use certstrap for this due to its ease of use):
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out mosquitto.key 2048
openssl req -new -key mosquitto.key -out mosquitto.csr
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 3650 -sha256
When generating mosquitto.csr I gave it the CN (Common Name) 127.0.0.1. Basic mosquitto.conf:
log_type all
# Don't do the below in production (it allows anyone to connect with no auth)
allow_anonymous true
listener 8883
keyfile /path/mosquitto.key
certfile /path/mosquitto.crt
After starting mosquitto (I did this in the console using mosquitto -c ./mosquitto.conf) I then ran:
mosquitto_sub -h 127.0.0.1 -p 8883 --cafile ./ca.crt -t sensors/drone01/altitude -d
This successfully connected:
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending SUBSCRIBE (Mid: 1, Topic: sensors/drone01/altitude, QoS: 0, Options: 0x00)
Client null received SUBACK
Subscribed (mid: 1): 0
This does not use client certificates for authentication but it does check that the server name matches the CN in the certificate (try changing 127.0.0.1 to localhost). If your cert does not have the correct CN you would need the --insecure option).
Now that TLS is working lets add the requirement for the client certificate. Technically I could use the same certificate as above but that could be confusing so I'll generate a new one (in production I would use a different CA for this):
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256
Now we update the mosquitto.conf:
log_type all
listener 8883
keyfile /path/mosquitto.key
certfile /path/mosquitto.crt
# We want to require a client certificate
require_certificate true
# This CA is used to verify the client certificate (it need not be the one used for the above mosquitto.crt)
cafile /path/ca.crt
# As we are passing a certificate we can choose to use the certificate CN as out username (removing need for allow_anonymous)
use_identity_as_username true
If you try connecting using the mosquitto_sub parameters used above it should now fail but the following works (or did when I tested it):
mosquitto_sub -h 127.0.0.1 -p 8883 --cafile ./ca.crt --cert ./client.crt --key ./client.key -t sensors/drone01/altitude -d
I am trying to secure client daemon communication on windows by creating a certificate authority (CA).
The lab setup shown in the above image is used in the example but it says my lab will be different but I don't know how to find the IP addresses like 10.0.0.10, 10.0.0.11 and 10.0.0.12. I know the node names are docker.exe (client) and dockerd.exe (daemon) but what are their IP addresses?
The default installation puts them on the same host and configures them to communicate over a local IPC socket: //./pipe/docker_engine
It's also possible to configure them to communicate over the network. By default, network communication occurs over an unsecured HTTP socket on port 2375/tcp
I don't know what information in this is relevant or helpful but I need to know the IP addresses of the docker daemon and client.
In answer to the responses I am also writing this:
I am following along with the book Docker Deep Dive and I am trying to secure client daemon communication. I am creating a file called extfile.cnf which has the following inside:
subjectAltName = DNS:node3,IP=10.0.0.12
extendedKeyUsage = serverAuth
I need to know what to put instead of 10.0.0.12
When I put localhost/127.0.0.1/127.0.0.1:2375/tcp://127.0.0.1:2375 or anything else and then run the command afterwards which is this:
openssl x509 -req -days 730 -sha256 -in daemon.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out daemon-cert.pem -extfile extfile.cnf
The error is:
x509: Error on line 1 of config file "extfile.cnf"
7C0A0000:error:07000065:configuration file routines:def_load_bio:missing equal sign:crypto\conf\conf_def.c:511:HERE--> ■sline 1
First post here so apologies if my etiquette isn't quite on point!
I'm having a bit of trouble understanding how certificate authorities work between separate machines, specifically when it comes to MQTT and the mosquito broker.
I have generated my server and client certificates using this link and got them working absolutely fine on localhost. For the server, I used common name RPi-Host i.e. the hostname, and for the clients I used 'localhost'. An example of the code I use to generate a CA for a client is given below, where %NAME is just the name of the cert:
Generate Key with:
$ openssl genrsa -out <%NAME>.key 2048
Generate certificate request with:
$ openssl req -out <%NAME>.csr -key <%NAME>.key -new
Link to main CA:
$ openssl x509 -req -in <%NAME>.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out <%NAME>.crt -days 365
Lets say I'd generated client and client2 certificates, I can then run the below in 2 different terminals on the RPi-Host, and connect no problem at all:
Subscribe to MQTT broker:
$ mosquitto_sub -p 8883 --cafile ca.crt --cert client2.crt --key client2.key -h localhost -t /world
Publish to MQTT broker:
$ mosquitto_pub -p 8883 --cafile ../ca/ca.crt --cert client.crt --key client.key -h localhost -m hello! -t /world
However, if I change the -h localhost to 192.168.0.190, i.e the IP address, I immediately get:
Error: A TLS Error occurred.
...which Isn't very helpful!
The aim is to try and connect to this from a separate machine, however I'm stumped just trying to do this on the same machine with its own IP address! Do I need to dome something fancy in the common name when generating the certificate? Sadly I have not yet sourced a tutorial which reviews connecting using mosquitto and TLS across 2 separate machines.
Any pointers appreciated, and terribly sorry if I'm missing the obvious!
Alex
The hostname (or IP address*) that you use to connect to the remote machine MUST to match the CN/SAN value in the certificate presented by that machine.
localhost shouldn't really ever be used in certificates as it is just a placeholder which says "This machine". Using TLS/SSL with localhost doesn't do anything useful. You should always generate certificates with the externally used hostname of the broker.
If you can't set up proper hostnames in a DNS server then you should probably add suitable entries to the /etc/hosts file on all the client machines with the hostname for the broker.
The temporary workaround to the error is probably to add -i to the mosquitto_pub and mosquitto_sub command lines. This tells them to ignore any miss match between the hostname and the name in the certificate. But this is only a workaround as it basically negates one of TLS/SSL's two key features (1. proving the machine you are connecting to is the machine it claims to be, 2. enabling encryption of the messages passing back and forth between the client/broker)
* Using raw IP addresses for TLS is possible, but it adds another level of difficulty getting the entries in the certificates right.
Actually, I wanted to implement MQTT SECURE Client over TLS using ESP8266 using Arduino IDE and wanted to check if first working on CMD line or not. But it seems it is NOT WORKING on CMD line itself.
PLEASE LET ME KNOW IF IT IS A BUG or IF ANY CONFIGURATION MISSING. I NEED TO FIX IT AS SOON AS POSSIBLE.
I followed https://mosquitto.org/man/mosquitto-tls-7.html webpage
Generate a certificate authority certificate and key.
openssl req -new -x509 -days 1095 -extensions v3_ca -keyout ca.key -out ca.crt
Generate a client key.
openssl genrsa -des3 -out client.key 2048
Generate a certificate signing request to send to the CA.
openssl req -out client.csr -key client.key -new
Send the CSR to the CA, or sign it with your CA key:
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1095
//local.conf file
bind_address 127.0.0.1
port 8883
tls_version tlsv1
cafile C:\OpenSSL-Win64\bin\ca.crt
certfile C:\OpenSSL-Win64\bin\client.crt
keyfile C:\OpenSSL-Win64\bin\client.key
require_certificate true
// One CMD window
mosquitto_sub -h 127.0.0.1 -p 8883 -q 1 -t sensor/temp --cafile C:/OpenSSL-Win64/bin/ca.crt
//Second CMD window
mosquitto -c local.conf -v
I am getting following error:
Error: A TLS error occurred &
C:\Program Files (x86)\mosquitto>mosquitto -c mosquitto_m2mqtt.conf -v
1486436916: mosquitto version 1.4.10 (build date 24/08/2016 21:03:24.73) starting
1486436916: Config loaded from mosquitto_m2mqtt.conf.
1486436916: Opening ipv6 listen socket on port 8883.
1486436916: Opening ipv4 listen socket on port 8883.
Enter PEM pass phrase:
1486436943: New connection from 127.0.0.1 on port 8883.
1486436943: OpenSSL Error: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
1486436943: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1486436943: Socket error on client <unknown>, disconnecting.
The require_certificate true flags means the broker will reject clients the don't supply their own certificate as identify themselves.
Remove this option and your client should connect. If you want to do mutual authentication then you will have to generate a client certificate as well and configure the client to send it along with the connection
On my server (Debian 3.2.54-2 x86_64 GNU/Linux), I use this command to check the connection with APNS (Apple Push Notification Server):
telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.46...
Trying 17.172.232.45...
Trying 17.172.232.18...
telnet: Unable to connect to remote host: Connection timed out
ping gateway.sandbox.push.apple.com
PING gateway.sandbox.push-apple.com.akadns.net (17.172.232.46) 56(84) bytes of data.
The telnet failed to help me connect. What is the reason for that?
1) Do I need to ask the admin to configure the firewall to let the telnet go through the port 2195?
2) When we use a telnet to a server with a given port, what port on our side will be open?
telnet gateway.sandbox.push.apple.com 2195 means the port 2195 on APNS will be opened, so which port on our computer will be open to establish the connection?
Use OpenSSL and pass a valid certificate, for testing purposes you can use a self-signed certificate, for example, to create the pair key and crt:
$ openssl req -x509 -newkey rsa:2048 -sha256 -nodes -keyout example.key -out example.crt -subj "/CN=example.com" -days 10
Then to create the cert.pem
$ cat example.key example.crt > cert.pem
Later you can test with:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem
This will connect and do the handshake but you will get verification errors something like:
CONNECTED(00000006)
...
verify error:num=20:unable to get local issuer certificate