Mosquitto SSL routines:tls_process_server_certificate:certificate verify failed Error: Protocol error
I use this GitHub repo to set up the broker on AWS EC2: https://github.com/chiachin2686/oqs-demos/tree/main/mosquitto
broker-start.sh
#!/bin/bash
# generate the configuration file for mosquitto
echo -e "
## Listeners
listener 8883
max_connections -1
max_qos 2
protocol mqtt
## General configuration
allow_anonymous false
# Comment out the following two lines if using two-way authentication
#password_file /test/passwd
#acl_file /test/acl
## Certificate based SSL/TLS support
cafile /test/cert/CA.crt
keyfile /test/cert/server.key
certfile /test/cert/server.crt
tls_version tlsv1.3
ciphers_tls1.3 TLS_AES_128_GCM_SHA256
# Comment out the following two lines if using one-way authentication
require_certificate true
## Same as above
use_identity_as_username true
" > mosquitto.conf
# generate the password file(add username and password) for the mosquitto MQTT broker
mosquitto_passwd -b -c passwd user1 1234
# generate the Access Control List
echo -e "user user1\ntopic readwrite test/sensor1" > acl
mkdir cert
# copy the CA key and the cert to the cert folder
cp /test/CA.key /test/CA.crt /test/cert
# generate the new server CSR using pre-set CA.key & cert
openssl req -new -newkey $SIG_ALG -keyout /test/cert/server.key -out /test/cert/server.csr -nodes -subj "/O=test-server/CN=$BROKER_IP"
# generate the server cert
openssl x509 -req -in /test/cert/server.csr -out /test/cert/server.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365
# modify file permission
chmod 777 cert/*
# execute the mosquitto MQTT broker
mosquitto -c mosquitto.conf -v
Then I enter the following command in EC2 to enable the broker:
sudo docker run -it --rm --net=host --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<Public IP in ec2>" -e "EXAMPLE=broker-start.sh" oqs-mosquitto-img
In the second step, I enter the following command in my VirtualBox (Ubuntu) VM to enable publisher-start.sh:
publisher-start.sh
#!/bin/bash
mkdir cert
# copy the CA key and the cert to the cert folder
cp /test/CA.key /test/CA.crt /test/cert
# generate the new publisher CSR using pre-set CA.key & cert
openssl req -new -newkey $SIG_ALG -keyout /test/cert/publisher.key -out /test/cert/publisher.csr -nodes -subj "/O=test-publisher/CN=$PUB_IP"
# generate the publisher cert
openssl x509 -req -in /test/cert/publisher.csr -out /test/cert/publisher.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365
# modify file permissions
chmod 777 cert/*
# execute the mosquitto MQTT publisher
mosquitto_pub -h $BROKER_IP -m "Hello world." -t test/sensor1 -q 0 -i "Client_pub" -d --repeat 60 --repeat-delay 1 \
--tls-version tlsv1.3 --cafile /test/cert/CA.crt \
--cert /test/cert/publisher.crt --key /test/cert/publisher.key
Then I enter the following command in EC2 to enable the broker:
sudo docker run -it --rm --net=host -p 8883:8883 --name oqs-mosquitto-publisher -e "BROKER_IP=<Public IP in ec2>" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto-img
Then it shows this error message. Please help me!
This is the broker message in EC2:
1670399106: Warning: Unable to drop privileges to 'mosquitto' because this user does not exist. Trying 'nobody' instead.
1670399106: mosquitto version 2.0.15 starting
1670399106: Config loaded from mosquitto.conf.
1670399106: Opening ipv4 listen socket on port 8883.
1670399106: Opening ipv6 listen socket on port 8883.
1670399106: mosquitto version 2.0.15 running
1670399120: New connection from 49.216.40.44:8247 on port 8883.
1670399120: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
1670399120: Client <unknown> disconnected: Protocol error.
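A way to check the certificate material these two scripts produce before either container is started, as an added example that is not from the question or the oqs-demos repo; it assumes EC P-256 in place of $SIG_ALG (plain OpenSSL has no OQS algorithms) and RFC 5737 documentation addresses in place of BROKER_IP and PUB_IP:

```shell
#!/bin/bash
# Added example, not from the question or the oqs-demos repo. It rebuilds the
# CA -> server / publisher certificate chain that broker-start.sh and
# publisher-start.sh create, using EC P-256 in place of $SIG_ALG and
# 203.0.113.x (RFC 5737) in place of BROKER_IP / PUB_IP, then checks each
# cert/key pair offline the way the TLS peers will check them.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Stand-in for the pre-set /test/CA.key and /test/CA.crt baked into the image.
openssl req -x509 -new $KEYOPTS -keyout CA.key -out CA.crt -days 365 \
  -subj "/O=test-CA/CN=demo-ca" 2>/dev/null

# issue_cert NAME SUBJECT CAKEY CACERT: the same req / x509 -req pair the scripts use.
issue_cert() {
  openssl req -new $KEYOPTS -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -out "$1.crt" -CA "$4" -CAkey "$3" \
    -CAcreateserial -days 365 2>/dev/null
}
issue_cert server    "/O=test-server/CN=203.0.113.10"    CA.key CA.crt
issue_cert publisher "/O=test-publisher/CN=203.0.113.20" CA.key CA.crt

# check_pair CERT KEY CAFILE: returns 0 when CERT chains to CAFILE (what the
# peer verifies against its cafile) and KEY is the private key for CERT (what
# the handshake signature needs); 1 on a chain failure, 2 on a key mismatch.
check_pair() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 2
}

# A publisher certificate issued by an unrelated CA: a client presenting it
# cannot pass the broker's verification against /test/cert/CA.crt.
openssl req -x509 -new $KEYOPTS -keyout other.key -out other.crt -days 365 \
  -subj "/O=other/CN=other-ca" 2>/dev/null
issue_cert stray "/O=test-publisher/CN=203.0.113.20" other.key other.crt

check_pair server.crt    server.key    CA.crt && echo "server.crt:    chain and key OK"
check_pair publisher.crt publisher.key CA.crt && echo "publisher.crt: chain and key OK"
check_pair stray.crt     stray.key     CA.crt || echo "stray.crt:     verify failed (rc=$?)"
```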