How to connect MKR1000 with Mosquitto broker while using a self-signed certificate

I am having a problem connecting to a Mosquitto MQTT server using a self-signed certificate. I want to connect my MKR1000 securely to my Mosquitto MQTT server on Ubuntu. I am generating a CSR on the MKR1000 using the ARDUINOECCX08CSR example and creating a certificate (.crt) using the CA file on Ubuntu. Below I describe the process of generating the CA, CSR and CRT files for my project.
PROCEDURE I
Ubuntu Machine Steps

Generate a certificate authority certificate and key on Ubuntu

openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt

passphrase: abcd

Here I get ca.key and ca.crt, where I used "Ubuntu IP" as the Common Name.

Server:
Generate a server key.

openssl genrsa -des3 -out server.key 2048
#passphrase :abcd
#I tried both ways with and without -des3
Generate a server key without encryption.

openssl genrsa -out server.key 2048

Generate a certificate signing request to send to the CA.

openssl req -out server.csr -key server.key -new
Here I again used "Ubuntu IP" as the Common Name, and I used my subscriber IP (reason: I have no domain name).

Send the CSR to the CA, or sign it with your CA key:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Client/Device/MKR1000: generating the CSR
CSR generated by MKR1000 (procedure given below)

We are using the MKR1000 device for sending sensor data to the Mosquitto broker as stated above. The libraries which I am using are:

For connecting to the secure MQTT broker at port no. 8883, we are generating ECCX08CSR example from the ArduinoECCX08 library for ECC508 & ECC608 crypto chips, examples in Arduino IDE.
Burned code example ECCX08CSR in the MKR1000 board.
CSR file content attached in the file below, "CSR by MKR".

After this, copy the CSR and store it in a file in .txt format.
This file is given to the CA for generating a certificate for the MKR1000.

I again used the Ubuntu IP as the Common Name, copied the client.csr content and pasted it into a new file on Ubuntu with the same name, client.csr, where I ran the command below to get client.crt.

Send the CSR to the CA, or sign it with your CA key:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

If I compare this Ubuntu-generated client.crt file with an AWS IoT generated CRT file, I find that the X509 content is missing. To add the X509 content I followed another procedure, which I also tried, but I still could not understand why the MKR1000 does not connect to Ubuntu while using self-signed SSL. When I was not using SSL it worked properly. The following are the mosquitto_sub commands which I ran in the Ubuntu terminal:

mosquitto_sub -h "UBUNTU IP" -t "Home" --cafile /home/ubuntu/client.crt -p 8333

After getting the .crt file generated and signed by the CA, we copy the content of the file and paste it into the const char SECRET_CERTIFICATE variable (attached in file).

After this we upload the code to the MKR1000 (code file attached).

After burning this code I get the connected-to-WiFi message on my serial monitor, but the MKR1000 remains unable to connect to the MQTT server; the code retries connecting to the server every 5 mins.

Please provide necessary help.
Thank you

libraries_used.txt (273 Bytes)

code.txt (4.33 KB)

certificate content in mkr1000.txt (1.11 KB)

csr file generated by mkr1000.txt (1.08 KB)
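
The CA, server and client signing steps from the procedure above, written as one script with a chain check at the end (an added example, not part of the original post or the poster's attached files). It assumes a placeholder broker address 192.0.2.10, gives the CA, server and client certificates distinct constructed subject names, passes an extension file so the server certificate carries the broker address as an IP subjectAltName, and uses a locally generated P-256 key in place of the CSR produced on the board.

```sh
#!/bin/sh
# Added example, not the poster's commands. 192.0.2.10 (RFC 5737 documentation
# address) stands in for the broker IP; all subject names are constructed.
# Keys are left unencrypted (-nodes) only so the script runs unattended.
BROKER_IP=${BROKER_IP:-192.0.2.10}

build_pki() (   # subshell body: the caller's working directory is untouched
    mkdir -p "$1" && cd "$1" && cat > pki.cnf <<EOF &&
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:$BROKER_IP
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # CA: self-signed, with a subject of its own rather than the broker address
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -config pki.cnf \
        -extensions v3_ca -subj "/CN=Example MQTT CA" \
        -keyout ca.key -out ca.crt &&
    # Server: key and CSR, then signed with the IP subjectAltName extension
    openssl req -new -nodes -newkey rsa:2048 -config pki.cnf \
        -subj "/CN=$BROKER_IP" -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile pki.cnf -extensions server_ext -days 365 -out server.crt &&
    # Client: a local P-256 key and CSR stand in for the CSR the board emits
    openssl ecparam -name prime256v1 -genkey -noout -out client.key &&
    openssl req -new -key client.key -config pki.cnf \
        -subj "/CN=mkr1000-client" -out client.csr &&
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile pki.cnf -extensions client_ext -days 365 -out client.crt
)

check_pki() (   # succeeds only if both leaves chain to ca.crt and the SAN is set
    cd "$1" &&
    openssl verify -CAfile ca.crt server.crt client.crt >/dev/null &&
    openssl x509 -in server.crt -noout -text | grep -q "IP Address:$BROKER_IP"
)
```

Run `build_pki ./pki && check_pki ./pki`; in mosquitto.conf the `cafile`, `certfile` and `keyfile` options would then point at ca.crt, server.crt and server.key.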

Also posted at:

Yes, because I need to solve this urgently.
Please help if possible.

Hi. Have you found the solution for this problem?

I'm facing the same issue with Arduino nano 33 iot + Mosquitto.
I set up mosquitto server, generated CA cert + CA key.
Then I generated CSR request from my Arduino nano 33 iot.
CSR was signed using CA cert + CA key (steps: Creating and Using Client Certificates with MQTT and Mosquitto).
The certificate was then pasted into SECRET_CERTIFICATE.

In the mosquitto log I see repeating records:
New connection from my_ip_address on port 8883
OpenSSL Error: error:1409E0E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Socket error on client , disconnecting

I also tried adding the CA certificate into SECRET_CERTIFICATE (according to AWS_IoT/AWS_IoT.ino · 3d311ef2ac85264fcb2bd97fedae39f7a208e9de · Sudeep Kanur / labsaiot · GitLab).

Does no one have a working solution?

Hello,

Did you make any progress on it?

Thank you.