Hey Developers!
I've managed to set up a secure connection to my mosquitto broker.
In the CLI I can send and receive MQTT messages:
mosquitto_sub -h xxx.xxx.org -t test -p 8883 --capath /etc/ssl/certs/
mosquitto_pub -h xxx.xxx.org -t test -m "hello world" -p 8883 --capath /etc/ssl/certs/
The default.conf from mosquitto
# i know - this will be replaced !!!!!
# NOTE(review): with allow_anonymous true and no password_file or auth plugin
# configured in this snippet, the broker appears to accept any client on these
# listeners regardless of the username/password it sends; TLS protects the
# transport, it does not authenticate the client.
allow_anonymous true
# Plain MQTT over TLS. certfile/cafile/keyfile are the Let's Encrypt leaf,
# intermediate chain and private key for this host; a client only needs the
# matching root CA to verify this listener.
listener 8883
certfile /etc/letsencrypt/live/xx.xx.org/cert.pem
cafile /etc/letsencrypt/live/xx.xx.org/chain.pem
keyfile /etc/letsencrypt/live/xx.xx.org/privkey.pem
# MQTT over secure WebSockets, same server certificate.
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/x.x.org/cert.pem
cafile /etc/letsencrypt/live/x.x.org/chain.pem
keyfile /etc/letsencrypt/live/x.x.org/privkey.pem
# NOTE(review): require_certificate is a per-listener option and here follows
# the 8083 websockets listener, so websocket clients must present a certificate
# signed by that cafile (mutual TLS). The 8883 listener exercised by the CLI
# test and by the ESP32 sketch below does not require a client certificate.
require_certificate true
My Question:
Which certificate can I now use for an ESP32 connection? In the CLI, the path `--capath /etc/ssl/certs/` points to a folder with a lot of files in it.
Do you have a simple example sketch for connecting to an MQTT broker with SSL?
All the example sketches need exactly one certificate like:
const char* root_ca PROGMEM = \
"-----BEGIN CERTIFICATE-----\r\n" \
"MIIDjTCCAnWgAwIBAgIUQY688zZZKjUGdxM5ZKSgOM5gZ8owDQYJKoZIhvcNAQEL\r\n" \
"BQAwVjELMAkGA1UEBhMCQVQxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\r\n" \
"GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGUm9vdENBMB4XDTIy\r\n" \
"MTIwOTA2Mzg1OFoXDTI3MTIwOTA2Mzg1OFowVjELMAkGA1UEBhMCQVQxEzARBgNV\r\n" \
....
"IH5ab2THmcx9zoexJcx2swEwk+0Veu9xeEyAoTlY+SztvB9tpfnaZaV13+VxhLZK\r\n" \
"qw==\r\n" \
"-----END CERTIFICATE-----\r\n";
Thanks for your help
pylon
December 9, 2022, 4:28pm
You shouldn't need that. The Let's Encrypt root certificate should be in the default list of trusted CAs of the ESP32.
Hey
Without the certificate I was not able to establish an MQTT connection.
I used the root ca from letsencrypt - you can find it here:
get it here: Chain of Trust - Let's Encrypt
Here is my code - maybe interesting for some others!
#include <Arduino.h>
#include <WiFi.h>
#include <PubSubClient.h>
#include <WiFiClientSecure.h>
#include "mysensibleandnotsharedcredentials.h"
#define LED_BUILTIN 2
// NOTE(review): previousMillis, lastMsg, msg and value are declared but not
// referenced anywhere in this sketch.
unsigned long previousMillis = millis();
// TLS transport; its trust anchor is installed in setup() via setCACert().
WiFiClientSecure espClient;
// MQTT session layered on top of the TLS transport.
PubSubClient client(espClient);
long lastMsg = 0;
char msg[50];
int value = 0;
// Root CA from letsencrypt
// get it here: https://letsencrypt.org/certificates/
// A single root certificate in PEM form. This is the one-file equivalent of the
// CLI's --capath directory: the ESP32 will accept a server whose certificate
// chain ends in this root, so the sketch keeps working across Let's Encrypt
// renewals as long as the broker's chain still leads here. The root's own
// validity period is encoded in the certificate; check it before relying on
// this constant long-term.
const char* letsencrypt_root_ca= \
"-----BEGIN CERTIFICATE-----\n" \
"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n" \
"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" \
"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n" \
"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n" \
"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n" \
"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n" \
"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n" \
"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n" \
"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n" \
"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n" \
"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n" \
"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n" \
"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n" \
"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n" \
"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n" \
"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n" \
"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n" \
"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n" \
"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n" \
"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n" \
"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n" \
"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n" \
"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n" \
"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n" \
"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n" \
"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n" \
"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n" \
"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" \
"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" \
"-----END CERTIFICATE-----\n";
// Join the WiFi network named by `ssid`/`password` (both defined in the
// credentials header, not in this file) and block until the link is up.
// Also seeds the PRNG that reconnect() uses for the random client id.
void setup_wifi() {
  // Give the radio a moment before issuing the first command.
  delay(10);

  Serial.println();
  Serial.print("Connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);

  // Poll every 500 ms, printing one progress dot per poll, until associated.
  const auto link_is_up = []() { return WiFi.status() == WL_CONNECTED; };
  for (; !link_is_up();) {
    delay(500);
    Serial.print(".");
  }

  // micros() at connect time is hard to predict, which is all the client-id
  // suffix needs.
  randomSeed(micros());

  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}
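// Invoked by PubSubClient for every message received on a subscribed topic.
// The payload is read only through `length` (it is not assumed to be
// NUL-terminated) and is echoed to Serial while being copied into a String.
//   topic   - NUL-terminated topic name the message arrived on
//   message - raw payload bytes
//   length  - number of valid bytes in `message`
void callback(char* topic, byte* message, unsigned int length) {
  Serial.print("Message arrived on topic: ");
  Serial.print(topic);
  Serial.print(". Message: ");
  String messageTemp;
  messageTemp.reserve(length);  // one allocation instead of growing per character
  // `length` is unsigned; an unsigned index avoids the mixed-sign comparison.
  for (unsigned int i = 0; i < length; i++) {
    Serial.print((char)message[i]);
    messageTemp += (char)message[i];
  }
  Serial.println();
  // Placeholder for per-topic handling. NOTE(review): reconnect() only
  // subscribes to "broker", so this branch is never taken unless a
  // subscription to "mytopic" is added.
  if (String(topic) == "mytopic") {
  }
}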
// Re-establish the MQTT session, retrying every 5 seconds until connected.
// Called from loop() whenever client.connected() reports false.
void reconnect() {
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");

    // Random suffix so two boards are unlikely to share a client id (a broker
    // typically drops the older session on a duplicate). Seeded in setup_wifi().
    String clientId = "ESP32Client-";
    clientId += String(random(0xffff), HEX);

    // NOTE(review): the MQTT username/password are literals here while the WiFi
    // credentials live in mysensibleandnotsharedcredentials.h; keep them in that
    // header too so they are not shared along with the sketch. They are sent
    // inside the TLS session configured in setup(), not in the clear.
    const bool ok = client.connect(clientId.c_str(), "user", "pass");
    if (!ok) {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Back off before the next attempt.
      delay(5000);
      continue;
    }

    Serial.println("connected");
    // Subscribed topic is "broker"; callback() compares against "mytopic".
    client.subscribe("broker");
  }
}
// One-time initialisation: serial console, WiFi, TLS trust anchor, MQTT broker.
void setup() {
  Serial.begin(115200);
  setup_wifi();

  // Trust only servers whose chain ends in the Let's Encrypt root above; this
  // is what authenticates the broker. Do not swap it for setInsecure(), which
  // would disable certificate verification.
  espClient.setCACert(letsencrypt_root_ca);
  // Alternative: pin a single certificate fingerprint instead (unused).
  //espClient.setFingerprint(fingerprint);

  // mqttServer comes from the credentials header; 8883 is the broker's TLS listener.
  client.setServer(mqttServer, 8883);
  client.setCallback(callback);
}
// Keep the MQTT session alive: reconnect if it dropped, then service
// incoming/outgoing traffic (client.loop() dispatches to callback()).
void loop() {
  if (!client.connected()) reconnect();
  client.loop();
}