I aim to have a MKR1000 board send information via MQTT over TLS. How can I get past this TLS error from the SSLClient library? The serial monitor gives the following error:
12:54:03.187 -> Attempting MQTT connection...(SSLClient)(SSL_WARN)(connect): Arduino client is already connected? Continuing anyway...12:54:03.352 -> (SSLClient)(SSL_WARN)(m_run_until): Terminating because the ssl engine closed12:54:03.352 -> (SSLClient)(SSL_ERROR)(m_start_ssl): Failed to initlalize the SSL layer12:54:03.352 -> (SSLClient)(SSL_ERROR)(m_print_br_error): Certificate is expired or not yet valid.12:54:03.352 -> failed, rc=-2 try again in 10 seconds
And the MQTT broker shows corresponding lines in the log:
1772967253: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading1772967253: Client disconnected: Protocol error.1772967253: New connection from xx.yy.zz.aa:50101 on port 8883.
I’ve refreshed all the certificates, up to and including the self-signed CA, so I know they are up to date. The sketch also uses NTP to pull in the correct date to the MKR1000.
Here is what I’ve cobbled together for a sketch:
#include <SPI.h>
#include <WiFi101.h>
#include "wifi-secrets.h"
const char* ssid = WLAN_SSID;
const char* pass = WLAN_PASS;
const char* host = WLAN_HOST;
const char* mqttServer = BROKER_ADDRESS;
int status = WL_IDLE_STATUS; /* the Wifi radio's status */
#include <SSLClient.h>
#include <PubSubClient.h>
#include <RTCZero.h> /* https://www.arduino.cc/en/Reference/RTC */
#include "trust_anchors.h" /* Certificate Authority */
#include "ssl-client.h" /* my_cert , my_key */
RTCZero rtc;
/* https://www.industrialshields.com/blog/arduino-industrial-1/building-an-mqtt-over-tls-connection-a-guide-for-esp32-plc-537 */
void callback(char* topic, byte* payload, unsigned int length) {
Serial.println("msg rcvd");
}
/* Define MQTT parameters */
WiFiClient netClient;
SSLClientParameters mTLS = SSLClientParameters::fromPEM(my_cert, sizeof my_cert, my_key, sizeof my_key);
SSLClient netClientSSL(netClient, TAs, (size_t)TAs_NUM, A5);
PubSubClient mqtt(mqttServer, 8883, callback, netClientSSL);
void reconnect() {
// Loop until we're reconnected
while (!mqtt.connected()) {
Serial.print("Attempting MQTT connection...");
// Attempt to connect
if (mqtt.connect(ID_CLIENT)) {
Serial.println("connected");
// Once connected, publish an announcement...
mqtt.publish("sensors/temperature","1772912070 9 22.0");
} else {
Serial.print("failed, rc=");
Serial.print(mqtt.state());
Serial.println(" try again in 10 seconds");
// Wait 10 seconds before retrying
delay(10000);
}
}
}
void setup(){
// Start Serial
Serial.begin(115200);
while(!Serial);
// Enable mutual TLS with SSLClient
netClientSSL.setMutualAuthParams(mTLS);
Serial.print("Connecting to ");
Serial.println(ssid);
WiFi.hostname(host);
WiFi.begin(ssid, pass);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.print(".");
}
Serial.println("");
Serial.println("WiFi connected");
IPAddress ip = WiFi.localIP();
Serial.println("IP address: ");
Serial.println(ip);
/* Initialize RTC */
rtc.begin();
int epoch = 0;
while (! epoch or epoch < 1772915611) {
epoch = WiFi.getTime();
if (!epoch) {
Serial.println("Waiting for network time");
delay(500);
}
}
rtc.setEpoch(epoch);
Serial.print("Epoch: ");
Serial.println(epoch);
}
void loop(){
if (!mqtt.connected()) {
reconnect();
}
mqtt.loop();
}
The header file, ssl-client.h, has the following structure (abbreviated here):
const char my_cert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIDFjCCAf6gAwIBAgIUFsIGQdtDoxw0wA8nFwnPo+DF1DIwDQYJKoZIhvcNAQEL\n"
...
"lISwTgSio2ghdvXdxug5HThyHWCi/AWtKsc=\n"
"-----END CERTIFICATE-----\n"
;
const char my_key[] =
"-----BEGIN PRIVATE KEY-----\n"
"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCpXiIS3KYfPqC6\n"
...
"MW4HXhp+hqFnKKoazKjW9w==\n"
"-----END PRIVATE KEY-----\n"
;
All my Perl and Python scripts can connect to that MQTT broker just fine, albeit with TLS1.3 instead of TLS1.2 like the sketch seems to use. I’ve used openssl to triple check the certificates which I have imported and verified the dates are ok.