Client is not authorized to connect

Hi,

I’m evaluating HiveMQ Cloud now and have successfully connected via a mobile app and the HiveMQ Websocket Client with the same Username and Password from Cluster Access Management.

But I’m facing a problem on an embedded device that uses a C lib.

After checking the device log, I observed that the MQTT connection return code is 5.
The document below (3.2.2.3 Connect Return code) says that return code 5 means “The Client is not authorized to connect”.
http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718028

Below are the settings for my embedded device client side.

// network
network.rootCA = /* Root CA obtained via https://community.hivemq.com/t/frequently-asked-questions/514 */;
network.clientCA = NULL;
network.private_key = NULL;
network.use_ssl = 1;

// MQTT connection data
connection.MQTTVersion = 4; // version 3.1.1
connection.keepAliveInterval = 60;
connection.clientID.cstring = "device_id";
connection.username.cstring = /* Username from Cluster Access Management */;
connection.password.cstring = /* Password from Cluster Access Management */;
connection.cleansession = 1;

It looks like the problem is on the MQTT level; the SSL handshake succeeds on the network level.

Any suggestions?

Regards,

Hi chaiyasit,

Thank you for your interest in MQTT and HiveMQ!

  1. Could you please test if you can connect with HiveMQ MQTT CLI client? You get the client if you go to the “Getting Started” tab in your HiveMQ Cloud cluster page.

  2. Checking the Paho MQTT C Client Library > MQTTClient_SSLOptions Struct Reference I can see the CAPath property, but cannot see the rootCA property that you are using in your code sample. Is it the same library that you are using?

Kind regards,

Dasha from HiveMQ Team

@Daria_H

Thanks for your support.

  1. Yes, I have already connected successfully via MQTT CLI and a mobile app (C# code) with the same user name & password from Cluster Access Management.

  2. The C lib is a kind of custom version from the link below.
    https://github.com/zhouzj123/MQTT/blob/master/paho.mqtt.embedded-c/MQTTClient-C/src/FreeRTOS/MQTTFreeRTOS.h
    The code below is an addition for mbed TLS support.

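typedef struct Network Network;

struct Network
{
    int my_socket;
    int (*mqttread) (Network*, unsigned char*, int, int);
    int (*mqttwrite) (Network*, unsigned char*, int, int);
    void (*disconnect) (Network*);

    /* additions for mbed TLS */
    unsigned char use_ssl;
    mbedtls_ssl_context *ssl;
    mbedtls_ssl_config *conf;

    char *rootCA;       /* server root CA */
    char *clientCA;     /* client certificate, NULL if unused */
    char *private_key;  /* client private key, NULL if unused */
};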

May I confirm the questions below with you?

  1. Does HiveMQ Cloud support TLS Ver1.0 connections?
    My device succeeded in the SSL handshake via a TLS Ver1.0 connection.
    Below is the evidence from the log.
[24764]mqtt:
Verify requested for (Depth 1):

[24780]mqtt:cert. version     : 3
serial number     : 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A
issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name      : C=US, O=Let's Encrypt, CN=R3
issued  on        : 2020-09-04 00:00:00
expires on        : 2025-09-15 16:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
ext key usage     : TLS Web Client Authentication, TLS Web Server Authentication

[24937]mqtt:  This certificate has no flags

[24950]mqtt:
Verify requested for (Depth 0):

[24966]mqtt:cert. version     : 3
serial number     : 04:CD:C2:9B:C1:DA:D8:C3:E3:CD:3C:49:D7:19:38:28:28:1F
issuer name       : C=US, O=Let's Encrypt, CN=R3
subject name      : CN=*.s2.eu.hivemq.cloud
issued  on        : 2021-11-23 10:47:53
expires on        : 2022-02-21 10:47:52
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : *.s2.eu.hivemq.cloud, s2.eu.hivemq.cloud
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

[25124]mqtt:  This certificate has no flags

[26927]mqtt:ssl handshake success

But finally my device receives a CONNACK with return code 5 (The Client is not authorized to connect) on the MQTT packet level.

[41557]mqtt:Read packet type: 2
Couldn't connect to IOT Broker: token invaild  <---this is CONNACK with return code is 5.
  2. Is TLS Ver1.0 the cause of the “Client is not authorized to connect” received from HiveMQ Cloud? But why did the SSL handshake above succeed?
  3. Is it possible to set up my cluster to support TLS Ver 1.0? (Our current production with another MQTT broker vendor is running on TLS Ver1.0, so if we decide to go with HiveMQ Cloud for production, it will save us time migrating device firmware, which we still don’t know will work with TLS Ver1.2 or not.)

Regards,

Hi,

I’d appreciate it if you could help answer my questions above, especially No. 1: the SSL handshake succeeded, so why does my device finally receive a CONNACK with return code 5 (The Client is not authorized to connect)?

Regards,

Hi,

After checking my device log, it seems that my device already supports TLS Ver1.2. So that is why the SSL handshake succeeded. Below is the TLS log evidence.

[Sat Dec 04 22:25:19.817 2021] [32477]mqtt:root_crt parse done
[Sat Dec 04 22:25:19.835 2021] ssl_tls.c:6344: |2| => handshake
[Sat Dec 04 22:25:19.836 2021] ssl_cli.c:3279: |2| client state: 0
[Sat Dec 04 22:25:19.855 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:19.865 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:19.866 2021] ssl_cli.c:3279: |2| client state: 1
[Sat Dec 04 22:25:19.879 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:19.880 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:19.895 2021] ssl_cli.c:0717: |2| => write client hello
[Sat Dec 04 22:25:19.911 2021] ssl_cli.c:0755: |3| client hello, max version: [3:3]
[Sat Dec 04 22:25:19.926 2021] ssl_cli.c:0764: |3| dumping 'client hello, random bytes' (32 bytes)
[Sat Dec 04 22:25:19.942 2021] ssl_cli.c:0764: |3| 0000:  60 08 e8 12 37 30 ea 3b 8f 1b e3 3a a4 47 62 3e  `...70.;...:.Gb>
[Sat Dec 04 22:25:19.959 2021] ssl_cli.c:0764: |3| 0010:  78 d2 e6 3e ed 1c e6 3c a3 56 e4 3c e9 71 e4 3d  x..>...<.V.<.q.=
[Sat Dec 04 22:25:19.991 2021] ssl_cli.c:0817: |3| client hello, session id len.: 0
[Sat Dec 04 22:25:20.008 2021] ssl_cli.c:0818: |3| dumping 'client hello, session id' (0 bytes)
[Sat Dec 04 22:25:20.023 2021] ssl_cli.c:0885: |3| client hello, add ciphersuite: 4x
[Sat Dec 04 22:25:20.039 2021] ssl_cli.c:0885: |3| client hello, add ciphersuite: 4x
[Sat Dec 04 22:25:20.055 2021] ssl_cli.c:0885: |3| client hello, add ciphersuite: 4x
[Sat Dec 04 22:25:20.071 2021] ssl_cli.c:0885: |3| client hello, add ciphersuite: 4x
[Sat Dec 04 22:25:20.086 2021] ssl_cli.c:0918: |3| client hello, got 5 ciphersuites
[Sat Dec 04 22:25:20.087 2021] ssl_cli.c:0949: |3| client hello, compress len.: 1
[Sat Dec 04 22:25:20.104 2021] ssl_cli.c:0951: |3| client hello, compress alg.: 0
[Sat Dec 04 22:25:20.121 2021] ssl_cli.c:0178: |3| client hello, adding signature_algorithms extension
[Sat Dec 04 22:25:20.138 2021] ssl_cli.c:0508: |3| client hello, adding encrypt_then_mac extension
[Sat Dec 04 22:25:20.165 2021] ssl_cli.c:0542: |3| client hello, adding extended_master_secret extension
[Sat Dec 04 22:25:20.181 2021] ssl_cli.c:0575: |3| client hello, adding session ticket extension
[Sat Dec 04 22:25:20.198 2021] ssl_cli.c:1023: |3| client hello, total extension length: 28
[Sat Dec 04 22:25:20.214 2021] ssl_tls.c:2705: |2| => write record
[Sat Dec 04 22:25:20.229 2021] ssl_tls.c:2842: |3| output record: msgtype = 22, version = [3:1], msglen = 83
[Sat Dec 04 22:25:20.245 2021] ssl_tls.c:2845: |4| dumping 'output record sent to network' (88 bytes)
[Sat Dec 04 22:25:20.262 2021] ssl_tls.c:2845: |4| 0000:  16 03 01 00 53 01 00 00 4f 03 03 60 08 e8 12 37  ....S...O..`...7
[Sat Dec 04 22:25:20.293 2021] ssl_tls.c:2845: |4| 0010:  30 ea 3b 8f 1b e3 3a a4 47 62 3e 78 d2 e6 3e ed  0.;...:.Gb>x..>.
[Sat Dec 04 22:25:20.310 2021] ssl_tls.c:2845: |4| 0020:  1c e6 3c a3 56 e4 3c e9 71 e4 3d 00 00 0a 00 3d  ..<.V.<.q.=....=
[Sat Dec 04 22:25:20.341 2021] ssl_tls.c:2845: |4| 0030:  00 35 00 3c 00 2f 00 ff 01 00 00 1c 00 0d 00 0c  .5.<./..........
[Sat Dec 04 22:25:20.357 2021] ssl_tls.c:2845: |4| 0040:  00 0a 06 01 05 01 04 01 03 01 02 01 00 16 00 00  ................
[Sat Dec 04 22:25:20.389 2021] ssl_tls.c:2845: |4| 0050:  00 17 00 00 00 23 00 00                          .....#..
[Sat Dec 04 22:25:20.424 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:20.425 2021] ssl_tls.c:2439: |2| message length: 88, out_left: 88
[Sat Dec 04 22:25:20.445 2021] ssl_tls.c:2445: |2| ssl->f_send() returned 88 (-0xffffffa8)
[Sat Dec 04 22:25:20.455 2021] ssl_tls.c:2464: |2| <= flush output
[Sat Dec 04 22:25:20.470 2021] ssl_tls.c:2854: |2| <= write record
[Sat Dec 04 22:25:20.470 2021] ssl_cli.c:1049: |2| <= write client hello
[Sat Dec 04 22:25:20.486 2021] ssl_cli.c:3279: |2| client state: 2
[Sat Dec 04 22:25:20.503 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:20.503 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:20.516 2021] ssl_cli.c:1410: |2| => parse server hello
[Sat Dec 04 22:25:20.517 2021] ssl_tls.c:3732: |2| => read record
[Sat Dec 04 22:25:20.533 2021] ssl_tls.c:2212: |2| => fetch input
[Sat Dec 04 22:25:20.548 2021] ssl_tls.c:2370: |2| in_left: 0, nb_want: 5
[Sat Dec 04 22:25:20.821 2021] ssl_tls.c:2394: |2| in_left: 0, nb_want: 5
[Sat Dec 04 22:25:20.840 2021] ssl_tls.c:2395: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
[Sat Dec 04 22:25:20.863 2021] ssl_tls.c:2407: |2| <= fetch input
[Sat Dec 04 22:25:20.878 2021] ssl_tls.c:3483: |4| dumping 'input record header' (5 bytes)
[Sat Dec 04 22:25:20.891 2021] ssl_tls.c:3483: |4| 0000:  16 03 03 00 55                                   ....U
[Sat Dec 04 22:25:20.903 2021] ssl_tls.c:3492: |3| input record: msgtype = 22, version = [3:3], msglen = 85
[Sat Dec 04 22:25:20.915 2021] ssl_tls.c:2212: |2| => fetch input
[Sat Dec 04 22:25:20.931 2021] ssl_tls.c:2370: |2| in_left: 5, nb_want: 90
[Sat Dec 04 22:25:20.947 2021] ssl_tls.c:2394: |2| in_left: 5, nb_want: 90
[Sat Dec 04 22:25:20.948 2021] ssl_tls.c:2395: |2| ssl->f_recv(_timeout)() returned 85 (-0xffffffab)
[Sat Dec 04 22:25:20.979 2021] ssl_tls.c:2407: |2| <= fetch input
[Sat Dec 04 22:25:20.980 2021] ssl_tls.c:3661: |4| dumping 'input record from network' (90 bytes)
[Sat Dec 04 22:25:21.011 2021] ssl_tls.c:3661: |4| 0000:  16 03 03 00 55 02 00 00 51 03 03 61 ab 88 5e 24  ....U...Q..a..^$
[Sat Dec 04 22:25:21.027 2021] ssl_tls.c:3661: |4| 0010:  89 74 93 3f e6 68 b6 b6 f2 0d a8 5b ea 01 fd 90  .t.?.h.....[....
[Sat Dec 04 22:25:21.062 2021] ssl_tls.c:3661: |4| 0020:  56 a5 3b 23 cb e5 4d eb 6c 39 d0 20 5a 37 b9 a2  V.;#..M.l9. Z7..
[Sat Dec 04 22:25:21.082 2021] ssl_tls.c:3661: |4| 0030:  02 3a e7 93 0f 39 cc fb c7 bd 01 d6 6c 47 7a 56  .:...9......lGzV
[Sat Dec 04 22:25:21.107 2021] ssl_tls.c:3661: |4| 0040:  7a 30 9d 7d 34 dc 55 28 df e8 ab fa 00 2f 00 00  z0.}4.U(...../..
[Sat Dec 04 22:25:21.123 2021] ssl_tls.c:3661: |4| 0050:  09 00 17 00 00 ff 01 00 01 00                    ..........
[Sat Dec 04 22:25:21.154 2021] ssl_tls.c:3093: |3| handshake message: msglen = 85, type = 2, hslen = 85
[Sat Dec 04 22:25:21.171 2021] ssl_tls.c:3757: |2| <= read record
[Sat Dec 04 22:25:21.187 2021] ssl_cli.c:1483: |3| dumping 'server hello, version' (2 bytes)
[Sat Dec 04 22:25:21.203 2021] ssl_cli.c:1483: |3| 0000:  03 03                                            ..
[Sat Dec 04 22:25:21.221 2021] ssl_cli.c:1509: |3| server hello, current time: u
[Sat Dec 04 22:25:21.238 2021] ssl_cli.c:1516: |3| dumping 'server hello, random bytes' (32 bytes)
[Sat Dec 04 22:25:21.256 2021] ssl_cli.c:1516: |3| 0000:  61 ab 88 5e 24 89 74 93 3f e6 68 b6 b6 f2 0d a8  a..^$.t.?.h.....
[Sat Dec 04 22:25:21.285 2021] ssl_cli.c:1516: |3| 0010:  5b ea 01 fd 90 56 a5 3b 23 cb e5 4d eb 6c 39 d0  [....V.;#..M.l9.
[Sat Dec 04 22:25:21.301 2021] ssl_cli.c:1586: |3| server hello, session id len.: 32
[Sat Dec 04 22:25:21.317 2021] ssl_cli.c:1587: |3| dumping 'server hello, session id' (32 bytes)
[Sat Dec 04 22:25:21.330 2021] ssl_cli.c:1587: |3| 0000:  5a 37 b9 a2 02 3a e7 93 0f 39 cc fb c7 bd 01 d6  Z7...:...9......
[Sat Dec 04 22:25:21.361 2021] ssl_cli.c:1587: |3| 0010:  6c 47 7a 56 7a 30 9d 7d 34 dc 55 28 df e8 ab fa  lGzVz0.}4.U(....
[Sat Dec 04 22:25:21.397 2021] ssl_cli.c:1623: |3| no session has been resumed
[Sat Dec 04 22:25:21.398 2021] ssl_cli.c:1625: |3| server hello, chosen ciphersuite: 4x
[Sat Dec 04 22:25:21.422 2021] ssl_cli.c:1626: |3| server hello, compress alg.: 0
[Sat Dec 04 22:25:21.442 2021] ssl_cli.c:1640: |3| server hello, chosen ciphersuite: TLS-RSA-WITH-AES-128-CBC-SHA
[Sat Dec 04 22:25:21.460 2021] ssl_cli.c:1671: |2| server hello, total extension length: 9
[Sat Dec 04 22:25:21.475 2021] ssl_cli.c:1741: |3| found extended_master_secret extension
[Sat Dec 04 22:25:21.491 2021] ssl_cli.c:1689: |3| found renegotiation extension
[Sat Dec 04 22:25:21.505 2021] ssl_cli.c:1859: |2| <= parse server hello
[Sat Dec 04 22:25:21.506 2021] ssl_cli.c:3279: |2| client state: 3
[Sat Dec 04 22:25:21.521 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:21.537 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:21.537 2021] ssl_tls.c:4227: |2| => parse certificate
[Sat Dec 04 22:25:21.554 2021] ssl_tls.c:3732: |2| => read record
[Sat Dec 04 22:25:21.554 2021] ssl_tls.c:2212: |2| => fetch input
[Sat Dec 04 22:25:21.569 2021] ssl_tls.c:2370: |2| in_left: 0, nb_want: 5
[Sat Dec 04 22:25:21.586 2021] ssl_tls.c:2394: |2| in_left: 0, nb_want: 5
[Sat Dec 04 22:25:21.587 2021] ssl_tls.c:2395: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
[Sat Dec 04 22:25:21.621 2021] ssl_tls.c:2407: |2| <= fetch input
[Sat Dec 04 22:25:21.622 2021] ssl_tls.c:3483: |4| dumping 'input record header' (5 bytes)
[Sat Dec 04 22:25:21.644 2021] ssl_tls.c:3483: |4| 0000:  16 03 03 0f d3                                   .....
[Sat Dec 04 22:25:21.667 2021] ssl_tls.c:3492: |3| input record: msgtype = 22, version = [3:3], msglen = 4051
[Sat Dec 04 22:25:21.682 2021] ssl_tls.c:2212: |2| => fetch input
[Sat Dec 04 22:25:21.682 2021] ssl_tls.c:2370: |2| in_left: 5, nb_want: 4056
[Sat Dec 04 22:25:21.696 2021] ssl_tls.c:2394: |2| in_left: 5, nb_want: 4056
[Sat Dec 04 22:25:21.713 2021] ssl_tls.c:2395: |2| ssl->f_recv(_timeout)() returned 2729 (-0xfffff557)
[Sat Dec 04 22:25:21.729 2021] ssl_tls.c:2394: |2| in_left: 2734, nb_want: 4056
[Sat Dec 04 22:25:21.745 2021] ssl_tls.c:2395: |2| ssl->f_recv(_timeout)() returned 1322 (-0xfffffad6)
[Sat Dec 04 22:25:21.776 2021] ssl_tls.c:2407: |2| <= fetch input
.
.
.
[Sat Dec 04 22:25:36.086 2021] ssl_tls.c:3757: |2| <= read record
[Sat Dec 04 22:25:36.102 2021] ssl_tls.c:5223: |2| <= parse finished
[Sat Dec 04 22:25:36.118 2021] ssl_cli.c:3279: |2| client state: 14
[Sat Dec 04 22:25:36.119 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:36.134 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:36.135 2021] ssl_cli.c:3390: |2| handshake: done
[Sat Dec 04 22:25:36.151 2021] ssl_cli.c:3279: |2| client state: 15
[Sat Dec 04 22:25:36.168 2021] ssl_tls.c:2420: |2| => flush output
[Sat Dec 04 22:25:36.168 2021] ssl_tls.c:2432: |2| <= flush output
[Sat Dec 04 22:25:36.184 2021] ssl_tls.c:4973: |3| => handshake wrapup
[Sat Dec 04 22:25:36.201 2021] ssl_tls.c:4946: |3| => handshake wrapup: final free
[Sat Dec 04 22:25:36.214 2021] ssl_tls.c:4966: |3| <= handshake wrapup: final free
[Sat Dec 04 22:25:36.215 2021] ssl_tls.c:5028: |3| <= handshake wrapup
[Sat Dec 04 22:25:36.230 2021] ssl_tls.c:6354: |2| <= handshake
[Sat Dec 04 22:25:36.246 2021] 
[Sat Dec 04 22:25:36.246 2021] [48899]mqtt:ssl handshake success

That means the problem is probably on the MQTT level. Why does my device receive a CONNACK with return code 5 (The Client is not authorized to connect) on the MQTT packet level?

Regards,
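
Added example, not part of the original post or the poster's library: a minimal C parser for the 88-byte ClientHello record dumped in the log above, showing that the record-layer version `[3:1]` is separate from the offered version `[3:3]` and listing which ciphersuites and extensions the device actually sent. The function names are hypothetical; the check for the `server_name` (SNI) extension is included on the assumption, not stated in this thread, that a hosted broker serving many clusters under one wildcard certificate may rely on it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 88-byte 'output record sent to network' copied from the device log above. */
static const uint8_t PAGE_HELLO[] = {
    0x16,0x03,0x01,0x00,0x53,0x01,0x00,0x00,0x4f,0x03,0x03,0x60,0x08,0xe8,0x12,0x37,
    0x30,0xea,0x3b,0x8f,0x1b,0xe3,0x3a,0xa4,0x47,0x62,0x3e,0x78,0xd2,0xe6,0x3e,0xed,
    0x1c,0xe6,0x3c,0xa3,0x56,0xe4,0x3c,0xe9,0x71,0xe4,0x3d,0x00,0x00,0x0a,0x00,0x3d,
    0x00,0x35,0x00,0x3c,0x00,0x2f,0x00,0xff,0x01,0x00,0x00,0x1c,0x00,0x0d,0x00,0x0c,
    0x00,0x0a,0x06,0x01,0x05,0x01,0x04,0x01,0x03,0x01,0x02,0x01,0x00,0x16,0x00,0x00,
    0x00,0x17,0x00,0x00,0x00,0x23,0x00,0x00 };

#define EXT_SERVER_NAME 0   /* SNI extension type (RFC 6066) */
#define MAX_ITEMS 16

typedef struct {
    int ok;                 /* 1 if the whole ClientHello parsed cleanly */
    uint16_t record_ver;    /* record-layer version, e.g. 0x0301 */
    uint16_t client_ver;    /* highest version offered, e.g. 0x0303 = TLS 1.2 */
    int n_suites; uint16_t suites[MAX_ITEMS];
    int n_exts;   uint16_t exts[MAX_ITEMS];
} hello_info;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

hello_info parse_client_hello(const uint8_t *b, size_t n)
{
    hello_info h = {0};
    size_t i = 9, end, hs_len;
    if (n < 9 || b[0] != 0x16 || b[5] != 0x01) return h;  /* handshake record, ClientHello */
    h.record_ver = be16(b + 1);
    hs_len = ((size_t)b[6] << 16) | ((size_t)b[7] << 8) | b[8];
    if ((size_t)be16(b + 3) + 5 > n || hs_len + 9 > (size_t)be16(b + 3) + 5) return h;
    n = 9 + hs_len;                      /* stay inside the handshake body */
    if (i + 2 + 32 + 1 > n) return h;
    h.client_ver = be16(b + i);
    i += 2 + 32;                         /* skip version and random */
    i += 1 + (size_t)b[i];               /* skip session id */
    if (i + 2 > n) return h;
    end = i + 2 + be16(b + i);           /* ciphersuite list */
    if (end > n) return h;
    for (i += 2; i + 2 <= end; i += 2)
        if (h.n_suites < MAX_ITEMS) h.suites[h.n_suites++] = be16(b + i);
    i = end;
    if (i >= n) return h;
    i += 1 + (size_t)b[i];               /* skip compression methods */
    if (i == n) { h.ok = 1; return h; }  /* hello without extensions */
    if (i + 2 > n) return h;
    end = i + 2 + be16(b + i);           /* extensions block */
    if (end > n) return h;
    for (i += 2; i + 4 <= end; i += 4 + be16(b + i + 2)) {
        if (i + 4 + be16(b + i + 2) > end) return h;   /* extension overruns block */
        if (h.n_exts < MAX_ITEMS) h.exts[h.n_exts++] = be16(b + i);
    }
    h.ok = (i == end);
    return h;
}

/* 1 if the ClientHello carries an extension of the given type. */
int offers_ext(const uint8_t *b, size_t n, uint16_t type)
{
    hello_info h = parse_client_hello(b, n);
    for (int k = 0; h.ok && k < h.n_exts; k++)
        if (h.exts[k] == type) return 1;
    return 0;
}

int main(void)
{
    hello_info h = parse_client_hello(PAGE_HELLO, sizeof PAGE_HELLO);
    printf("record version %04x, offered version %04x\n", h.record_ver, h.client_ver);
    for (int k = 0; k < h.n_suites; k++) printf("ciphersuite 0x%04x\n", h.suites[k]);
    for (int k = 0; k < h.n_exts; k++) printf("extension %u\n", h.exts[k]);
    printf("server_name (SNI) offered: %s\n",
           offers_ext(PAGE_HELLO, sizeof PAGE_HELLO, EXT_SERVER_NAME) ? "yes" : "no");
    return 0;
}
```

On the logged record this reports offered version 0x0303 (TLS 1.2), five ciphersuites, and extensions 13, 22, 23 and 35, with no `server_name` extension.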

@Daria_H
I will share my cluster name & client device id here. I’d appreciate it if you could check with your backend team what happened that made my device unauthorized to connect.

Cluster name: d67a427597bb4932afaf0bc9d28c3cb8.s2.eu.hivemq.cloud
Client id name: 99edc60e-0ab8-4bbc-88fd-0fc71ac62121
Recent connection attempt date and time: 8 Dec ’21 around 4:01 PM (UTC+7)

Regards,

Hey @chaiyasitr

As you see a CONNACK, I highly doubt that TLS is the problem - the broker would not be able to receive the CONNECT and send out the CONNACK in that case.

My best bet right now is a wrong encoding of the password. In order to check this, the easiest way would be to catch a CONNECT packet from your C library with the password “test” and username “testuser” without TLS. You can set broker.hivemq.com:1883 as the target broker.
Tools like Wireshark should be able to decode the packet and show you the password they see in your CONNECT packet. If the password is “test” and username is “testuser”, we need to dig deeper.
It would really help if you could do this and share your results.

I do not have the possibility to do an investigation on the cluster logs inside the cloud broker unfortunately.

Best Regards,

Daniel from the HiveMQ Team

@DKrueger
Thank you for your suggestion.

For your information, I did verify the same code with other brokers (AWS, Azure, EMQX) and the results show no problem; it also connects to broker.hivemq.com:1883 without any issue.

regards,

Hi chaiyasit,

Thanks for providing more info! At this point it looks like your MQTT library works well with broker.hivemq.com:1883 (no encryption, no authorisation), but has an issue with authorisation-using brokers.
To help us figure out what could possibly go wrong with authorisation, let’s first summarise the issue:

  • there is a custom C library implementing an MQTT Client (MQTT/MQTTFreeRTOS.h at master · zhouzj123/MQTT · GitHub)
  • there is working code, connecting the client to the HiveMQ Cloud broker with TLS
  • the client makes a connection to the broker successfully and receives a CONNACK as connection acknowledgement (== TLS connection established)
  • the issue is that the CONNACK contains only an error code 5 NOT_AUTHORISED
  • you have proven with another MQTT Client (Websocket client) that the username and password are correct (I did not see your screenshots, but I trust your words)
  • when the same username and password strings are used in your C code – auth fails

The password string should be encoded before being sent to the server. When you are using an app, the app does the encryption for you. When you are writing your own code, you might need to implement the encryption by yourself – it depends on the library you use.

Hence my 1st question: how do you treat the password in your code? Do you encrypt it or does the library do it for you?

2nd question: you have mentioned that your code works well with a number of other MQTT brokers. Do you have it working with another similar MQTT Broker, i.e. one that is using encryption and authorisation, for example test.mosquitto.org:8885?

Thanks,
Dasha from HiveMQ Team

@Daria_H
Hi Dasha,

Thank you for support.

I will answer your two questions here.

Hence my 1st question: how do you treat the password in your code? Do you encrypt it or does the library do it for you?

The Username & Password on the MQTT level were encrypted via TLS by the library.

2nd question: you have mentioned that your code works well with a number of other MQTT brokers. Do you have it working with another similar MQTT Broker, i.e. one that is using encryption and authorisation, for example test.mosquitto.org:8885?

Yes, I connected successfully (http://test.mosquitto.org:8885) with the authenticated username & password below, as mentioned on https://test.mosquitto.org/

The authenticated listeners require a username / password:
rw/readwrite : read/write access to the # topic hierarchy

Below is the log from my device, which can run the MQTT echo without any problem on http://test.mosquitto.org:8885

[Sat Feb 19 15:16:05.366 2022] [5087]mqtt:Connect Network “test.mosquitto.org
[Sat Feb 19 15:16:05.412 2022]
[Sat Feb 19 15:16:05.412 2022] [5125]mqtt:addr = 5.196.95.208
[Sat Feb 19 15:16:08.517 2022]
[Sat Feb 19 15:16:08.518 2022] [8232]mqtt:root_crt parse done
[Sat Feb 19 15:16:08.914 2022]
[Sat Feb 19 15:16:08.914 2022] [8632]mqtt:
[Sat Feb 19 15:16:08.915 2022] Verify requested for (Depth 1):
[Sat Feb 19 15:16:08.931 2022]
[Sat Feb 19 15:16:08.931 2022]
[Sat Feb 19 15:16:08.931 2022] [8647]mqtt:cert. version : 3
[Sat Feb 19 15:16:08.932 2022] serial number : 05:8D:61:94:21:AF:76:3E:0D:84:15:E4:67:FB:8B:51:93:48:2C:0C
[Sat Feb 19 15:16:08.965 2022] issuer name : C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=CA, CN=mosquitto.org, emailAddress=roger@atchoo.org
[Sat Feb 19 15:16:08.995 2022] subject name : C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=CA, CN=mosquitto.org, emailAddress=roger@atchoo.org
[Sat Feb 19 15:16:09.026 2022] issued on : 2020-06-09 11:06:39
[Sat Feb 19 15:16:09.027 2022] expires on : 2030-06-07 11:06:39
[Sat Feb 19 15:16:09.042 2022] signed using : RSA with SHA-256
[Sat Feb 19 15:16:09.057 2022] RSA key size : 2048 bits
[Sat Feb 19 15:16:09.058 2022] basic constraints : CA=true
[Sat Feb 19 15:16:09.073 2022]
[Sat Feb 19 15:16:09.074 2022]
[Sat Feb 19 15:16:09.074 2022] [8790]mqtt: This certificate has no flags
[Sat Feb 19 15:16:09.088 2022]
[Sat Feb 19 15:16:09.088 2022]
[Sat Feb 19 15:16:09.088 2022] [8803]mqtt:
[Sat Feb 19 15:16:09.088 2022] Verify requested for (Depth 0):
[Sat Feb 19 15:16:09.089 2022]
[Sat Feb 19 15:16:09.104 2022]
[Sat Feb 19 15:16:09.104 2022] [8818]mqtt:cert. version : 1
[Sat Feb 19 15:16:09.105 2022] serial number : 7D:D3:9B:4F:DC:5B:F7:2D:0F:0C:04:7E:B8:F3:23:9E:C1:9B:B7:B7
[Sat Feb 19 15:16:09.121 2022] issuer name : C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=CA, CN=mosquitto.org, emailAddress=roger@atchoo.org
[Sat Feb 19 15:16:09.153 2022] subject name : C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=Public server, CN=test.mosquitto.org
[Sat Feb 19 15:16:09.184 2022] issued on : 2020-06-09 11:21:56
[Sat Feb 19 15:16:09.200 2022] expires on : 2030-06-06 11:21:56
[Sat Feb 19 15:16:09.215 2022] signed using : RSA with SHA-256
[Sat Feb 19 15:16:09.216 2022] RSA key size : 2048 bits
[Sat Feb 19 15:16:09.232 2022]
[Sat Feb 19 15:16:09.232 2022]
[Sat Feb 19 15:16:09.232 2022] [8949]mqtt: This certificate has no flags
[Sat Feb 19 15:16:09.247 2022]
[Sat Feb 19 15:16:09.999 2022]
[Sat Feb 19 15:16:10.000 2022] [9717]mqtt:ssl handshake success
[Sat Feb 19 15:16:10.018 2022]
[Sat Feb 19 15:16:10.018 2022] [9729]mqtt:“test.mosquitto.org” Connected
[Sat Feb 19 15:16:10.020 2022]
[Sat Feb 19 15:16:10.034 2022] [9741]mqtt:Start MQTT connection
[Sat Feb 19 15:16:10.350 2022]
[Sat Feb 19 15:16:10.350 2022] [10073]mqtt:Read packet type: 2
[Sat Feb 19 15:16:10.372 2022]
[Sat Feb 19 15:16:10.372 2022] [10082]mqtt:MQTT Connected
[Sat Feb 19 15:16:10.373 2022]
[Sat Feb 19 15:16:10.373 2022] [10090]mqtt:Subscribe to Topic: Topic/Test/Device/#
[Sat Feb 19 15:16:10.716 2022]
[Sat Feb 19 15:16:10.716 2022] [10439]mqtt:Read packet type: 9
[Sat Feb 19 15:16:10.738 2022]
[Sat Feb 19 15:16:10.739 2022] [10448]mqtt:Publish on topic Topic/Test/Device/Device001: hello from Device001 1
[Sat Feb 19 15:16:10.763 2022]
[Sat Feb 19 15:16:11.082 2022]
[Sat Feb 19 15:16:11.083 2022] [10801]mqtt:Read packet type: 3
[Sat Feb 19 15:16:11.104 2022]
[Sat Feb 19 15:16:11.104 2022] [10810]mqtt:Message arrived on topic Topic/Test/Device/Device001: hello from Device001 1
[Sat Feb 19 15:16:11.123 2022]
[Sat Feb 19 15:16:11.123 2022]
[Sat Feb 19 15:16:11.123 2022] [10838]mqtt:Read packet type: 4
[Sat Feb 19 15:16:12.133 2022]
[Sat Feb 19 15:16:13.135 2022]
[Sat Feb 19 15:16:13.136 2022] [12859]mqtt:Publish on topic Topic/Test/Device/Device001: hello from Device001 2
[Sat Feb 19 15:16:13.166 2022]
[Sat Feb 19 15:16:13.500 2022]
[Sat Feb 19 15:16:13.500 2022] [13218]mqtt:Read packet type: 3
[Sat Feb 19 15:16:13.501 2022]
[Sat Feb 19 15:16:13.501 2022] [13227]mqtt:Message arrived on topic Topic/Test/Device/Device001: hello from Device001 2
[Sat Feb 19 15:16:13.532 2022]
[Sat Feb 19 15:16:13.532 2022]
[Sat Feb 19 15:16:13.532 2022] [13255]mqtt:Read packet type: 4
[Sat Feb 19 15:16:14.537 2022]
[Sat Feb 19 15:16:15.556 2022]
[Sat Feb 19 15:16:15.557 2022] [15276]mqtt:Publish on topic Topic/Test/Device/Device001: hello from Device001 3
[Sat Feb 19 15:16:15.581 2022]
[Sat Feb 19 15:16:15.923 2022]
[Sat Feb 19 15:16:15.924 2022] [15635]mqtt:Read packet type: 3
[Sat Feb 19 15:16:15.926 2022]
[Sat Feb 19 15:16:15.926 2022] [15644]mqtt:Message arrived on topic Topic/Test/Device/Device001: hello from Device001 3
[Sat Feb 19 15:16:15.952 2022]
[Sat Feb 19 15:16:15.952 2022]
[Sat Feb 19 15:16:15.952 2022] [15672]mqtt:Read packet type: 4

Hope this will help us narrow down the root cause.

Regards,

Hi chaiyasitr,

Thanks for the info. It is great that you can confirm that your code works with at least one broker successfully. Now please think: what is it that you are doing differently when attempting a connection to the HiveMQ broker?

  • source code (share the working version)
  • server certificate (how exactly you get and use it)

Thanks
Dasha from HiveMQ Team

@Daria_H
Thank you for your support.

Below is the information you requested.

  1. This picture confirms that my cluster works on web socket port 8884.

  2. Here is the source code that I used for evaluation. As you can see, it is very easy to switch between the HiveMQ Cloud cluster & http://test.mosquitto.org:8885 by just commenting out #define USE_HIVEMQ_CLOUD

#define USE_HIVEMQ_CLOUD

#ifdef USE_HIVEMQ_CLOUD
#define MQTT_BROKER "a02edcfce43443e09599dbb82cbc2672.s1.eu.hivemq.cloud"
#define MQTT_PORT (8883)
#define MQTT_USER_NAME "TestDevice001"
#define MQTT_PASSWORD "xxxxxxxx"

/* Root CA (PEM) used for the HiveMQ Cloud cluster */
char* rootCABuff = "-----BEGIN CERTIFICATE-----\n" \
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n" \
"-----END CERTIFICATE-----\n";

#else
#define MQTT_BROKER "test.mosquitto.org"
#define MQTT_PORT (8885)
#define MQTT_USER_NAME "rw"
#define MQTT_PASSWORD "readwrite"

/* Root CA (PEM) used for test.mosquitto.org */
char* rootCABuff = "-----BEGIN CERTIFICATE-----\n" \
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n" \
"-----END CERTIFICATE-----\n";

#endif

char* address = MQTT_BROKER;
char* username = MQTT_USER_NAME;
char* password = MQTT_PASSWORD;

/* TLS with server verification only: no client certificate or key */
NetworkInit(&network);
network.rootCA = (char*)rootCABuff;
network.clientCA = NULL;
network.private_key = NULL;
network.use_ssl = 1;
MQTTClientInit(&client, &network, 30000, sendbuf, sizeof(sendbuf), readbuf, sizeof(readbuf));

/* Retry the TCP/TLS connection once per second until it succeeds */
mqtt_printf(MQTT_INFO, "Connect Network \"%s\"", address);
while ((rc = NetworkConnect(&network, address, MQTT_PORT)) != 0) {
    mqtt_printf(MQTT_INFO, "Return code from network connect is %d\n", rc);
    vTaskDelay(1000 / portTICK_PERIOD_MS);
}
mqtt_printf(MQTT_INFO, "\"%s\" Connected", address);

connectData.username.cstring = username;
connectData.password.cstring = password;
connectData.MQTTVersion = 4; // 4 = Version 3.1.1
connectData.clientID.cstring = "Device001";
connectData.cleansession = 1;

/* Retry the MQTT CONNECT once per second until the broker accepts it */
mqtt_printf(MQTT_INFO, "Start MQTT connection");
while ((rc = MQTTConnect(&client, &connectData)) != 0) {
    mqtt_printf(MQTT_INFO, "Return code from MQTT connect is %d\n", rc);
    vTaskDelay(1000 / portTICK_PERIOD_MS);
}
mqtt_printf(MQTT_INFO, "MQTT Connected");

  3. For the server certificate.
    Below is the one for test.mosquitto.org
    https://test.mosquitto.org/ssl/mosquitto.org.crt

And for the HiveMQ Cloud cluster I picked it up following the FAQ below.

My device requires a server CA file to connect via TLS. How can I generate this for my HiveMQ Cloud instance?

https://community.hivemq.com/t/frequently-asked-questions/514

Then the server certificate is embedded in the char* rootCABuff code above.

Regards,

Hi chaiyasitr,

The fastest way would be to get a packet-level record of the actual connect packet sent out by the client and inspect that. This can be done with Wireshark. And then compare the output produced by these tools with the output captured from mqtt.fx.
I would guess that the library has an encoding issue along the way. One way to prove this would be to give the password in the client implementation as a char * type and not as a string.

The passwords in the public mosquitto test broker are hard coded and use ASCII characters only. This is why it has no encoding issue.

Kind regards,
Dasha from HiveMQ Team
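
Added example (not from the thread's participants or the Paho library): a small C decoder for an MQTT 3.1.1 CONNECT packet, doing by hand the check suggested in the replies above, where a capture of the CONNECT is decoded to see which username and password bytes actually go on the wire. Both packets are constructed samples using the suggested `testuser` / `test` credentials and the thread's `Device001` client ID; `decode_connect` and `password_matches` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the CONNECT expected for testuser / test. */
static const uint8_t SAMPLE_OK[] = { 0x10, 37,   /* CONNECT, remaining length */
    0, 4, 'M', 'Q', 'T', 'T', 4, 0xC2, 0, 60,    /* 3.1.1, user|pass|clean, keepalive */
    0, 9, 'D', 'e', 'v', 'i', 'c', 'e', '0', '0', '1',
    0, 8, 't', 'e', 's', 't', 'u', 's', 'e', 'r', 0, 4, 't', 'e', 's', 't' };
/* Constructed sample: same packet, but one password byte is Latin-1 0xE9. */
static const uint8_t SAMPLE_BAD[] = { 0x10, 37,
    0, 4, 'M', 'Q', 'T', 'T', 4, 0xC2, 0, 60,
    0, 9, 'D', 'e', 'v', 'i', 'c', 'e', '0', '0', '1',
    0, 8, 't', 'e', 's', 't', 'u', 's', 'e', 'r', 0, 4, 't', 0xE9, 's', 't' };

typedef struct {
    int ok;                 /* 1 if the whole packet parsed cleanly */
    uint8_t level, flags;   /* level 4 = MQTT 3.1.1 */
    uint16_t keepalive;
    char client_id[64], username[64];
    uint8_t password[64];   /* binary data in MQTT, not a C string */
    size_t password_len;
    int password_ascii;     /* 0 if any byte is outside 0x20..0x7e */
} connect_info;

/* Copy one 2-byte-length-prefixed field; returns its length or -1. */
static int read_field(const uint8_t *b, size_t n, size_t *pos, uint8_t *out, size_t cap)
{
    if (*pos + 2 > n) return -1;
    size_t len = ((size_t)b[*pos] << 8) | b[*pos + 1];
    if (*pos + 2 + len > n || len >= cap) return -1;
    memcpy(out, b + *pos + 2, len); out[len] = 0;
    *pos += 2 + len;
    return (int)len;
}

connect_info decode_connect(const uint8_t *b, size_t n)
{
    connect_info c;
    uint8_t tmp[64];
    size_t pos = 1, rem = 0;
    int shift = 0, len = 0;
    memset(&c, 0, sizeof c);
    if (n < 2 || (b[0] >> 4) != 1) return c;          /* packet type 1 = CONNECT */
    do {                                               /* variable-length remaining length */
        if (pos >= n || shift > 21) return c;
        rem |= (size_t)(b[pos] & 0x7f) << shift; shift += 7;
    } while (b[pos++] & 0x80);
    if (pos + rem > n) return c;                       /* truncated capture */
    n = pos + rem;
    if (read_field(b, n, &pos, tmp, sizeof tmp) != 4 || memcmp(tmp, "MQTT", 4)) return c;
    if (pos + 4 > n) return c;
    c.level = b[pos]; c.flags = b[pos + 1];
    c.keepalive = (uint16_t)((b[pos + 2] << 8) | b[pos + 3]);
    pos += 4;
    if (read_field(b, n, &pos, (uint8_t *)c.client_id, sizeof c.client_id) < 0) return c;
    if ((c.flags & 0x04) &&                            /* will topic + message: skipped */
        (read_field(b, n, &pos, tmp, sizeof tmp) < 0 ||
         read_field(b, n, &pos, tmp, sizeof tmp) < 0)) return c;
    if ((c.flags & 0x80) &&
        read_field(b, n, &pos, (uint8_t *)c.username, sizeof c.username) < 0) return c;
    if ((c.flags & 0x40) &&
        (len = read_field(b, n, &pos, c.password, sizeof c.password)) < 0) return c;
    c.password_len = (size_t)len;
    c.password_ascii = 1;
    for (size_t i = 0; i < c.password_len; i++)
        if (c.password[i] < 0x20 || c.password[i] > 0x7e) c.password_ascii = 0;
    c.ok = (pos == n);
    return c;
}

/* 1 if the password bytes on the wire are exactly the configured string. */
int password_matches(const uint8_t *pkt, size_t n, const char *expected)
{
    connect_info c = decode_connect(pkt, n);
    return c.ok && (c.flags & 0x40) && c.password_len == strlen(expected) &&
           memcmp(c.password, expected, c.password_len) == 0;
}

int main(void)
{
    connect_info c = decode_connect(SAMPLE_BAD, sizeof SAMPLE_BAD);
    printf("client=%s user=%s password bytes:", c.client_id, c.username);
    for (size_t i = 0; i < c.password_len; i++) printf(" %02x", c.password[i]);
    printf("\nascii-only=%d matches \"test\"=%d\n", c.password_ascii,
           password_matches(SAMPLE_BAD, sizeof SAMPLE_BAD, "test"));
    return 0;
}
```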

Any updates on this issue? I am facing the same problem.

In MQTT.FX I can’t connect to the cloud HIVE broker; I get a NOT_AUTHORIZED reply.

@nofan I’m very busy with the job on hand and still do not have time to continue evaluating this issue.
I will try to use MQTT.FX soon.

@Daria_H Do you have any more suggestions for @nofan?

Regards,

@chaiyasitr I’m not using HiveMQ MQTT.FX version … I am using the original version from SoftBlade.
I connected to Mosquitto 8884 and 8883 with neither TLS nor credential problems, but when connecting to my HiveMQ cluster on 8883 I get a NOT_AUTHENTICATED reply. Connections to 1883 are good. I think it has something to do with the encoding and the way they read incoming data.

@Daria_H I have used char * , strings and every other way you can think of with no luck on connecting to port 8883 with TLS and credentials.

@chaiyasitr Which modem are you using? Quectel?

@nofan I’m using a Realtek Wi-Fi development board.

Can you connect to test.mosquitto.org:8885 with the authenticated username & password below, as mentioned on https://test.mosquitto.org/ ?

  • rw / readwrite : read/write access to the # topic hierarchy
  • ro / readonly : read only access to the # topic hierarchy
  • wo / writeonly : write only access to the # topic hierarchy

Regards,