Client is not authorized to connect

@DKrueger @Daria_H
Any more suggestions for our issue? Did you have a chance to have a look at the listeners?

Regards,

I am trying to connect a device from the Iotify simulator (web address: iotify.io) to the HiveMQ broker.

When I use the public address and the MQTT protocol, everything is OK, but when I try to connect the device to the MQTT cloud broker on the free service with MQTT over TLS, the client side says not authorized!

I have been searching and reading topics for 2 days, but the problem is still not solved!

Also, I want to deploy HiveMQ locally, but after installing, the HiveMQ service restarts repeatedly every second!

Please guide me!

Hi @arctrus,

Thanks for sharing this. Your local deployment might fail due to insufficient resources:

Does your hardware meet Minimum Hardware Requirements?

For connecting to the HiveMQ Cloud broker you need to enable TLS, specify port 8883, supply Username and Password. Your client should have the TLS extension Server Name Indication (SNI) enabled. Please refer to this post that explains how to check this.

I hope this helps,
Dasha from HiveMQ team

Any update on this issue? I am facing the same issue. Other brokers work, free HiveMQ works, but HiveMQ Cluster with username does not work…

In the discussion, encoding and encryption are mentioned. Any reference on how HiveMQ Cluster is implemented?

The issue is not in TLS

The issue is on MQTT level during connection.

Mosquitto, Azure, AWS work.

I am also having this issue. I’m using BG95 and this is quite frustrating…

I found the resolution to be enabling SNI on the BG95 by doing:
AT+QSSLCFG="SNI","Your SSL Context ID",1 for example:
AT+QSSLCFG="SNI",1,1 worked for me

Here’s what SNI is for reference: https://www.cloudflare.com/learning/ssl/what-is-sni/


I was having the same symptoms as @chaiyasitr and it was @simon_b who solved this in my case.

To confirm symptoms I had:
TLS Ver1.2 with SNI enabled handshake succeeded.
But CONNECT resulted in CONNACK return value of 5: CONN_REFUSED_NOT_AUTHORIZED

Analyzed Wireshark logs as advised in this thread
and inside the TLS Client Hello: server name was being sent (by my client code incorrectly) as an IP address rather than the required server name as shown in the screenshot by simon_b above.

So I changed my client code to use the correct server name rather than the IP address and I now get:
CONNACK return value of 0: “Connection Accepted”

Thank you for the comment that helped me resolve this Simon!

That’s what did it for me:

def wrap_socket(self, sock, *args, **kwargs):
    kwargs['server_hostname'] = self._server_hostname
    return super().wrap_socket(sock, *args, **kwargs)

Passing server_hostname as **ssl_params on ssl.wrap_socket().
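
Added example, not code from any poster in this thread or from HiveMQ: a Python check for the failure the thread converges on, where the TLS handshake succeeds but the broker answers CONNECT with CONNACK return code 5 because the client sent no usable SNI name. The function names and the sample packet are constructed for illustration; the packet layout and return codes are those of MQTT 3.1.1, and port 8883 is the one named above.

```python
import ipaddress
import socket
import ssl

# MQTT 3.1.1 CONNACK return codes (specification section 3.2.2.3).
CONNACK_CODES = {
    0: "Connection Accepted",
    1: "Refused: unacceptable protocol version",
    2: "Refused: identifier rejected",
    3: "Refused: server unavailable",
    4: "Refused: bad user name or password",
    5: "Refused: not authorized",
}
# Constructed sample: CONNACK, remaining length 2, no session, return code 5.
SAMPLE_REFUSED = bytes([0x20, 0x02, 0x00, 0x05])


def sni_problem(host):
    """Return why `host` cannot serve as an SNI name, or None if it can."""
    if not host:
        return "no server name given, so no SNI extension is sent"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP literal, usable as a DNS host name
    return "IP literal: SNI carries DNS host names only"


def parse_connack(packet):
    """Decode a 4-byte MQTT 3.1.1 CONNACK into (session_present, code, text)."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not an MQTT 3.1.1 CONNACK packet")
    code = packet[3]
    return bool(packet[2] & 0x01), code, CONNACK_CODES.get(code, "reserved")


def open_tls(host, port=8883, timeout=10):
    """Open a verified TLS connection that sends `host` as the SNI name."""
    problem = sni_problem(host)
    if problem:
        raise ValueError(f"refusing to connect to {host!r}: {problem}")
    ctx = ssl.create_default_context()  # verifies certificate and host name
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

Calling `open_tls()` with the broker's DNS name, not its resolved IP address, is what puts the name in the TLS Client Hello; `parse_connack()` then distinguishes return code 5 from code 4 (wrong credentials) when reading the broker's reply.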