SSL: CERTIFICATE_VERIFY_FAILED with isrg-root-x2.pem

Hi,
I am trying to connect using the ECC root CA from Let’s Encrypt. It doesn’t look like the server supports this cert.

self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

I could establish a connection with the RSA root isrg-root-x1.pem, but my project requires ECC (meaning I will have to connect from an IoT device that does not support RSA).

Q: Does the server support ECC or am I doing something wrong here?

BTW, neither the Paho C client nor the Python one works out of the box from your 'Getting started' page.

Getting started with Paho C

x86$ make
[ 77%] Built target common_obj_static
[ 83%] Built target paho-mqtt3c-static
Consolidate compiler generated dependencies of target hello
[ 87%] Building CXX object CMakeFiles/hello.dir/src/hello.cpp.o
[ 90%] Linking CXX executable hello
[ 90%] Built target hello
[100%] Built target paho-mqtt3a-static
x86$ ./hello
callback: -1
is connected -1
Segmentation fault (core dumped)

Getting started with Paho Python

py$ python alexd.hivemq.cloud.py
Traceback (most recent call last):
  File "alexd.hivemq.cloud.py", line 52, in <module>
    client.connect("38065fa2b86143379f23f413f1476a92.s2.eu.hivemq.cloud", 8883)
  File "/home/ad/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
  File "/home/ad/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

For the Python example, I was able to run it with the certificate provided or by disabling the check.

client.tls_set(tls_version=mqtt.client.ssl.PROTOCOL_TLS, ca_certs="isrg-root-x1.pem")

client.tls_set(tls_version=mqtt.client.ssl.PROTOCOL_TLS, cert_reqs=mqtt.client.ssl.CERT_NONE)

But as for the C-example, I couldn’t make it work.

I would say it is not a very good advertisement for your product!

Hi @alex.d

  1. Your MQTT client library must support and use the TLS SNI extension (Server Name Indication). It adds the server name to the TLS Client Hello packet.
  2. HiveMQ Cloud Free & PayG uses Let’s Encrypt certificates; those certificates are no longer trusted by some older browsers/devices. If the certificate is not in the truststore of your MQTT client library, you can download the root certificate here: https://letsencrypt.org/certs/isrgrootx1.pem

I hope this helps
Kind regards,
Dasha

Thanks, Dasha, but that is not what I asked!

Let’s Encrypt has two certs as root. One is RSA (isrg-root-x1), and the other is ECC (isrg-root-x2).

You say and I quote here:

HiveMQ Cloud Free & PayG uses Let’s Encrypt certificates

‘Certificates’, plural, which assumes that both are supported, but I couldn’t make it work with ECC. That is where my question originated:

Q: Does the server support ECC cert (isrg-root-x2)? b/c I wasn’t able to make it work with ECC, but it works fine with RSA.
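
The error from the traceback above, reproduced offline as an added example (not code from the thread or from HiveMQ): OpenSSL reports "unable to get local issuer certificate" when the certificate being checked was issued by a CA that is not among the configured trust anchors, and the key type of the server certificate does not decide which root that is. The two roots and the host name are constructed stand-ins; the thread does not state which root the broker's chain ends at.

```sh
#!/bin/sh
# Added example: every CA and host name here is a constructed stand-in.

# Create two self-signed roots and one server certificate in directory $1.
make_demo_pki() {
    d=$1
    # RSA root (plays the role of a file like isrg-root-x1.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo RSA Root" \
        -keyout "$d/rsa-root.key" -out "$d/rsa-root.pem" 2>/dev/null
    # ECDSA root (plays the role of a file like isrg-root-x2.pem)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec-root.key"
    openssl req -x509 -new -key "$d/ec-root.key" -days 1 \
        -subj "/CN=Demo ECDSA Root" -out "$d/ec-root.pem" 2>/dev/null
    # Server certificate: ECDSA key, but issued by the RSA root
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -subj "/CN=broker.example.test" \
        -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rsa-root.pem" \
        -CAkey "$d/rsa-root.key" -CAcreateserial -days 1 \
        -out "$d/leaf.pem" 2>/dev/null
}

# Verify certificate $2 against the roots in file $1 (system CA directory excluded).
verify_with() {
    openssl verify -no-CApath -CAfile "$1" "$2" 2>&1
}

# Print the issuer of certificate $1: this names the CA the client must trust.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

run_demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "server certificate $(issuer_of "$d/leaf.pem")"
    for root in rsa-root.pem ec-root.pem; do
        if out=$(verify_with "$d/$root" "$d/leaf.pem"); then
            echo "$root: chain verifies"
        else
            echo "$root: $(echo "$out" | grep 'unable to get local issuer')"
        fi
    done
    rm -rf "$d"
}
run_demo
```

In the Python client shown in the thread, the file passed as `ca_certs` to `tls_set` plays the role of `-CAfile` here.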