Hi,
I am trying to connect using ECC root CA from Let’s Encrypt. It doesn’t look like the server supports this cert.
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
I could establish a connection with the RSA root isrg-root-x1.pem, but my project requires ECC (meaning I will have to connect from an IoT device that does not support RSA).
Q: Does the server support ECC or am I doing something wrong here?
BTW, neither paho C client nor Python works out of the box from your 'Getting started page.
Getting started with Paho C
x86$ make
[ 77%] Built target common_obj_static
[ 83%] Built target paho-mqtt3c-static
Consolidate compiler generated dependencies of target hello
[ 87%] Building CXX object CMakeFiles/hello.dir/src/hello.cpp.o
[ 90%] Linking CXX executable hello
[ 90%] Built target hello
[100%] Built target paho-mqtt3a-static
x86$ ./hello
callback: -1
is connected -1
Segmentation fault (core dumped)
Getting started with Paho Python
py$ python alexd.hivemq.cloud.py
Traceback (most recent call last):
File "alexd.hivemq.cloud.py", line 52, in <module>
client.connect("38065fa2b86143379f23f413f1476a92.s2.eu.hivemq.cloud", 8883)
File "/home/ad/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 914, in connect
return self.reconnect()
File "/home/ad/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 1073, in reconnect
sock.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
For the python example, I was able to run it with the certificate provided or by disabling the check.
HiveMQ Cloud Free & PayG uses Lets Encrypt certificates, those certificates are no longer trusted by some older browsers/devices. If the certificate is not in the Truststore of your MQTT client library You can download the root certificate here: https://letsencrypt.org/certs/isrgrootx1.pem