HiveMQ

Ssl: certificate_verify_failed]

I have been trying to publish and subscribe but i keep on getting this errorssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
And we have been using Hivemq since last week, but today it gives me this error

Hi @TGKunene,

Welcome to the HiveMQ community forum.
Would you mind telling what HiveMQ product you are using exactly?

Thanks,
Florian

What do you mean by product? because we are using the free version

Hi @TGKunene,

Thank you for the response. This means you are using HiveMQ Cloud free (there is also HiveMQ Community Edition, Professional Edition and Enterprise Edition)
HiveMQ Cloud free uses lets encrypt certificates, those certificates are no longer trusted by some older browsers/devices.
See this post

If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.

In short: You need to make sure to update your devices trust store so that it trusts the LetsEncrypt certificate used by HiveMQ Cloud again.

Kind regards,
Florian

Hi @fraschbi

I’ve the same issue with HiveMQ.Cloud (Free version). tested on Windows 10 with MQTT Explorer (last version) it cannot connect if “Validate Certificate” is checked.
A client on a Windows Server is not able to connect to.
Android Application (Xamarin tech stack) on Android 11 seems to have the same issue.
Is the certificate used currently on the HiveMQ Cloud could still be one that use the former root cert?

Hi @smartskills,

  • Here are the current certificates for LetsEncrypt
  • Update from LetsEncrypt
  • Deep Dive on the topic

What you can also always do is follow our instructions on creating CA file in the FAQ post.

Kind regards,
Florian

Hi all,

In case it help others,

MQTT Explorer use electron and has an issue with the certificate expiration: [Bug]: Let's Encrypt root CA isn't working properly · Issue #31212 · electron/electron · GitHub

And For Xamarin Apps it’s related to Mono:

Solution I’ve applied temporarly to have my android-Xamarin-Mono client working is to change settings of each client:

  • Go to “Settings > Security > Encryption & credentials” > Trusted credentials"
  • Scroll down and disable “Digital Signature Trust Co. - DST Root CA X3”

waiting a long term solution.

1 Like