Bridge to Azure Event Grid Fails with "SSL_internal:certificate verify failed" #3028

Open
MichaelSteurer opened this issue Apr 1, 2024 · 4 comments

@MichaelSteurer

I want to connect a local Mosquitto broker to Azure's Event Grid via bridge but the authentication fails.

I followed the Quickstart Tutorial and I succeeded in connecting via mosquitto_pub:

$ mosquitto_pub \
    -h my.eventgrid.azure.net -p 8883 -i my_username -u my_username \
    --cafile intermediate_ca.crt --cert client1-authn-ID.pem --key client1-authn-ID.key \
    --tls-use-os-certs \
    -t my/topic -m "my_message"

But when I connect via bridge this is what I see in the logs:

...
1711958586: Bridge my_username sending CONNECT
1711958586: OpenSSL Error[0]: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
1711958586: Client local.my_username disconnected: Protocol error.
...

This is my config:

listener 1883
log_type all
connection_messages true

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
password_file /mosquitto/config/passwords.txt

connection azure
address my.eventgrid.azure.net:8883
remote_clientid my_username
remote_username my_username

bridge_cafile /mosquitto/certs/intermediate_ca.crt
bridge_certfile /mosquitto/certs/client1-authn-ID.pem
bridge_keyfile /mosquitto/certs/client1-authn-ID.key

topic my/topic out 0

start_type automatic

I figured out that I can reproduce the error with the mosquitto_pub command by omitting the --tls-use-os-certs. So I guess I need to tell my bridge configuration to use this parameter as well but I couldn't figure out how.
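An added example, not from this thread or from Mosquitto itself, that reproduces the verification behaviour with openssl alone. It builds a constructed root -> intermediate -> leaf chain locally, then checks the leaf with only the intermediate trusted (the equivalent of bridge_cafile intermediate_ca.crt and nothing else) and with the root available from a hashed directory (what --tls-use-os-certs or a capath such as /etc/ssl/certs supplies). All names, subjects and paths are constructed.

```shell
#!/bin/sh
# Constructed chain: root (self-signed) -> intermediate -> leaf for the broker.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper, still aborts on failure (set -e)

q openssl req -x509 -config x.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Constructed Root" -keyout root.key -out root.crt
q openssl req -config x.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate" -keyout inter.key -out inter.csr
q openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile x.cnf -extensions ca_ext -out inter.crt
q openssl req -config x.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=my.eventgrid.azure.net" -keyout leaf.key -out leaf.csr
q openssl x509 -req -days 1 -in leaf.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -extfile x.cnf -extensions leaf_ext -out leaf.crt

# Hashed directory holding only the root, the shape /etc/ssl/certs has for capath.
mkdir capath
ln -s "$WORK/root.crt" "capath/$(openssl x509 -in root.crt -noout -subject_hash).0"

# Only the intermediate is trusted and no default store is loaded (bridge_cafile
# intermediate_ca.crt alone): the chain never reaches a self-signed root, so
# OpenSSL reports "certificate verify failed".
verify_intermediate_only() {
  q openssl verify -no-CAfile -no-CApath -CAfile inter.crt leaf.crt && echo ok || echo fail
}
# Root trusted from the hashed directory; the intermediate is offered as an
# untrusted chain cert, which is what the server sends during the TLS handshake.
verify_with_os_root() {
  q openssl verify -no-CAfile -no-CApath -CApath capath -untrusted inter.crt leaf.crt \
    && echo ok || echo fail
}

echo "intermediate only: $(verify_intermediate_only)"   # fail
echo "root via capath:   $(verify_with_os_root)"        # ok
```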

@MichaelSteurer
Author

There is an option to specify the path where the CA can be found, so I manually set the capath in the config file:

...
bridge_capath /etc/ssl/certs
bridge_certfile /mosquitto/certs/client1-authn-ID.pem
bridge_keyfile /mosquitto/certs/client1-authn-ID.key
...

I'm running it from the official docker image eclipse-mosquitto:2.0.18, so /etc/ssl/certs/ should be fine.

Now I get another error:
OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading

@frank-hulo

Hi Michael, I do have the same issue. So, hope you can give me an answer or I could give one to you soon.

@frank-hulo

frank-hulo commented Apr 8, 2024

Hi Michael, I figured it out, or at least got it working.

$ mosquitto_pub -h my.eventgrid.azure.net -p 8883 -u my_username -i my_username --capath /etc/ssl/certs --cert client1-authn-ID.pem --key client1-authn-ID.key -t my/topic -m "my_message" -q 1

where all of the following are necessary:

--capath /etc/ssl/certs
-q 1
-i my_username

This did the trick for me. I didn't get to send messages from the docker container: I could connect but not send messages. I could send them from WSL.

@rickvargas

Seems to be the same as #2820
