Currently, I am working on a MQTT test project. So I have set up a Mosquitto MQTT broker that must work with TLS. The Problem is, that I cant establish a connection through the PAHO MQTT client using a secure TLS connection, because I use self-signed certificates.

To enable TLS, I used openssl and followed these steps:

1. Generate a fake CAs signing key: $ openssl genrsa -des3 -out ca.key 2048

2. Generate a certificate signing request for the fake CA: $ openssl req -new -key ca.key -out ca.csr -sha256

3. Create the fake CA’s root certificate: $ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365 -sha256

4. Create the server / mqtt broker’s keypair: $ openssl genrsa -out server.key 2048

5. Create a certificate signing request using the server key to send to the fake CA for identity verification: $ openssl req -new -key server.key -out server.csr -sha256

   • I set the common name to the specific ip of my Broker.

6. Now acting as the fake CA, I received the server’s request for my signature. I have verified the server is who it says it is (an MQTT broker operating on a specific ip), so I created a new certificate & signed it with all the power of my fake authority: $ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

After I created the server certificate and key, I placed these files in the respective folders and configured Mosquitto to use these to enable TLS. To do so, I modified the default.conf:

listener 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

require_certificate true

password_file /etc/mosquitto/passwd

Now I wrote a python script with the help of the paho mqtt library to create a mqtt subscriber client. To enable a two way secure connection I also generated a certificate for the client with these three commands:

1. Create a key pair for the client: openssl genrsa -out client.key 2048
2. Create a certificate signing request using the client key to send to the fake CA for identity verification: openssl req -new -out client.csr -key client.key
3. Acting as the fake CA: openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360

My python code uses the CA certificate (ca.crt), Client certificate (client.crt) and the Key of the client (client.key) in the TLS setup of the paho mqtt library. The code looks like this:

import paho.mqtt.client as mqtt
import ssl

def on_message(client, userdata, msg):
    print(f"Received message '{msg.payload.decode()}' on topic '{msg.topic}'")

def on_connect(client, userdata, flags, rc):
    if rc == 0:
        print("Connected to MQTT Broker!")
        client.subscribe("test")
    else:
        print(f"Failed to connect, return code {rc}n")

client = mqtt.Client()

client.on_connect = on_connect
client.on_message = on_message

username = "x"
password = "x"
client.username_pw_set(username, password)

client.tls_set(ca_certs="certs/ca.crt",
               certfile="certs/client.crt",
               keyfile="certs/client.key",
               tls_version=ssl.PROTOCOL_TLSv1_2)

client.tls_insecure_set(False)  # Ensure this is False for security


broker_address = 'my_ip'  
port = 8883 
client.connect(broker_address, port)

client.loop_forever()

Note that I execute this python script on a different computer and copied the certificates and the client key to this machine. I also tried the general functionality of the MQTT Broker by using the connection without TLS beforehand. That worked just fine.

However, if I want to execute the python script (with TLS) to subscribe to a topic I get the following:

mqtt_sub.py:17: DeprecationWarning: Callback API version 1 is deprecated, update to latest version
  client = mqtt.Client()
Traceback (most recent call last):
  File "mqtt_sub.py", line 39, in <module>
    client.connect(broker_address, port)
  File "/home/lutz/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 1435, in connect
    return self.reconnect()
  File "/home/lutz/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 1598, in reconnect
    self._sock = self._create_socket()
  File "/home/lutz/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 4612, in _create_socket
    sock = self._ssl_wrap_socket(sock)
  File "/home/lutz/.local/lib/python3.8/site-packages/paho/mqtt/client.py", line 4671, in _ssl_wrap_socket
    ssl_sock.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1338, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1145)

So my question is, how can I get the paho mqtt library to work with a self-signed certificate, or are there different solutions I can use to achieve a secured mqtt communication?