eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker

Home Page:https://mosquitto.org


Bridge to Azure Event Grid Fails with "SSL_internal:certificate verify failed"

MichaelSteurer opened this issue · comments

I want to connect a local Mosquitto broker to Azure's Event Grid via a bridge, but the authentication fails.

I followed the Quickstart Tutorial and succeeded in connecting via mosquitto_pub:

$ mosquitto_pub \
    -h my.eventgrid.azure.net -p 8883 -i my_username -u my_username \
    --cafile intermediate_ca.crt --cert client1-authn-ID.pem --key client1-authn-ID.key \
    --tls-use-os-certs \
    -t my/topic -m "my_message"

But when I connect via bridge this is what I see in the logs:

...
1711958586: Bridge my_username sending CONNECT
1711958586: OpenSSL Error[0]: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
1711958586: Client local.my_username disconnected: Protocol error.
...

This is my config:

listener 1883
log_type all
connection_messages true

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
password_file /mosquitto/config/passwords.txt

connection azure
address my.eventgrid.azure.net:8883
remote_clientid my_username
remote_username my_username

bridge_cafile /mosquitto/certs/intermediate_ca.crt
bridge_certfile /mosquitto/certs/client1-authn-ID.pem
bridge_keyfile /mosquitto/certs/client1-authn-ID.key

topic my/topic out 0

start_type automatic

I figured out that I can reproduce the error with the mosquitto_pub command by omitting --tls-use-os-certs. So I guess I need to tell my bridge configuration to use this parameter as well, but I couldn't figure out how.

There is an option to specify the path where the CA can be found, so I manually set the capath in the config file:

...
bridge_capath /etc/ssl/certs
bridge_certfile /mosquitto/certs/client1-authn-ID.pem
bridge_keyfile /mosquitto/certs/client1-authn-ID.key
...

I'm running it from the official Docker image eclipse-mosquitto:2.0.18, so /etc/ssl/certs/ should be fine.

Now I get another error:
OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
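The bridge only trusts what bridge_cafile or bridge_capath names; mosquitto_pub additionally trusts the OS store when --tls-use-os-certs is given, which is why dropping that flag reproduces the bridge's "certificate verify failed". The following is an added diagnostic (not code from this issue, from Mosquitto or from Azure) that rebuilds the same trust store with Python's ssl module, runs the handshake the bridge would make, and classifies the two OpenSSL log lines seen in the thread. The host name, port and file paths passed on the command line are placeholders; the embedded log lines are constructed from the shapes the broker prints above.

```python
"""Check a Mosquitto bridge's TLS trust configuration outside the broker.

Added diagnostic, not part of Mosquitto. Trust is built the way the
bridge_cafile / bridge_capath options do (only the listed CAs are trusted,
nothing from the OS store unless asked for, which is what --tls-use-os-certs
adds for mosquitto_pub) and the handshake outcome is reported.
"""
import re
import socket
import ssl
import sys

# Constructed sample, copied from the shapes Mosquitto prints in its log.
SAMPLE_LOG = """\
1711958586: Bridge my_username sending CONNECT
1711958586: OpenSSL Error[0]: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
1711958586: Client local.my_username disconnected: Protocol error.
1721216123: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
"""

_OPENSSL_LINE = re.compile(r"OpenSSL Error\[\d+\]: error:([0-9A-Fa-f]+):(.*)$")


def classify_log_line(line):
    """Map one broker log line to (code, category), or None if it is not an OpenSSL error."""
    m = _OPENSSL_LINE.search(line)
    if not m:
        return None
    code, text = m.group(1), m.group(2)
    if "certificate verify failed" in text:
        # The peer's chain did not validate against the CAs this side trusts.
        return code, "verify_failed"
    if "unexpected eof" in text:
        # The peer closed the TCP connection without sending a TLS close_notify.
        return code, "unexpected_eof"
    return code, "other"


def scan_log(text):
    """Return every OpenSSL error found in a chunk of broker log output."""
    return [r for r in (classify_log_line(l) for l in text.splitlines()) if r]


def build_bridge_context(cafile=None, capath=None, use_os_certs=False,
                         certfile=None, keyfile=None):
    """Build a client context that trusts exactly what the bridge options name.

    cafile/capath mirror bridge_cafile/bridge_capath; certfile/keyfile mirror
    bridge_certfile/bridge_keyfile; use_os_certs mirrors mosquitto_pub's
    --tls-use-os-certs (the thread's workaround for the bridge is bridge_capath
    pointed at the OS store).
    """
    # PROTOCOL_TLS_CLIENT: CERT_REQUIRED and hostname checking, but no CAs loaded yet.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    if use_os_certs:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # client certificate for mutual TLS
    return ctx


def trust_summary(ctx):
    """Describe what a context will enforce and how many CA certs it holds."""
    return {"verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname,
            "ca_count": len(ctx.get_ca_certs())}


def probe(host, port, ctx, timeout=5.0):
    """Attempt the handshake the bridge would make; return (status, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return "ok", subject.get("commonName", "")
    except ssl.SSLCertVerificationError as e:
        return "verify_failed", e.verify_message or str(e)
    except ssl.SSLEOFError as e:
        return "unexpected_eof", str(e)
    except ssl.SSLError as e:
        return "tls_error", str(e)
    except OSError as e:
        return "connect_failed", str(e)


if __name__ == "__main__":
    for code, category in scan_log(SAMPLE_LOG):
        print(f"OpenSSL {code}: {category}")
    if len(sys.argv) > 1:
        # usage: python bridge_tls_check.py <host> [port] [cafile]  (placeholders)
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8883
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print("CA file only:     ", probe(host, port, build_bridge_context(cafile=cafile)))
        print("CA file + OS store:", probe(host, port, build_bridge_context(cafile=cafile, use_os_certs=True)))
```

Running it with the host and the same intermediate_ca.crt the bridge uses shows directly whether the CA file alone completes the chain (the bridge's situation) or whether the OS store is needed (mosquitto_pub with --tls-use-os-certs); an "unexpected_eof" result means the remote end dropped the connection rather than rejecting the certificate.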

Hi Michael, I do have the same issue. So, hope you can give me an answer or I could give one to you soon.

Hi Michael, I figured it out, or at least got it working.

$ mosquitto_pub -h my.eventgrid.azure.net -p 8883 -u my_username -i my_username --capath /etc/ssl/certs --cert client1-authn-ID.pem --key client1-authn-ID.key -t my/topic -m "my_message" -q 1

All of these were necessary:

--capath /etc/ssl/certs
-q 1
-i my_username

This did the trick for me. I didn't manage to send messages from the Docker container: I could connect, but not send messages. I could send them from WSL.

Seems to be the same as #2820


Hello everyone,

I have the same error as Michael:

$ mosquitto -v -c misc/mosquitto.conf
1721216122: mosquitto version 2.0.18 starting
1721216122: Config loaded from misc/mosquitto.conf.
1721216122: Starting in local only mode. Connections will only be possible from clients running on this machine.
1721216122: Create a configuration file which defines a listener to allow remote access.
1721216122: For more details see https://mosquitto.org/documentation/authentication-methods/
1721216122: Opening ipv4 listen socket on port 1883.
1721216122: Opening ipv6 listen socket on port 1883.
1721216122: Bridge local.client2-authn-ID doing local SUBSCRIBE on topic #
1721216122: Connecting bridge (step 1) client2-authn-ID (my-hostname.eventgrid.azure.net:8883)
1721216122: mosquitto version 2.0.18 running
1721216122: Connecting bridge (step 2) client2-authn-ID (my-hostname.eventgrid.azure.net:8883)
1721216122: Bridge client2-authn-ID sending CONNECT
1721216123: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
1721216123: Client local.client2-authn-ID closed its connection.
^C1721216125: mosquitto version 2.0.18 terminating

However, mosquitto_pub works after I made the changes to /etc/ssl/openssl.cnf as mentioned here: https://askubuntu.com/a/1406476, but the Mosquitto broker bridge does not work, neither with QoS 0 nor QoS 1.

This looks like an Ubuntu error and more related to OpenSSL than Mosquitto. Anyway, I could get it working with mosquitto_pub, but not with the Mosquitto bridge or MQTTX (for testing purposes). However, on Windows MQTTX works as well.