Python MQTT Client to OpenRemote - mqtt/1: SSL handshake failure

Hello There :wave: it’s me again.

Currently a bit stuck with the mqtt client to OpenRemote Broker part.

Getting this when connecting:

openremote-proxy-1       | 95.90.235.243:2209 [20/Jun/2023:09:42:46.386] mqtt/1: SSL handshake failure

The OpenRemote instance has a valid LetsEncrypt certificate.
But I am not sure what I need to provide for the mqtt client to connect successfully.

From: Tutorial: Connect your MQTT Client · openremote/openremote Wiki · GitHub
I have an Asset:

The Service Account:

Which is provided in the mqtt client with username => master:7Ex08DCLmRYlFyah7gL0sx and password the redacted secret from the screenshot.

What ca_certs do I need to provide the mqtt client with? The LetsEncrypt ca? Bit confused here.

Depends on: What kind of client are you using? Is HAProxy really serving your cert, or is it falling back to the demo cert?

Self coded python paho mqtt client.
And I am already connecting to my own mqtt broker with client/cert auth.

Good question! Will have a look at that.
The https:// web call is returning the valid LetsEncrypt cert.

Looks like the default haproxy.cfg is being used.
From my docker-compose.yaml file:

    proxy:
      image: openremote/proxy:${PROXY_VERSION:-latest}
      restart: always
      depends_on:
        manager:
          condition: service_healthy
      ports:
        - "80:80"
        - "${OR_SSL_PORT:-443}:443"
        - "8883:8883"
      volumes:
        - proxy-data:/deployment
      environment:
        LE_EMAIL: ${OR_EMAIL_ADMIN:-}
        DOMAINNAME: ${OR_HOSTNAME:-localhost}
        DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
        # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
        #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

Maybe I should add this as a little explanation.
I wish to publish messages to OpenRemote from my Python MQTT Client.
The Python MQTT Client has knowledge about the asset and service user for the asset.


Which SSL protocol is OpenRemote using?
My Python client does the following:

tls_version

    specifies the version of the SSL/TLS protocol to be used. By default (if the python version supports it) the highest TLS version is detected. If unavailable, TLS v1.2 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.

The TLS protocol version does not seem to be the issue.

Appending to that:
If I use tls_set_context I get this log:

openremote-proxy-1       | 20/Jun/2023:13:21:12 +0000 mqtt~ CLIENT=95.90.235.243:2149 BACKEND=172.18.0.4:48428 -- 8/1/1/1/0 0/0
openremote-keycloak-1    | 2023-06-20 15:21:12,724 WARN  [org.keycloak.events] (executor-thread-20) type=CLIENT_LOGIN_ERROR, realmId=93e7505d-2fc0-4b25-913c-a771ddaa0714, clientId=7Ex08DCLmRYlFyah7gL0sx, userId=null, ipAddress=172.18.0.5, error=invalid_client_credentials, grant_type=client_credentials
openremote-manager-1     | 2023-06-20 15:21:12.725  WARN    [Thread-3 (ActiveMQ-serve..774)] TenantClientCredentialsGrantsLoginModule : Login failed.Invalid status: 400, OAuth2 error. Error: invalid_client, Error description: Invalid client credentials
openremote-manager-1     | 2023-06-20 15:21:12.727  WARN    [Thread-3 (ActiveMQ-serve..774)] org.apache.activemq.artemis.core.server  : AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.18.0.4:48428. Username: master:7Ex08DCLmRYlFyah7gL0sx; SSL certificate subject DN: unavailable

Well this is at least a bit more.
But the CLIENT_LOGIN_ERROR is odd, since the username and password are correct.
The realm is also just the default master.

Do you have your own ssl-cert.pem placed in /deployment/certs/?

Also, you can post the log:
docker logs openremote_proxy_1

docker exec -ti cdbc225d2b61 /bin/sh
/var/lib/haproxy # ls -lah /deployment/certs/
-rw-r--r--    1 root     root        5.6K Jun 19 05:17 /deployment/certs/openremote.ready2plugin.dev

openremote_proxy.log (1.4 MB)

Ehh, no need to hide the domain :roll_eyes:

Ah, you still use it at localhost? OK, paho checks the SSL cert; if you have a self-signed cert, it won't work.

Sorry for the confusion, I understood if I placed a custom SSL/TLS Cert.
There is the LetsEncrypt cert there.

You could try in your py code:

client.tls_set(cert_reqs=ssl.CERT_NONE)

Then it connects even with an untrusted cert.


Same error.

openremote-proxy-1       | 20/Jun/2023:14:11:40 +0000 mqtt~ CLIENT=95.90.235.243:2163 BACKEND=172.18.0.4:59732 -- 3/1/1/1/0 0/0
openremote-keycloak-1    | 2023-06-20 16:11:40,191 WARN  [org.keycloak.events] (executor-thread-25) type=CLIENT_LOGIN_ERROR, realmId=93e7505d-2fc0-4b25-913c-a771ddaa0714, clientId=7Ex08DCLmRYlFyah7gL0sx, userId=null, ipAddress=172.18.0.5, error=invalid_client_credentials, grant_type=client_credentials
openremote-manager-1     | 2023-06-20 16:11:40.192  WARN    [Thread-3 (ActiveMQ-serve..774)] TenantClientCredentialsGrantsLoginModule : Login failed.Invalid status: 400, OAuth2 error. Error: invalid_client, Error description: Invalid client credentials
openremote-manager-1     | 2023-06-20 16:11:40.193  WARN    [Thread-3 (ActiveMQ-serve..774)] org.apache.activemq.artemis.core.server  : AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.18.0.4:59732. Username: master:7Ex08DCLmRYlFyah7gL0sx; SSL certificate subject DN: unavailable

Since it's for testing and all.
Here are the credentials.

host: openremote.ready2plugin.dev
port: 8883
User: master:7ex08dclmrylfyah7gl0sx
Password: V684sfcK7Nscf2CWUpnU30uNz79P7z0F

I will invalidate them later, since it's only for testing anyway.

That username looks incorrect to me as it looks like a user ID rather than username:

Use whatever is shown in the manager users page.

Service users in Keycloak are actually a special type of client, which probably explains why your Keycloak log says client not found.

That is the Username :smiley: I know it looks odd.
The userid is 560c6e0d-a66e-43c2-a18a-7cdd5a00d925 for this user.

@Rich Username is correct, I can connect.

Did you have cert files attached to your paho script?
    client.tls_set(ca_certs="path/zertifikat.crt", certfile="path/zertifikat.pem", keyfile="path/privaten/schlussel.pem")

I had similar problems; I don't know anymore how I solved this…

No I don’t.

    orClient = mqtt.MqttConnector(mqtt_id='master:7Ex08DCLmRYlFyah7gL0sx', mqtt_password='V684sfcK7Nscf2CWUpnU30uNz79P7z0F', config_file="or-client.ini")
    getLogger(__name__).debug(f"{orClient.mqtt_id} {orClient.mqtt_password}")
    orClient.client.tls_set()

Just because I am getting frustrated, I just installed MQTT Browser
and… look at this:

Without the Validate certificate it works o.O
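As an added example (not code from this thread or from OpenRemote), a paho-mqtt TLS setup that keeps certificate verification on: a Let's Encrypt chain is already in the OS trust store, so no ca_certs is normally needed, and tls_set(cert_reqs=ssl.CERT_NONE) from the suggestion above belongs to a debugging step only. The connect_openremote helper and its use of paho-mqtt are assumptions; the other helpers are stdlib only, and classify_broker_error triages the two kinds of log lines seen in this thread.

```python
import ssl

MQTT_TLS_PORT = 8883  # port the OpenRemote proxy exposes for MQTT over TLS


def build_mqtt_tls_context(ca_certs=None, insecure=False):
    """Build an ssl.SSLContext for paho's client.tls_set_context().

    ca_certs: optional PEM bundle. Leave it None for a Let's Encrypt
    certificate: the chain is already in the OS trust store.
    insecure: skip verification (debugging only). This is what
    client.tls_set(cert_reqs=ssl.CERT_NONE) does; the session is then
    open to an active man-in-the-middle.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_certs)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if insecure:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Summarise what a context enforces, worth logging before connecting."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


def classify_broker_error(log_line):
    """Separate a TLS-layer failure from an authentication failure.

    Both appear in the proxy/manager logs in this thread and need
    different fixes (trust store vs. service-user credentials).
    """
    if "SSL handshake failure" in log_line:
        return "tls"
    if "invalid_client_credentials" in log_line or "Invalid client credentials" in log_line:
        return "auth"
    return "other"


def connect_openremote(host, username, password, ctx):
    """Connect a paho client with the prepared context (assumes paho-mqtt is installed)."""
    import paho.mqtt.client as mqtt  # imported here so the helpers above stay stdlib-only

    client = mqtt.Client()
    client.username_pw_set(username, password)  # service user as "realm:clientId"
    client.tls_set_context(ctx)
    client.connect(host, MQTT_TLS_PORT)
    return client
```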

I have the same problem with my broker and MQTT Explorer too… dunno why.

Btw, leave me your tip jar somewhere so I can pay for a coffee / beer, whatever you like more :wink:

All good, we'll do that when you're in Frankfurt sometime or I'm in Berlin :wink:
