Hello there, it's me again.
Currently a bit stuck with the MQTT client to OpenRemote broker part.
Getting this when connecting:
openremote-proxy-1 | 95.90.235.243:2209 [20/Jun/2023:09:42:46.386] mqtt/1: SSL handshake failure
The OpenRemote instance has a valid LetsEncrypt certificate.
But I am not sure what I need to provide for the mqtt client to connect successfully.
From: Tutorial: Connect your MQTT Client · openremote/openremote Wiki · GitHub
I have an Asset:
The Service Account:
Which is provided in the mqtt client with username
=> master:7Ex08DCLmRYlFyah7gL0sx
and password the redacted secret from the screenshot.
What ca_certs do I need to provide the MQTT client with? The LetsEncrypt CA? Bit confused here.
Denis
June 20, 2023, 11:13am
Depends on: what kind of client are you using? Is HAProxy really serving your cert, or is it falling back to the demo cert?
Self-coded Python paho MQTT client.
And I am already connecting to my own mqtt broker with client/cert auth.
Good question! Will have a look at that.
The https:// web call is returning the valid LetsEncrypt cert.
Looks like the default haproxy.cfg is being used.
From my docker-compose.yaml file:

```yaml
proxy:
  image: openremote/proxy:${PROXY_VERSION:-latest}
  restart: always
  depends_on:
    manager:
      condition: service_healthy
  ports:
    - "80:80"
    - "${OR_SSL_PORT:-443}:443"
    - "8883:8883"
  volumes:
    - proxy-data:/deployment
  environment:
    LE_EMAIL: ${OR_EMAIL_ADMIN:-}
    DOMAINNAME: ${OR_HOSTNAME:-localhost}
    DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
    # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
    #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'
```
Maybe I should add this as a little explanation.
I wish to publish messages to OpenRemote from my Python MQTT Client.
The Python MQTT Client has knowledge about the asset and service user for the asset.
Which SSL protocol is OpenRemote using?
My Python client does the following:
tls_version specifies the version of the SSL/TLS protocol to be used. By default (if the Python version supports it) the highest TLS version is detected. If unavailable, TLS v1.2 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.
The TLS protocol version does not seem to be the issue.
Appending to that:
If I use tls_set_context I get this log:
openremote-proxy-1 | 20/Jun/2023:13:21:12 +0000 mqtt~ CLIENT=95.90.235.243:2149 BACKEND=172.18.0.4:48428 -- 8/1/1/1/0 0/0
openremote-keycloak-1 | 2023-06-20 15:21:12,724 WARN [org.keycloak.events] (executor-thread-20) type=CLIENT_LOGIN_ERROR, realmId=93e7505d-2fc0-4b25-913c-a771ddaa0714, clientId=7Ex08DCLmRYlFyah7gL0sx, userId=null, ipAddress=172.18.0.5, error=invalid_client_credentials, grant_type=client_credentials
openremote-manager-1 | 2023-06-20 15:21:12.725 WARN [Thread-3 (ActiveMQ-serve..774)] TenantClientCredentialsGrantsLoginModule : Login failed.Invalid status: 400, OAuth2 error. Error: invalid_client, Error description: Invalid client credentials
openremote-manager-1 | 2023-06-20 15:21:12.727 WARN [Thread-3 (ActiveMQ-serve..774)] org.apache.activemq.artemis.core.server : AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.18.0.4:48428. Username: master:7Ex08DCLmRYlFyah7gL0sx; SSL certificate subject DN: unavailable
Well this is at least a bit more.
But the CLIENT_LOGIN_ERROR is odd, since the username and password are correct.
The realm is also just the default master.
Denis
June 20, 2023, 2:01pm
Do you have your own ssl-cert.pem placed in /deployment/certs/?
Also, you can post the log:
docker logs openremote_proxy_1
docker exec -ti cdbc225d2b61 /bin/sh
/var/lib/haproxy # ls -lah /deployment/certs/
-rw-r--r-- 1 root root 5.6K Jun 19 05:17 /deployment/certs/openremote.ready2plugin.dev
openremote_proxy.log (1.4 MB)
Ehh, no need to hide the domain.
Denis
June 20, 2023, 2:05pm
Ah, you still use it at localhost? OK, paho checks the SSL cert; if you have a self-signed cert, it won't work.
Sorry for the confusion, I understood if I placed a custom SSL/TLS Cert.
There is the LetsEncrypt cert there.
Denis
June 20, 2023, 2:10pm
You could try in your py code:
client.tls_set(cert_reqs=ssl.CERT_NONE)
Then it connects even with an untrusted cert.
Denis:
cert_reqs=ssl.CERT_NONE
Same error.
openremote-proxy-1 | 20/Jun/2023:14:11:40 +0000 mqtt~ CLIENT=95.90.235.243:2163 BACKEND=172.18.0.4:59732 -- 3/1/1/1/0 0/0
openremote-keycloak-1 | 2023-06-20 16:11:40,191 WARN [org.keycloak.events] (executor-thread-25) type=CLIENT_LOGIN_ERROR, realmId=93e7505d-2fc0-4b25-913c-a771ddaa0714, clientId=7Ex08DCLmRYlFyah7gL0sx, userId=null, ipAddress=172.18.0.5, error=invalid_client_credentials, grant_type=client_credentials
openremote-manager-1 | 2023-06-20 16:11:40.192 WARN [Thread-3 (ActiveMQ-serve..774)] TenantClientCredentialsGrantsLoginModule : Login failed.Invalid status: 400, OAuth2 error. Error: invalid_client, Error description: Invalid client credentials
openremote-manager-1 | 2023-06-20 16:11:40.193 WARN [Thread-3 (ActiveMQ-serve..774)] org.apache.activemq.artemis.core.server : AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /172.18.0.4:59732. Username: master:7Ex08DCLmRYlFyah7gL0sx; SSL certificate subject DN: unavailable
Since it's for testing and all, here are the credentials:
host: openremote.ready2plugin.dev
port: 8883
User: master:7ex08dclmrylfyah7gl0sx
Password: V684sfcK7Nscf2CWUpnU30uNz79P7z0F
I will invalidate them later, since it's only for testing anyway.
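The two failures posted above are at different layers: the first one (SSL handshake failure at the proxy) is the client refusing the certificate, the second one (CLIENT_LOGIN_ERROR in Keycloak) is a finished handshake followed by rejected credentials. The following is an added example, not code from this thread or from the OpenRemote project, that puts the paho TLS settings side by side (a verifying context versus the CERT_NONE workaround suggested earlier), checks the realm:clientId username shape, and sorts log lines like the ones quoted above into the layer to look at first. It assumes the broker is reached over TLS on port 8883 through the OpenRemote proxy, that paho-mqtt may or may not be installed (it is imported lazily), and the sample log lines are shortened copies of the ones posted in the thread.

```python
"""Added example, not code from the thread or from the OpenRemote project.

Assumed: the broker is reached over TLS on port 8883 through the OpenRemote
proxy, service users log in as "<realm>:<clientId>" with the client secret as
password, and paho-mqtt may be absent (it is imported only where needed).
"""
import re
import socket
import ssl
from typing import Iterable, Optional, Tuple


def make_tls_context(insecure: bool = False, ca_certs: Optional[str] = None) -> ssl.SSLContext:
    """Build the SSLContext to hand to paho's client.tls_set_context().

    Default (insecure=False): TLS 1.2+, certificate verification and hostname
    check on, trust taken from the OS store. That store already holds ISRG
    Root X1, so a Let's Encrypt chain needs no ca_certs; pass ca_certs only
    for a private CA (then only that CA is trusted).
    insecure=True reproduces the cert_reqs=ssl.CERT_NONE workaround from the
    thread: it accepts any certificate, including one from whoever sits
    between the client and port 8883. Use it to prove the trust store is the
    problem, not as a fix.
    """
    ctx = ssl.create_default_context(cafile=ca_certs)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if insecure:
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_settings(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will enforce, so it can be checked before connecting."""
    return {
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


SERVICE_USER_RE = re.compile(r"^(?P<realm>[^:\s]+):(?P<client_id>[^:\s]+)$")


def split_service_user(username: str) -> Tuple[str, str]:
    """Validate an OpenRemote service-user name of the form realm:clientId.

    Keycloak looks the part after the colon up as an OAuth2 client ID by exact
    string match, so a wrong realm, a stray space or a case change all end in
    CLIENT_LOGIN_ERROR / invalid_client_credentials.
    """
    m = SERVICE_USER_RE.match(username)
    if not m:
        raise ValueError(f"expected realm:clientId, got {username!r}")
    return m.group("realm"), m.group("client_id")


def classify_log_line(line: str) -> str:
    """Map one proxy/Keycloak/manager log line to the layer that rejected the client."""
    if "SSL handshake failure" in line:
        return "tls"     # HAProxy never saw a finished handshake: client trust/TLS settings
    if "invalid_client_credentials" in line or "Invalid client credentials" in line:
        return "auth"    # handshake was fine; Keycloak rejected clientId/secret
    if "AMQ229031" in line:
        return "auth"    # Artemis reporting the same rejection
    return "other"


def triage(lines: Iterable[str]) -> str:
    """Reduce a burst of log lines to the single layer to look at first."""
    layers = {classify_log_line(line) for line in lines}
    if "tls" in layers:
        return "tls"
    if "auth" in layers:
        return "auth"
    return "none"


# Constructed sample input: shortened copies of the lines quoted in the thread.
HANDSHAKE_LOG = [
    "openremote-proxy-1 | 95.90.235.243:2209 [20/Jun/2023:09:42:46.386] mqtt/1: SSL handshake failure",
]
AUTH_LOG = [
    "openremote-proxy-1 | 20/Jun/2023:14:11:40 +0000 mqtt~ CLIENT=95.90.235.243:2163 BACKEND=172.18.0.4:59732 -- 3/1/1/1/0 0/0",
    "openremote-keycloak-1 | WARN [org.keycloak.events] type=CLIENT_LOGIN_ERROR, clientId=7Ex08DCLmRYlFyah7gL0sx, error=invalid_client_credentials, grant_type=client_credentials",
    "openremote-manager-1 | WARN org.apache.activemq.artemis.core.server : AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user",
]


def check_served_cert(host: str, port: int = 8883, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and report who issued the cert the proxy serves.

    Answers "is HAProxy serving the Let's Encrypt cert or a fallback?": an
    ssl.SSLCertVerificationError raised here is exactly what paho would hit.
    Makes a network connection, so it is not exercised offline.
    """
    ctx = make_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
    }


def build_paho_client(username: str, secret: str, insecure: bool = False):
    """Wire the helpers into paho-mqtt (assumes paho-mqtt is installed)."""
    import paho.mqtt.client as mqtt
    realm, client_id = split_service_user(username)
    client = mqtt.Client(client_id=f"{realm}-{client_id}-example")
    client.username_pw_set(username, secret)
    client.tls_set_context(make_tls_context(insecure=insecure))
    return client


if __name__ == "__main__":
    print(triage(HANDSHAKE_LOG), triage(AUTH_LOG))
    print(tls_settings(make_tls_context()))
```

If check_served_cert(host) succeeds and shows a Let's Encrypt issuer, a handshake failure on the same host is a client-side trust problem (old certifi bundle, private CA passed as ca_certs, or a client certificate the proxy does not expect); if it raises SSLCertVerificationError, the proxy is not serving the certificate you think it is, and CERT_NONE only hides that.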
Rich
June 20, 2023, 2:21pm
That username looks incorrect to me, as it looks like a user ID rather than a username:
Use whatever is shown in the manager users page.
Service users in Keycloak are actually a special type of client, which probably explains why your Keycloak log says client not found.
BrutalBirdie:
The Service Account:
That is the username; I know it looks odd.
The user ID is 560c6e0d-a66e-43c2-a18a-7cdd5a00d925 for this user.
Denis
June 20, 2023, 2:24pm
@Rich The username is correct, I can connect.
Do you have any cert files attached to your paho script?
client.tls_set(ca_certs="path/zertifikat.crt", certfile="path/zertifikat.pem", keyfile="path/privaten/schlussel.pem")
I had similar problems; I don't remember anymore how I solved this…
No I don’t.
orClient = mqtt.MqttConnector(mqtt_id='master:7Ex08DCLmRYlFyah7gL0sx', mqtt_password='V684sfcK7Nscf2CWUpnU30uNz79P7z0F', config_file="or-client.ini")
getLogger(__name__).debug(f"{orClient.mqtt_id} {orClient.mqtt_password}")
orClient.client.tls_set()
Just because I am getting frustrated, I installed MQTT Browser and . . . look at this:
Without "Validate certificate" it works o.O
Denis
June 20, 2023, 2:33pm
I have the same problem with my broker and MQTT Explorer too… don't know why.
By the way, leave me your tip jar somewhere so I can pay for a coffee / beer, whatever you like more.
Denis
June 20, 2023, 2:37pm
All good, we'll do that when you're in Frankfurt some time or I'm in Berlin.