"certificate verify failed" when bridging AWS IoT with a local Mosquitto MQTT broker



I have a Mosquitto MQTT broker on a local Raspberry Pi and it works like a charm. I created an MQTT broker on AWS IoT and it also works fine.

On my Raspberry Pi I can connect, publish and subscribe to the AWS broker "manually" with the mosquitto_pub and mosquitto_sub commands. When I do it manually I use all the certificates and so on. The command I use is:

mosquitto_pub --cafile amazonCA1.pem --cert certificate.cert --key private.key -h XXXXXXXXXXXXXXXXXX.amazonaws.com -p 8883 -q 1 -d -t "iot/test" -m "testing message"

So I think the problem is not with the certificates.

The problem is that when I change the configuration to use "bridge mode", I get the following messages in the Mosquitto log:

1584371971: Connecting bridge (step 1) awsiot (XXXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883)
1584371972: Connecting bridge (step 2) awsiot (XXXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883)
1584371972: Bridge bridgeawsiot sending CONNECT
1584371972: OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
1584371972: Socket error on client local.bridgeawsiot, disconnecting.
1584371977: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic #

This is my mosquitto.conf:

pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
log_type all
#log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
include_dir /etc/mosquitto/conf.d
password_file /etc/mosquitto/passwordfile
allow_anonymous false

This is my /etc/mosquitto/conf.d/bridge.conf:

connection awsiot
address XXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883
# Specifying which topics are bridged
topic # both 1
# Setting protocol version explicitly
bridge_protocol_version mqttv311
bridge_insecure false
# Bridge connection name and MQTT client Id,
# enabling the connection automatically when the broker starts.
cleansession true
clientid bridgeawsiot
start_type automatic
notifications false
log_type all

# =================================================================
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
#Path to the rootCA
bridge_cafile /home/pi/certs/amazonCA1.pem
# Path to the PEM encoded client certificate
bridge_certfile /home/pi/certs/certificate.cert
# Path to the PEM encoded client private key
bridge_keyfile /home/pi/certs/private.key

So, in summary, the problem is: when I connect/publish/subscribe manually, everything works... but when I use the bridge conf file, I get the error:

OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Any suggestions? Is there a problem with using username/password authentication on my local broker (Raspberry Pi) and certificate authentication on AWS??

Thanks

Well, I don't know what I did, I only know that it solved the problem.

At first I did a clean install of Mosquitto on an Ubuntu VM and everything worked.

Then I uninstalled Mosquitto from my Raspberry Pi and installed it again. I configured it the same way I had configured the Ubuntu VM, but still no luck. I was starting to think the problem was my messy image... but after fiddling with the configuration a bit, moving the certificate files from one directory to another, changing their permissions, changing the bridge.conf file directory, etc.... it started working and it is fine now.

So if you run into this problem in the future: it may just be a file or directory permission problem.

EDIT (one day later): when I tried to replicate the same thing on another broker, I did all the same things, but as soon as my local broker established the connection to the AWS IoT bridge, the connection was lost (messages below; no certificate error this time):

1584456917: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic #
1584456917: Connecting bridge (step 1) awsiot (XXXXXXXXXXXXXXX.amazonaws.com:8883)
1584456918: Connecting bridge (step 2) awsiot (XXXXXXXXXXXXXXX.amazonaws.com:8883)
1584456918: Bridge bridgeawsiot sending CONNECT
1584456918: Received CONNACK on connection local.bridgeawsiot.
1584456918: Bridge local.bridgeawsiot sending SUBSCRIBE (Mid: 2, Topic: #, QoS: 0, Options: 0x00)
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Sending PUBLISH to local.bridgeawsiot (d0, q0, r1, m0, 'XXXXX/XXXXX/XXXXX/LWT', ... (6 bytes))
1584456918: Received SUBACK from local.bridgeawsiot
1584456919: Socket error on client local.bridgeawsiot, disconnecting.

I was bridging all topics:

topic # both 1

I think that as soon as I connected to the bridge, many devices published lots of messages and the connection dropped. So after I changed the bridged topic, everything was fine:

topic iot/test both 1

[Another edit: 3 days later] When I used "topic # both 1", I found the reason it was disconnecting: one of my devices sent a message with the RETAIN flag set to TRUE.

The AWS IoT documentation says it does not support RETAIN TRUE, and if any message is sent that way, the AWS IoT broker disconnects the connection.
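Editor's note, added here and not part of the answer above: narrowing the topic only works while no device under the narrowed subtree publishes with RETAIN. Mosquitto has a bridge-level switch for exactly this case, bridge_outgoing_retain, which clears the RETAIN flag on everything the bridge forwards to the remote side; it is documented in mosquitto.conf(5), and the assumption here is that the installed Mosquitto is 1.6 or newer, so check the man page of your version. The fragment below is an added example that re-uses the question's bridge.conf values (endpoint placeholder, client id and certificate paths are the question's own); the bridge_outgoing_retain line is the only change.

```conf
# Added example, not from the original post: the question's bridge.conf with
# the RETAIN flag stripped from everything forwarded to AWS IoT.
connection awsiot
address XXXXXXXXXXXXXXXXXXXX.amazonaws.com:8883
# The wide bridge from the question can stay in place...
topic # both 1
bridge_protocol_version mqttv311
bridge_insecure false
cleansession true
clientid bridgeawsiot
start_type automatic
notifications false

# ...because outgoing messages no longer carry RETAIN, which AWS IoT rejects
# by dropping the connection. Default is true (keep the publisher's flag).
# Assumed available in Mosquitto 1.6 or newer; verify in mosquitto.conf(5).
bridge_outgoing_retain false

bridge_cafile /home/pi/certs/amazonCA1.pem
bridge_certfile /home/pi/certs/certificate.cert
bridge_keyfile /home/pi/certs/private.key
```

Local subscribers still see the retained copies; only the bridge's outgoing publishes lose the flag, so local state is unaffected.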

rootCA.pem was invalid. Following "How to connect mosquitto mqtt broker to aws-iot", they reference AmazonRootCA1.pem for the rootCA.pem file. However, verifying with openssl gives an error:

openssl s_client -connect <endpoint>.iot.us-east-1.amazonaws.com:8443 -CAfile rootCA.pem  -cert cert.crt -key private.key
...
verify error:num=20:unable to get local issuer certificate

There are some hints at "openssl error at Verify return code: 20 (unable to get local issuer certificate)", which emphasize the CA file path.

In another tutorial for configuring the bridge, "Arduino AWS IOT bridge", a different rootCA.pem file is referenced: Public-Primary-Certification-Authority-G5.pem. Finally, trying the openssl s_client command with the new rootCA.pem returns:

verify return:1
