Core: MQTT: CloudMQTT certificate verify failed

Created on 29 Jun 2016 · 9 Comments · Source: home-assistant/core

Home Assistant release (hass --version):
0.22.1 on AiO installer on Pi3 running Raspbian Jessie.

Python release (python3 --version):
3.4.2

Component/platform:
MQTT using CloudMQTT as a broker.

Description of problem:
hass cannot connect to CloudMQTT over the SSL port.

Expected:
For hass to connect to MQTT over SSL port.

Problem-relevant configuration.yaml entries and steps to reproduce:
All values pulled from https://api.cloudmqtt.com/sso/cloudmqtt/websocket

mqtt:
  broker: m*.cloudmqtt.com
  port: 2000-range
  username: <user with # ACL set>
  password: <pass>

Traceback (if applicable):

Jun 29 09:57:35 LennyR3-Hass hass[2365]: ERROR:homeassistant.components.mqtt:Can't connect to the broker. Please check your settings and the broker itself.
Jun 29 09:57:35 LennyR3-Hass hass[2365]: Traceback (most recent call last):
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/mqtt/__init__.py", line 238, in setup
Jun 29 09:57:35 LennyR3-Hass hass[2365]: client_cert, tls_insecure, protocol)
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/mqtt/__init__.py", line 324, in __init__
Jun 29 09:57:35 LennyR3-Hass hass[2365]: self._mqttc.connect(broker, port, keepalive)
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/home/hass/.homeassistant/deps/paho/mqtt/client.py", line 612, in connect
Jun 29 09:57:35 LennyR3-Hass hass[2365]: return self.reconnect()
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/home/hass/.homeassistant/deps/paho/mqtt/client.py", line 747, in reconnect
Jun 29 09:57:35 LennyR3-Hass hass[2365]: ciphers=self._tls_ciphers)
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/usr/lib/python3.4/ssl.py", line 887, in wrap_socket
Jun 29 09:57:35 LennyR3-Hass hass[2365]: ciphers=ciphers)
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/usr/lib/python3.4/ssl.py", line 577, in __init__
Jun 29 09:57:35 LennyR3-Hass hass[2365]: self.do_handshake()
Jun 29 09:57:35 LennyR3-Hass hass[2365]: File "/usr/lib/python3.4/ssl.py", line 804, in do_handshake
Jun 29 09:57:35 LennyR3-Hass hass[2365]: self._sslobj.do_handshake()
Jun 29 09:57:35 LennyR3-Hass hass[2365]: ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
Jun 29 09:57:35 LennyR3-Hass hass[2365]: ERROR:homeassistant.bootstrap:component mqtt failed to initialize

Additional info:
Per the documentation,

Home Assistant will automatically load the correct certificate if you connect to an encrypted channel of CloudMQTT (port range 20 000 - 30 000).

This doesn't happen in my case. The broker works perfectly on the non-SSL port (10,000 range), so I know that all other settings are valid.

All 9 comments

Similar issue: https://community.home-assistant.io/t/help-setting-up-cloudmqtt/1219

Works for me on Fedora 23.

mqtt:
  broker: m16.cloudmqtt.com
  port: 25897
  username: ha
  password: hapassword

Perhaps Jessie is missing the CA root files.

the certificate is included with HA. Maybe it's out of date?

On Wed, Jun 29, 2016, 09:01 Fabian Affolter wrote:

Similar issue:
https://community.home-assistant.io/t/help-setting-up-cloudmqtt/1219

Works for me on Fedora 23.

mqtt:
# embedded:
# broker: 127.0.0.1
# protocol: 3.1.1
# broker: 10.100.0.32
# discovery_topic: "home/discovery"
  broker: m16.cloudmqtt.com
  port: 25897
  username: ha
  password: hapassword

Perhaps Jessie is missing the CA root files.

How should I go about checking or troubleshooting this?

Per CloudMQTT's documentation:

Our server cert is signed by Comodo, which has the AddTrust CA as root. Most OSs comes with it by default, so can you point to your default trust/CA store. (example: --cafile=/etc/ssl/certs/ca-certificates.crt)

Can confirm that I have a ca-certificates.crt file, can also confirm that manually specifying that file in the yaml doesn't solve the problem.

Hello everyone,

I have 2 questions:
1 - config YAML and spaces with Windows names:
I have HA running under Win10, do I need to add/enclose code with ("C:\path with spaces") to paths with spaces?
The path to my HA is C:/users/My Name/AppData.... (notice the space between My and Name..."My Name", which I think is breaking something on my HA config!)

2 - My Win10 HA won't connect to the Pi mqtt.
I have a private mqtt setup on my Pi-running jessie and node red (A) and HA running on a different Windows10 computer (B):
I have mqtt setup on (A):
1.2.3.4 port 8883... everything seems to work. Like owntracks connect to example.com:8883 with TLS certificate, tested from my cell, outside my network. Self signed cert using:
'https://github.com/owntracks/tools/tree/master/TLS'

I created users for each device and assigned passwords using (with -c for the first user, without for every other after):
'sudo mosquitto_passwd -c /etc/mosquitto/passwd user1'

I have sensor mqtt setup on HA (B):
mqtt:
  broker: example.com
  port: 8883
  client_id: HA-1
  keepalive: 60
  username: user1
  password: passwd
  certificate: "C:/Users/name with spaces/AppData/Roaming/.homeassistant/certs/ssl.crt"
  client_key: "C:/Users/name with spaces/AppData/Roaming/.homeassistant/certs/ssl.key"
  client_cert: "C:/Users/name with spaces/AppData/Roaming/.homeassistant/certs/ssl.crt"  # note the " at the beginning and end - I have tried with and without
  protocol: 3.1  # because of an "issue with mosquito", as per HA info

With certificates exported from computer A, the self signed that works with owntrack!

Does it look about right? It does to me; however, HA fails to connect.
With error shown below: ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

error log:
16-07-05 10:06:44 homeassistant.components.mqtt: Can't connect to the broker. Please check your settings and the broker itself.
Traceback (most recent call last):
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\site-packages\homeassistant\components\mqtt\__init__.py", line 238, in setup
client_cert, tls_insecure, protocol)
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\site-packages\homeassistant\components\mqtt\__init__.py", line 324, in __init__
self._mqttc.connect(broker, port, keepalive)
File "C:\Usersname with spaces\AppData\Roaming\.homeassistant\deps\paho\mqtt\client.py", line 612, in connect
return self.reconnect()
File "C:\Usersname with spaces\AppData\Roaming\.homeassistant\deps\paho\mqtt\client.py", line 747, in reconnect
ciphers=self._tls_ciphers)
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\ssl.py", line 1064, in wrap_socket
ciphers=ciphers)
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\ssl.py", line 747, in __init__
self.do_handshake()
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\ssl.py", line 983, in do_handshake
self._sslobj.do_handshake()
File "C:\Usersname with spaces\AppData\Local\Programs\Python\Python35\lib\ssl.py", line 628, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
16-07-05 10:06:44 homeassistant.bootstrap: component mqtt failed to initialize

I'm running into this too. ~~It looks like there's a thread on the forums too: https://community.home-assistant.io/t/help-setting-up-cloudmqtt/1219/8~~

_Home Assistant release (hass --version):_

0.25.0 on Pi3 running Raspbian Jessie.

_Python release (python3 --version):_

Python 3.4.2

_edit: added hass and python versions, and crossed out reference to forums already mentioned_

@aelg305, the
[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
error is the fault of mosquitto being too old. I just experienced it yesterday and did an extensive investigation on my Pi 3, even compiled Python 3.5.2 just to check, but the fault was the MQTT broker being too old. Just fetch the most recent version of whatever you're using.

If you're on a Pi, the Raspbian repositories are just a bit outdated, but there's a nice guide out there to add apt-get sources to fetch the current version.

Also, protocol should be 3.1.1, not 3.1. The "issue" only exists with HASS's integrated MQTT broker.
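
A probe that separates the two failures reported in this thread, CERTIFICATE_VERIFY_FAILED and TLSV1_ALERT_PROTOCOL_VERSION, by the stage at which the connection breaks. It is an added example, not part of any comment above and not Home Assistant or paho code; the function names are made up for illustration, and it assumes Python 3.7+ for `ssl.SSLCertVerificationError`.

```python
import socket
import ssl
import sys


def probe_broker_tls(host, port, cafile=None, timeout=5.0):
    """Try one verified TLS handshake and report the stage that failed.

    cafile=None uses the platform trust store; a path restricts trust to
    that PEM bundle only, so two bundles can be compared.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"ok": True, "stage": "done", "tls": tls.version(),
                        "issuer": issuer.get("commonName")}
    except ssl.SSLCertVerificationError as exc:
        # CERTIFICATE_VERIFY_FAILED: chain or hostname rejected by this store.
        return {"ok": False, "stage": "verify", "reason": exc.verify_message}
    except ssl.SSLError as exc:
        # Failure before the certificate was judged, such as the
        # TLSV1_ALERT_PROTOCOL_VERSION alert (no shared protocol version).
        return {"ok": False, "stage": "handshake",
                "reason": exc.reason or str(exc)}
    except OSError as exc:
        # Refused, timed out or unresolved: not a TLS problem at all.
        return {"ok": False, "stage": "tcp", "reason": str(exc)}


def compare_trust_stores(host, port, bundles, timeout=5.0):
    """Probe once per CA bundle; bundles maps a label to a PEM path or None."""
    return {label: probe_broker_tls(host, port, cafile=path, timeout=timeout)
            for label, path in bundles.items()}


if __name__ == "__main__":
    # Usage: python probe.py <broker-host> <tls-port> [extra-ca-bundle.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    bundles = {"system": None}
    if len(sys.argv) > 3:
        bundles["extra"] = sys.argv[3]
    for label, result in compare_trust_stores(host, port, bundles).items():
        print(label, result)
```

Run it from the machine that hosts Home Assistant, once with the system bundle and once with the certificate file the client is configured to load. A "verify" result for only one of them points at that trust store rather than at the broker.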

I'm seeing some related errors when trying to use Mosquitto as a private broker with TLS.
https://community.home-assistant.io/t/owntracks-and-mosquitto-private-broker-with-tls/3931

@d-rez yup, can confirm this. Upgraded mosquitto from Debian 1.3.4-2 (stable) to 1.4.10-2 (testing) and this fixed the problem.

Closing, please feel free to reopen if this is still an issue.
