MQTT Client, SSL Authenticity error: ‘Authenticity is not established by certificate path validation’

Hello,

I’m using the emqtt library to try and create an MQTT client.

emqtt_opts = %{
  host: "mqtt.mybroker.dev",
  port: 1883,
  username: "username",
  password: "password",
  ssl: true,
  clientid: "clientid/+",
  name: String.to_atom("name/+"),
  clean_start: true
}

{:ok, mqtt_pid} = :emqtt.start_link(emqtt_opts)
{:ok, _} = :emqtt.connect(mqtt_pid)

But I get the following warning:

[warning] Description: 'Authenticity is not established by certificate path validation'
      Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

I can’t post or listen to any topics.
It is a type of CA signed server connection and should not pass a local cacertfile.

Can anyone help me? I tried to search cases but I don’t find anything.

Hello,
I don’t know about emqtt, as I’ve not used it at all.
However, I see that there is an ssl_opts option that you should use to give SSL indications to the underlying connection.
Here is a set of options I’m using to connect to amqps (the parameter is ssl_options in the amqp library). It is Erlang ssl_options under the hood, so this should give you a starting point.

...
ssl_options: [
  versions: [:"tlsv1.3"],
  verify: :verify_peer,
  cacerts: :public_key.cacerts_get(),
  depth: 2,
  customize_hostname_check: [
    match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
  ]
]
...

Cheers,
Sébastien.

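The options from the reply, carried over to emqtt's `ssl_opts`, as an added example that is not code from either poster or from the emqtt project. The module name `MqttTls` and its function names are hypothetical, OTP 25 or later is assumed for `:public_key.cacerts_get/0`, and the port in the usage comment is an assumption.

```elixir
defmodule MqttTls do
  # Added example; module and function names are hypothetical.
  # Needs OTP 25+ for :public_key.cacerts_get/0 (the OS trust store).

  # Erlang :ssl client options that validate the broker's certificate chain
  # and check that the certificate was issued for `host`.
  def ssl_opts(host) when is_binary(host) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      # Sent as SNI and used as the reference name for the hostname check.
      server_name_indication: String.to_charlist(host),
      # Match wildcard certificates the way HTTPS clients do.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Handshake with plain :ssl first, so a certificate or port problem is
  # reported as a TLS error before any MQTT traffic is attempted.
  def check_tls(host, port, timeout \\ 5_000) do
    {:ok, _apps} = Application.ensure_all_started(:ssl)

    case :ssl.connect(String.to_charlist(host), port, ssl_opts(host), timeout) do
      {:ok, sock} ->
        {:ok, info} = :ssl.connection_information(sock, [:protocol])
        :ssl.close(sock)
        {:ok, info[:protocol]}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Start emqtt only once the TLS check has passed. `extra` carries the
  # remaining client options (username, password, clientid, ...).
  def connect(host, port, extra \\ []) do
    with {:ok, _protocol} <- check_tls(host, port) do
      opts = [host: String.to_charlist(host), port: port, ssl: true, ssl_opts: ssl_opts(host)]
      {:ok, pid} = :emqtt.start_link(opts ++ extra)
      {:ok, _props} = :emqtt.connect(pid)
      {:ok, pid}
    end
  end
end

# Usage (port is an assumption; 8883 is the IANA-registered MQTT-over-TLS port):
# MqttTls.connect("mqtt.mybroker.dev", 8883, username: "username", password: "password")
```

If `check_tls/2` returns `{:error, reason}`, the problem lies with the listener on that port or with its certificate rather than with emqtt.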