I am trying to run mosquitto_pub on an Ubuntu Linux machine as follows:
vbhadra@vbhadra-VirtualBox:~$ mosquitto_pub -h iot.eclipse.org -p 8883 --capath /etc/ssl/
When you run the echo | openssl s_client -showcerts -connect iot.eclipse.org:8883 command and look at the output, it contains multiple certificates, which I believe may be an issue with the way you are chopping it up with ex.
You will need both of these certs to provide a full certificate chain to verify the end user certificate for iot.eclipse.org.
Also, did you run ca_rehash (or c_rehash on Ubuntu) in the directory with your CA files?
--capath
Define the path to a directory containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.
For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "c_rehash " each time you add/remove a certificate.
I had to rename the files to end with .pem (since this is what they actually are) and copy the DST_Root_CA_X3.pem file into the ca directory from /etc/ssl/certs as well.
Also, if you want to use your own private CA, then using --cafile might be a bit simpler.
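As an added example (not part of the original question or answer), here is one way to chop the s_client output into one file per certificate for a --capath directory. The function names, the chain-N.pem file names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# split_chain OUTDIR
# Reads `openssl s_client -showcerts` output on stdin and writes each
# certificate of the chain to OUTDIR/chain-N.pem (hypothetical naming).
# Prints the number of files written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        # s_client repeats the server certificate after the chain under
        # this heading; ignore everything from here on to avoid a duplicate.
        /^Server certificate/ { done = 1 }
        done { next }
        /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > file }     # subject/issuer lines between blocks are dropped
        /^-----END CERTIFICATE-----/ { inside = 0; close(file) }
        END { print n + 0 }
    '
}

# Constructed sample transcript: the base64 bodies are placeholders, not real
# certificates, so the splitter can be exercised offline.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = leaf.example.test
   i:CN = Constructed Intermediate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
Tk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate
   i:CN = Constructed Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
Tk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----
EOF
}

# Against the real broker, followed by the rehash step the answer asks about:
#   echo | openssl s_client -showcerts -connect iot.eclipse.org:8883 | split_chain ./ca
#   c_rehash ./ca
```

The root certificate (DST_Root_CA_X3.pem in the answer above) still has to be copied into the same directory before running c_rehash.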