Client Cert auth not working with Hono #3178

Open
d0b3rm4n opened this issue Dec 3, 2024 · 0 comments
Labels
Status: Available No one has claimed responsibility for resolving this issue.

Comments

d0b3rm4n commented Dec 3, 2024

Not sure if Hono is broken or Mosquitto, but since it is working with the MQTTX tool, in Python with the Paho library (not demonstrated here), and with the Hono HTTP adapter, I am reporting it to Mosquitto. It seems that mosquitto_pub is doing something different from MQTTX and Paho, but so far I could not figure out what, and I suspect a bug.

Hono documents that mosquitto_pub should work:
https://eclipse.dev/hono/docs/user-guide/mqtt-adapter/#publish-telemetry-data-authenticated-device

Env:

uname -a
Linux FOO 6.11.10-300.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 23 00:51:20 UTC 2024 x86_64 GNU/Linux

mosquitto_pub --version
mosquitto_pub version 2.0.20 running on libmosquitto 2.0.20.

cat /etc/os-release 
NAME="Fedora Linux"
VERSION="41 (Forty One)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41
VERSION_CODENAME=""
PLATFORM_ID="platform:f41"
PRETTY_NAME="Fedora Linux 41 (Forty One)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:41"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f41/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=41
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=41
SUPPORT_END=2025-12-15

openssl --version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

Script used:

#!/bin/bash

# Reproduction script: creates a tenant and a device on the Hono sandbox,
# uploads a freshly generated CA and a device certificate signed by it, then
# publishes telemetry with curl (HTTP adapter), MQTTX and mosquitto_pub (MQTT adapter).

NORMAL='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[1;34m'

SCRIPT_DIR=$(dirname "$(readlink -f "$0")")

# Each logger prints its arguments in one colour and resets the terminal.
log_red()    { printf "${RED}%s${NORMAL}\n" "${@}"; }
log_yellow() { printf "${YELLOW}%s${NORMAL}\n" "${@}"; }
log_green()  { printf "${GREEN}%s${NORMAL}\n" "${@}"; }
log_blue()   { printf "${BLUE}%s${NORMAL}\n" "${@}"; }

set -e

# Work inside the script directory so that the cleanup below and the
# mqttx-cli download/check further down refer to the same place.
cd "${SCRIPT_DIR}"
rm -f ./*.key ./*.crt ./*.csr

REGISTRY_IP=hono.eclipseprojects.io
HTTP_ADAPTER_IP=hono.eclipseprojects.io
MQTT_ADAPTER_IP=hono.eclipseprojects.io
KAFKA_IP=hono.eclipseprojects.io
APP_OPTIONS="--sandbox"
CURL_OPTIONS="--silent --show-error --fail-with-body"
MOSQUITTO_OPTIONS='--cafile /etc/ssl/certs/ca-certificates.crt'

# Random lower-case alphanumeric IDs for the tenant, the device and the cert subjects.
TENANT_ID=$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)
RND_STR_ONE=$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)
log_blue "TENANT_ID: ${TENANT_ID} - RND_STR_ONE: ${RND_STR_ONE}"

DEVICE_ID=$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)
RND_STR_TWO=$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)
log_blue "DEVICE_ID: ${DEVICE_ID} - RND_STR_TWO: ${RND_STR_TWO}"

log_green "Create new tenant ${TENANT_ID}"
curl -X POST ${CURL_OPTIONS} -H "content-type: application/json" --data-binary '{
  "ext": {
    "messaging-type": "kafka"
  }
}' "https://${REGISTRY_IP}:28443/v1/tenants/${TENANT_ID}" | jq .

log_yellow "Created Tenant: ${TENANT_ID}"
curl ${CURL_OPTIONS} "https://${REGISTRY_IP}:28443/v1/tenants/${TENANT_ID}" | jq .

log_green "Create CA cert"
# Self-signed RSA CA. Works: HTTP: ok; MQTT: nok
openssl req -subj "/OU=${RND_STR_ONE} CA/CN=${RND_STR_ONE}" -x509 -sha256 -days 7300 -noenc -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -addext keyUsage=keyCertSign,cRLSign  -addext basicConstraints=critical,CA:true -addext authorityKeyIdentifier=keyid:always,issuer:always
# EC key variant. Works: HTTP: ok; MQTT: nok
# openssl ecparam -name secp384r1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM -out rootCA.key
# openssl req -subj "/OU=${TENANT_ID} CA/CN=${TENANT_ID}" -x509 -days 7300 -new -key rootCA.key -out rootCA.crt -addext keyUsage=keyCertSign,cRLSign  -addext basicConstraints=critical,CA:true -addext authorityKeyIdentifier=keyid:always,issuer:always

log_yellow "CA cert content:"
openssl x509 -noout -text -in rootCA.crt

# The registry API takes the certificate as one base64 line: strip the PEM
# armour lines and join the remaining lines.
CA_CERT=$(openssl x509 -in rootCA.crt -outform PEM | sed /^---/d | sed -z 's/\n//g')

log_green "Upload CA cert to tenant:"
curl ${CURL_OPTIONS} -X PUT --header 'content-type: application/json' --json "{ \"trusted-ca\": [ { \"cert\": \"${CA_CERT}\" }], \"ext\": { \"messaging-type\": \"kafka\" }}" "https://${REGISTRY_IP}:28443/v1/tenants/${TENANT_ID}" | jq .

log_yellow "Updated Tenant: ${TENANT_ID}"
curl ${CURL_OPTIONS} "https://${REGISTRY_IP}:28443/v1/tenants/${TENANT_ID}" | jq .

log_green "Create Device: ${DEVICE_ID}"
curl -X POST ${CURL_OPTIONS} "https://${REGISTRY_IP}:28443/v1/devices/${TENANT_ID}/${DEVICE_ID}" | jq .

log_yellow "Created Device: ${DEVICE_ID}"
curl ${CURL_OPTIONS} "https://${REGISTRY_IP}:28443/v1/devices/${TENANT_ID}/${DEVICE_ID}" | jq .


log_green "Create client cert CSR with key:"

# Variant with the extensions Mosquitto itself puts into the certs it creates:
# openssl req -subj "/OU=Device/CN=${RND_STR_TWO}" -newkey rsa:2048 -noenc -keyout "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr" -addext keyUsage=nonRepudiation,keyEncipherment,digitalSignature  -addext basicConstraints=CA:false -addext subjectKeyIdentifier=none -addext authorityKeyIdentifier=none

# Active variant: RSA key, clientAuth EKU. Works: HTTP: ok; MQTT: nok
openssl req -subj "/OU=Device/CN=${RND_STR_TWO}" -newkey rsa:2048 -noenc -keyout "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr" -addext keyUsage=keyAgreement,keyEncipherment,digitalSignature  -addext basicConstraints=CA:false -addext extendedKeyUsage=clientAuth

# EC key variant. Works: HTTP: ok; MQTT: nok
# openssl ecparam -name secp384r1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM -out "${DEVICE_ID}.key"
# openssl req -subj "/OU=Device/CN=${DEVICE_ID}" -new -key "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr"

# No extensions at all. Works: HTTP: ok; MQTT: nok
# openssl req -subj "/OU=Device/CN=${DEVICE_ID}" -newkey rsa:2048 -noenc -keyout "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr"

# keyUsage only. Works: HTTP: ok; MQTT: nok
# openssl req -subj "/OU=Device/CN=${DEVICE_ID}" -newkey rsa:2048 -noenc -keyout "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr" -addext keyUsage=keyAgreement,keyEncipherment,digitalSignature

# keyUsage plus basicConstraints. Works: HTTP: ok; MQTT: nok
# openssl req -subj "/OU=Device/CN=${DEVICE_ID}" -newkey rsa:2048 -noenc -keyout "${DEVICE_ID}.key" -out "${DEVICE_ID}.csr" -addext keyUsage=keyAgreement,keyEncipherment,digitalSignature  -addext basicConstraints=CA:false

log_yellow "Cert Signing Request (CSR) content:"
openssl req -noout -text -in "${DEVICE_ID}.csr"

log_green "Sign client cert CSR with CA cert:"
# -copy_extensions copy (OpenSSL 3) carries the CSR's requested extensions into the certificate.
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in "${DEVICE_ID}.csr" -out "${DEVICE_ID}.crt" -days 7299 -CAcreateserial -copy_extensions copy

log_yellow "Client cert content:"
openssl x509 -noout -text -in "${DEVICE_ID}.crt"

CLIENT_CERT=$(openssl x509 -in "${DEVICE_ID}.crt" -outform PEM | sed /^---/d | sed -z 's/\n//g')

log_green "Upload the client cert to the device ${DEVICE_ID}:"
curl -X PUT ${CURL_OPTIONS} --json "[ { \"type\": \"x509-cert\", \"cert\":\"${CLIENT_CERT}\" } ]"  "https://${REGISTRY_IP}:28443/v1/credentials/${TENANT_ID}/${DEVICE_ID}" | jq .

log_yellow "The updated device with cert: ${DEVICE_ID}"
curl ${CURL_OPTIONS} "https://${REGISTRY_IP}:28443/v1/credentials/${TENANT_ID}/${DEVICE_ID}" | jq .

log_red "Send Telemetry with CURL over HTTP-Adapter:"
set -x
curl -v --cert "${DEVICE_ID}.crt" --key "${DEVICE_ID}.key" -H 'content-type: application/json' --data-binary '{"temp": 5}' "https://${HTTP_ADAPTER_IP}:8443/telemetry"
set +x

log_red "Send Telemetry with MQTTX over MQTT-Adapter:"
if [[ ! -x "${SCRIPT_DIR}/mqttx-cli-linux-x64" ]]; then
    log_blue "Download mqttx-cli-linux-x64"
    curl -LO https://www.emqx.com/en/downloads/MQTTX/v1.11.0/mqttx-cli-linux-x64
    chmod 755 "${SCRIPT_DIR}/mqttx-cli-linux-x64"
fi

set -x
"${SCRIPT_DIR}/mqttx-cli-linux-x64" pub --debug --topic t --message '{"temp": 5}' --protocol mqtts --cert "${DEVICE_ID}.crt" --key "${DEVICE_ID}.key" --mqtt-version 3.1.1 --hostname "${MQTT_ADAPTER_IP}" --port 8883
set +x

log_red "Send Telemetry with mosquitto_pub over MQTT-Adapter:"
# MOSQUITTO_OPTIONS (--cafile) is defined above but, unlike CURL_OPTIONS, is not
# passed here. This call also publishes to "/t" with QoS 1, whereas the MQTTX
# call above publishes to "t" with QoS 0; the CONNACK is received before either.
set -x
mosquitto_pub -h "${MQTT_ADAPTER_IP}" -p 8883 --cert "${DEVICE_ID}.crt" --key "${DEVICE_ID}.key" -t /t -m '{"temp": 5}' --qos 1
set +x

Output:

TENANT_ID: 054ewxsthfdgt - RND_STR_ONE: a5p437u5qocut
DEVICE_ID: six9q53ppysw8 - RND_STR_TWO: m1dtqz6xnmm2w
Create new tenant 054ewxsthfdgt
{
  "id": "054ewxsthfdgt"
}
Created Tenant: 054ewxsthfdgt
{
  "ext": {
    "messaging-type": "kafka"
  }
}
Create CA cert
.............+....+++++++++++++++++++++++++++++++++++++++*..+......+...+..+....+...+++++++++++++++++++++++++++++++++++++++*........+.+.........+.....+......+...+.+...........+.............+..+............+...+...+.........+............++++++
..........+.+..............+.+...+......+...........+............+......+......+.+...+......+.....+.+++++++++++++++++++++++++++++++++++++++*....+++++++++++++++++++++++++++++++++++++++*.......+......+..+...+....+.........+...........+...+.......+...+..+......+.......+....................+.............+..+.+............+..+......+....+...............+........+.........+...+.+......+......+...+......+.....+...+.+......+.........+..+....+...+...............+...+...+.................+....+........+...++++++
-----
CA cert content:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:1c:3e:7f:6f:ea:d2:1d:e3:ae:e3:c0:a6:41:a0:5b:02:c6:83:84
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=a5p437u5qocut CA, CN=a5p437u5qocut
        Validity
            Not Before: Dec  3 18:49:23 2024 GMT
            Not After : Nov 28 18:49:23 2044 GMT
        Subject: OU=a5p437u5qocut CA, CN=a5p437u5qocut
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:5d:a3:37:ea:bd:ee:8b:09:39:23:6e:f5:a4:
                    31:a4:d2:55:11:6d:f7:81:78:3a:f3:5b:56:c2:2e:
                    ba:ce:62:b0:87:4e:16:ac:b8:2a:ef:85:dd:9c:0a:
                    33:30:f4:3b:78:5a:93:d8:7c:5b:99:21:16:b2:54:
                    30:d6:b9:0d:41:e6:79:07:08:1d:f7:b1:93:2d:ed:
                    3d:50:19:c2:bd:88:e6:2f:64:22:4e:81:d0:08:1c:
                    d5:17:6e:21:68:7b:42:25:4b:cd:5a:0c:d9:19:6f:
                    27:c7:79:e9:7d:94:fa:e1:80:60:47:6d:d6:16:eb:
                    d4:b0:32:e2:19:ac:45:87:36:da:3e:50:b6:11:a0:
                    19:77:29:1c:45:83:8a:4d:81:fd:3c:b3:d1:94:07:
                    5b:30:bb:36:c5:e5:56:fe:c8:b0:03:70:6d:4c:ac:
                    13:a6:37:24:a9:0a:ff:09:3c:99:0f:53:ae:a0:c7:
                    69:6a:bc:56:22:df:08:15:17:5e:90:59:b4:7d:c9:
                    fd:d0:7f:23:94:4a:f0:f3:e7:bd:09:03:14:86:28:
                    4b:5c:96:2f:18:d0:71:52:91:c9:5b:33:1c:83:2c:
                    4e:95:39:57:5a:16:27:6f:dd:30:5c:e1:a6:1c:68:
                    19:a1:62:e2:76:17:25:8a:44:db:40:03:46:0f:b3:
                    16:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                28:45:EA:FA:CB:6A:43:51:C2:DF:E3:ED:BB:78:46:95:1D:AB:64:9C
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                keyid:28:45:EA:FA:CB:6A:43:51:C2:DF:E3:ED:BB:78:46:95:1D:AB:64:9C
                DirName:/OU=a5p437u5qocut CA/CN=a5p437u5qocut
                serial:43:1C:3E:7F:6F:EA:D2:1D:E3:AE:E3:C0:A6:41:A0:5B:02:C6:83:84
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        13:e3:19:1f:2a:6c:6b:2f:69:2c:0b:18:35:55:a1:8c:a9:1e:
        bc:22:13:88:6a:18:65:eb:8e:6d:7a:f1:59:2a:4c:11:05:b4:
        66:bc:db:03:93:ac:11:2e:c3:60:fc:04:fe:81:e5:4f:cb:d3:
        ab:a0:0c:63:6c:8a:c5:d8:53:4f:17:7b:13:14:95:4b:7f:07:
        84:b2:13:58:7f:91:f3:0a:2e:fa:fd:55:4a:65:e5:c4:89:1f:
        a3:85:e1:07:f0:55:77:22:6e:3e:d2:6d:10:80:79:31:54:d4:
        9b:3b:c3:b0:34:53:09:6b:e3:6d:d4:2f:18:d4:89:06:23:99:
        89:5e:9f:a1:d3:0b:28:2c:3e:2a:cf:f0:dd:23:f2:64:81:0c:
        cc:00:29:dc:d4:4d:dd:93:54:c6:24:c4:26:8f:38:06:f9:76:
        1e:8f:ae:b3:7f:61:e0:66:40:09:36:c0:20:81:39:e4:e5:d5:
        f6:11:0c:c1:44:a8:76:15:4e:70:05:26:2e:c4:7a:25:25:94:
        7b:cd:38:0a:d7:7f:04:01:47:7c:8f:cd:01:43:3b:de:8c:6a:
        c8:37:d8:2f:cd:7a:bb:8a:fc:51:98:0b:39:9c:b4:06:2f:ce:
        ab:37:4f:b7:d6:85:d3:be:16:a7:22:2b:0b:fd:72:9b:8b:ab:
        db:91:bb:78
Upload CA cert to tenant:
Updated Tenant: 054ewxsthfdgt
{
  "ext": {
    "messaging-type": "kafka"
  },
  "trusted-ca": [
    {
      "id": "c1c6980e-d65d-499c-ba68-ca55c794f800",
      "subject-dn": "CN=a5p437u5qocut,OU=a5p437u5qocut CA",
      "subject-dn-bytes": "MDMxGTAXBgNVBAsMEGE1cDQzN3U1cW9jdXQgQ0ExFjAUBgNVBAMMDWE1cDQzN3U1cW9jdXQ=",
      "public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArF2jN+q97osJOSNu9aQxpNJVEW33gXg681tWwi66zmKwh04WrLgq74XdnAozMPQ7eFqT2HxbmSEWslQw1rkNQeZ5Bwgd97GTLe09UBnCvYjmL2QiToHQCBzVF24haHtCJUvNWgzZGW8nx3npfZT64YBgR23WFuvUsDLiGaxFhzbaPlC2EaAZdykcRYOKTYH9PLPRlAdbMLs2xeVW/siwA3BtTKwTpjckqQr/CTyZD1OuoMdparxWIt8IFRdekFm0fcn90H8jlErw8+e9CQMUhihLXJYvGNBxUpHJWzMcgyxOlTlXWhYnb90wXOGmHGgZoWLidhclikTbQANGD7MWOwIDAQAB",
      "algorithm": "RSA",
      "not-before": "2024-12-03T18:49:23Z",
      "not-after": "2044-11-28T18:49:23Z",
      "auto-provisioning-enabled": false,
      "auto-provision-as-gateway": false
    }
  ]
}
Create Device: six9q53ppysw8
{
  "id": "six9q53ppysw8"
}
Created Device: six9q53ppysw8
{
  "status": {
    "created": "2024-12-03T18:49:25Z"
  }
}
Create client cert CSR with key:
.....+......+......+.....+...+....+...+..+............+.+..............+...+................+...........+...+.+..+.......+......+..+...+....+...+++++++++++++++++++++++++++++++++++++++*..+.+..+..................+.+...+......+.....+......+....+..+++++++++++++++++++++++++++++++++++++++*....++++++
...............+...+.......+..+.+...........+.........+.+...+...+..+.+++++++++++++++++++++++++++++++++++++++*.+...+++++++++++++++++++++++++++++++++++++++*..+..+.+..+............+...............+...+.+....................+.+...+......+..+....+......+..+.+.....+.+........+..........+............+.....+.+........+....+...+.....+.......+..+.............+......+.....+....+......+......+......+..+.+..+............+......+......+.........+....+........+.........+.........++++++
-----
Cert Signing Request (CSR) content:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: OU=Device, CN=m1dtqz6xnmm2w
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:48:d9:3a:13:8d:5a:20:01:05:70:e7:6a:8c:
                    99:71:78:ec:59:57:a0:4b:54:7d:81:1a:97:47:e7:
                    c9:ea:85:fb:7c:38:d4:76:3b:39:ea:6d:bd:45:20:
                    fa:a3:50:2d:19:49:f3:fd:37:62:83:d0:d4:37:b4:
                    22:70:4d:ce:41:2c:cd:1b:0f:5f:6b:37:01:40:97:
                    3d:ad:b2:0f:6a:bf:d1:d6:9f:1e:1f:50:90:19:e7:
                    af:ac:b3:af:71:00:dc:16:32:94:d7:c0:d6:15:1c:
                    7e:59:b8:7b:8d:6b:77:e4:1a:b8:91:06:3e:9b:34:
                    ec:2a:30:b4:41:29:9d:f7:37:35:d4:e1:5d:ed:db:
                    08:a8:3d:7c:ef:46:85:06:a0:60:d1:49:80:e8:b4:
                    e2:dd:1c:b4:17:75:30:25:06:a5:9e:bb:e2:2c:f0:
                    da:a0:e9:96:f7:04:b1:f6:be:b5:6f:7a:5a:b4:b9:
                    eb:7e:02:89:86:2a:c1:7c:62:9d:e6:53:8f:90:0a:
                    12:0e:34:3c:ac:19:fe:5e:f4:a7:2a:2f:54:16:08:
                    b4:83:6c:0a:96:93:a2:00:ba:4e:8d:a4:cc:34:0f:
                    87:f9:f5:68:d0:91:2b:36:03:89:cd:02:5b:7e:1e:
                    c5:5f:72:01:9d:c6:0b:4a:bb:77:fd:39:fd:9b:35:
                    a1:ff
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Key Usage: 
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Extended Key Usage: 
                    TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        b4:07:10:3a:91:bb:b4:66:d4:83:13:c1:f4:d7:5c:d1:55:65:
        b8:36:28:11:43:0c:56:da:39:17:05:83:18:74:ac:32:11:67:
        ce:56:a2:54:cf:9c:51:e3:45:05:d6:17:20:ff:bd:48:8c:9c:
        2d:05:63:c8:7c:13:fb:b6:0b:1f:28:5d:4c:d1:d4:7e:85:93:
        e5:35:97:97:e9:6f:e3:52:f6:06:e3:62:e5:94:ef:3d:d1:2a:
        18:b9:46:48:5a:1c:f1:ff:51:68:63:62:d9:6c:a6:5a:f9:2f:
        7c:c1:b9:74:ee:0b:c2:6b:96:96:1b:e5:51:ca:0b:82:a4:3a:
        f7:fd:1b:70:d0:6b:30:88:b6:e4:2a:ad:b8:68:16:91:6c:1f:
        26:e1:b6:d1:e3:cc:8c:53:f6:f1:ca:1c:be:42:79:22:bd:08:
        67:bf:cf:18:fe:e5:21:a7:4b:be:91:5f:3c:f6:6e:1c:33:fd:
        d9:80:0a:31:eb:79:4b:bf:90:d5:6c:71:4b:6c:73:bc:c2:9b:
        62:88:f3:3b:cd:8b:e5:41:78:bb:a5:99:ee:ce:aa:28:a4:42:
        d3:cc:46:f0:cb:a1:b9:01:ea:cf:bb:d1:d3:eb:1a:c0:2d:3b:
        a0:06:c9:b2:ce:fc:03:57:9b:18:93:86:d9:83:e2:25:a1:cc:
        49:43:14:4e
Sign client cert CSR with CA cert:
Certificate request self-signature ok
subject=OU=Device, CN=m1dtqz6xnmm2w
Client cert content:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3f:24:4e:54:70:c4:27:d5:09:ac:eb:82:d7:7e:89:43:8b:cd:02:d4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=a5p437u5qocut CA, CN=a5p437u5qocut
        Validity
            Not Before: Dec  3 18:49:27 2024 GMT
            Not After : Nov 27 18:49:27 2044 GMT
        Subject: OU=Device, CN=m1dtqz6xnmm2w
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:48:d9:3a:13:8d:5a:20:01:05:70:e7:6a:8c:
                    99:71:78:ec:59:57:a0:4b:54:7d:81:1a:97:47:e7:
                    c9:ea:85:fb:7c:38:d4:76:3b:39:ea:6d:bd:45:20:
                    fa:a3:50:2d:19:49:f3:fd:37:62:83:d0:d4:37:b4:
                    22:70:4d:ce:41:2c:cd:1b:0f:5f:6b:37:01:40:97:
                    3d:ad:b2:0f:6a:bf:d1:d6:9f:1e:1f:50:90:19:e7:
                    af:ac:b3:af:71:00:dc:16:32:94:d7:c0:d6:15:1c:
                    7e:59:b8:7b:8d:6b:77:e4:1a:b8:91:06:3e:9b:34:
                    ec:2a:30:b4:41:29:9d:f7:37:35:d4:e1:5d:ed:db:
                    08:a8:3d:7c:ef:46:85:06:a0:60:d1:49:80:e8:b4:
                    e2:dd:1c:b4:17:75:30:25:06:a5:9e:bb:e2:2c:f0:
                    da:a0:e9:96:f7:04:b1:f6:be:b5:6f:7a:5a:b4:b9:
                    eb:7e:02:89:86:2a:c1:7c:62:9d:e6:53:8f:90:0a:
                    12:0e:34:3c:ac:19:fe:5e:f4:a7:2a:2f:54:16:08:
                    b4:83:6c:0a:96:93:a2:00:ba:4e:8d:a4:cc:34:0f:
                    87:f9:f5:68:d0:91:2b:36:03:89:cd:02:5b:7e:1e:
                    c5:5f:72:01:9d:c6:0b:4a:bb:77:fd:39:fd:9b:35:
                    a1:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                B8:46:74:40:9B:8C:C3:D7:68:FB:AB:0A:F9:15:D9:B6:61:EF:5B:E3
            X509v3 Authority Key Identifier: 
                28:45:EA:FA:CB:6A:43:51:C2:DF:E3:ED:BB:78:46:95:1D:AB:64:9C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        03:bb:22:0b:4a:90:27:1e:d0:39:11:5c:a2:95:df:cd:72:66:
        0a:5d:3a:6b:93:6e:12:c2:55:15:77:2d:1d:ea:ba:86:a0:f3:
        b5:0d:f5:60:0d:4b:4f:b1:e9:b0:50:f3:ee:59:a5:60:47:e3:
        ea:12:4f:94:ac:96:d7:a6:17:78:57:39:9c:25:44:a9:be:fb:
        9b:22:a5:8b:50:44:fb:c9:80:da:88:11:56:ec:39:ff:63:34:
        c4:43:19:60:3c:dd:9d:a0:72:33:a5:02:79:9b:d7:9c:40:fa:
        82:18:d2:f8:17:94:3b:85:dc:a1:0e:27:7d:22:5e:ed:22:45:
        af:8c:0f:12:55:ea:af:05:21:5c:8a:5f:aa:28:af:f4:81:6d:
        a0:97:cc:ab:55:db:23:e5:dc:43:17:2c:c3:45:e7:85:91:9d:
        a2:f8:09:ab:3f:3b:a7:13:61:22:c7:b9:95:60:8c:40:2e:be:
        1f:38:dd:ad:60:99:98:2f:19:71:b1:97:82:b0:b0:54:34:ee:
        42:39:09:ef:96:ba:6c:c8:c1:45:8a:24:11:28:bf:9a:69:d7:
        02:1a:33:bc:02:9e:f1:3e:a5:21:07:dd:e1:e9:a9:3d:3d:aa:
        06:80:e5:33:61:06:d4:e7:4b:84:62:04:cf:a2:96:83:9c:d6:
        0f:e2:42:58
Upload the client cert to the device six9q53ppysw8:
The updated device with cert: six9q53ppysw8
[
  {
    "type": "x509-cert",
    "auth-id": "CN=m1dtqz6xnmm2w,OU=Device",
    "secrets": [
      {
        "id": "281d6b49-0959-4359-845f-f4a17a063815",
        "not-before": "2024-12-03T18:49:27Z",
        "not-after": "2044-11-27T18:49:27Z"
      }
    ]
  }
]
Send Telemetry with CURL over HTTP-Adapter:
+ curl -v --cert six9q53ppysw8.crt --key six9q53ppysw8.key -H 'content-type: application/json' --data-binary '{"temp": 5}' https://hono.eclipseprojects.io:8443/telemetry
* Host hono.eclipseprojects.io:8443 was resolved.
* IPv6: (none)
* IPv4: 104.196.140.16
*   Trying 104.196.140.16:8443...
* Connected to hono.eclipseprojects.io (104.196.140.16) port 8443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=hono.eclipseprojects.io
*  start date: Sep 25 17:04:06 2024 GMT
*  expire date: Dec 24 17:04:05 2024 GMT
*  subjectAltName: host "hono.eclipseprojects.io" matched cert's "hono.eclipseprojects.io"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> POST /telemetry HTTP/1.1
> Host: hono.eclipseprojects.io:8443
> User-Agent: curl/8.9.1
> Accept: */*
> content-type: application/json
> Content-Length: 11
> 
* upload completely sent off: 11 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 202 Accepted
< content-length: 0
< 
* Connection #0 to host hono.eclipseprojects.io left intact
+ set +x
Send Telemetry with MQTTX over MQTT-Adapter:
+ /home/rzingg/tmp-hono/from-scratch/mqttx-cli-linux-x64 pub --debug --topic t --message '{"temp": 5}' --protocol mqtts --cert six9q53ppysw8.crt --key six9q53ppysw8.key --mqtt-version 3.1.1 --hostname hono.eclipseprojects.io --port 8883
  mqttjs connecting to an MQTT broker... +0ms
  mqttjs:client MqttClient :: options.protocol mqtts +0ms
  mqttjs:client MqttClient :: options.protocolVersion 4 +0ms
  mqttjs:client MqttClient :: options.username null +0ms
  mqttjs:client MqttClient :: options.keepalive 30 +0ms
  mqttjs:client MqttClient :: options.reconnectPeriod 1000 +1ms
  mqttjs:client MqttClient :: options.rejectUnauthorized undefined +0ms
  mqttjs:client MqttClient :: options.topicAliasMaximum undefined +0ms
  mqttjs:client MqttClient :: clientId mqttx_6fab7016 +0ms
  mqttjs:client MqttClient :: setting up stream +0ms
  mqttjs:client _setupStream :: calling method to clear reconnect +0ms
  mqttjs:client _clearReconnect : clearing reconnect timer +0ms
  mqttjs:client _setupStream :: using streamBuilder provided to client to create stream +0ms
  mqttjs calling streambuilder for mqtts +1ms
  mqttjs:tls port 8883 host hono.eclipseprojects.io rejectUnauthorized %b true +0ms
  mqttjs:client _setupStream :: pipe stream to writable stream +14ms
  mqttjs:client _setupStream: sending packet `connect` +0ms
  mqttjs:client sendPacket :: packet: { cmd: 'connect' } +0ms
  mqttjs:client sendPacket :: emitting `packetsend` +1ms
  mqttjs:client sendPacket :: writing to stream +0ms
  mqttjs:client sendPacket :: writeToStream result true +8ms
⠙ Connecting...  mqttjs:client writable stream :: parsing buffer +946ms
  mqttjs:client parser :: on packet push to packets array. +0ms
  mqttjs:client work :: getting next packet in queue +0ms
  mqttjs:client work :: packet pulled from queue +0ms
  mqttjs:client _handlePacket :: emitting packetreceive +0ms
  mqttjs:client _handleConnack +1ms
  mqttjs:client _setupPingTimer :: keepalive 30 (seconds) +0ms
  mqttjs:client connect :: sending queued packets +0ms
  mqttjs:client deliver :: entry undefined +0ms
  mqttjs:client _resubscribe +0ms
✔ Connected
⠋ Message publishing...  mqttjs:client publish :: message `{"temp": 5}` to topic `t` +1ms
  mqttjs:client publish :: qos 0 +0ms
  mqttjs:client MqttClient:publish: packet cmd: publish +0ms
  mqttjs:client _sendPacket :: (mqttx_6fab7016) ::  start +0ms
  mqttjs:client sendPacket :: packet: {
  mqttjs:client   cmd: 'publish',
  mqttjs:client   topic: 't',
  mqttjs:client   payload: '{"temp": 5}',
  mqttjs:client   qos: 0,
  mqttjs:client   retain: undefined,
  mqttjs:client   messageId: 0,
  mqttjs:client   dup: undefined
  mqttjs:client } +0ms
  mqttjs:client sendPacket :: emitting `packetsend` +1ms
  mqttjs:client sendPacket :: writing to stream +0ms
  mqttjs:client sendPacket :: writeToStream result true +0ms
  mqttjs:client sendPacket :: invoking cb +0ms
✔ Message published
  mqttjs:client end :: (mqttx_6fab7016) +0ms
  mqttjs:client end :: cb? true +0ms
  mqttjs:client _clearReconnect : clearing reconnect timer +0ms
  mqttjs:client end :: (mqttx_6fab7016) :: immediately calling finish +0ms
  mqttjs:client end :: (mqttx_6fab7016) :: finish :: calling _cleanUp with force false +0ms
  mqttjs:client _cleanUp :: done callback provided for on stream close +0ms
  mqttjs:client _cleanUp :: forced? false +0ms
  mqttjs:client _cleanUp :: (mqttx_6fab7016) :: call _sendPacket with disconnect packet +1ms
  mqttjs:client _sendPacket :: (mqttx_6fab7016) ::  start +0ms
  mqttjs:client sendPacket :: packet: { cmd: 'disconnect' } +0ms
  mqttjs:client sendPacket :: emitting `packetsend` +0ms
  mqttjs:client sendPacket :: writing to stream +0ms
  mqttjs:client sendPacket :: writeToStream result true +0ms
  mqttjs:client sendPacket :: invoking cb +0ms
  mqttjs:client _cleanUp :: clearing pingTimer +0ms
  mqttjs:client _sendPacket :: (mqttx_6fab7016) ::  end +0ms
  mqttjs:client (mqttx_6fab7016)stream :: on close +304ms
  mqttjs:client flushVolatile :: deleting volatile messages from the queue and setting their callbacks as error function +1ms
  mqttjs:client stream: emit close to MqttClient +0ms
  mqttjs:client close :: connected set to `false` +0ms
  mqttjs:client close :: clearing connackTimer +0ms
  mqttjs:client close :: clearing ping timer +0ms
  mqttjs:client close :: calling _setupReconnect +0ms
  mqttjs:client _setupReconnect :: doing nothing... +0ms
  mqttjs:client end :: finish :: calling process.nextTick on closeStores +0ms
  mqttjs:client end :: closeStores: closing incoming and outgoing stores +0ms
  mqttjs:client end :: closeStores: emitting end +0ms
  mqttjs:client end :: closeStores: invoking callback with args +0ms
  mqttjs:client nop :: undefined +0ms
+ set +x
Send Telemetry with mosquitto_pub over MQTT-Adapter:
+ mosquitto_pub -h hono.eclipseprojects.io -p 8883 --cert six9q53ppysw8.crt --key six9q53ppysw8.key -t /t -m '{"temp": 5}' --qos 1
Connection error: Connection Refused: bad user name or password.
Error: The connection was refused.

Expected outcome:
The mosquitto_pub command works: it is authenticated and can publish messages.

What works:
Client auth against test.mosquitto.org works just fine. So it might be that Hono is not behaving well, but MQTTX and Paho can handle it.

@github-actions github-actions bot added the Status: Available No one has claimed responsibility for resolving this issue. label Dec 3, 2024
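One way to narrow this down further, as an added example that is not code from the issue, from Mosquitto or from Hono: a stdlib-only Python probe that performs the TLS handshake with the device certificate and then sends a hand-built MQTT 3.1.1 CONNECT, printing the negotiated TLS parameters and the decoded CONNACK. The text mosquitto_pub printed above, "Connection Refused: bad user name or password", is libmosquitto's string for CONNACK return code 4, and a CONNACK can only arrive after the TLS handshake (including the client certificate exchange) has completed, so the rejection is taken at the MQTT authentication step rather than at the TLS layer. The probe makes every CONNECT-time parameter explicit (SNI name, client ID, clean-session flag, keep-alive, optional username/password) so that one can be varied at a time against the real adapter. Host, port, file names and the `probe` client ID are placeholders, and nothing here claims which parameter Hono actually keys on.

```python
"""Minimal MQTT 3.1.1 CONNECT probe over TLS with an X.509 client certificate.

Added example for this issue; not code from Mosquitto, Hono or the reporter.
It reproduces, with every knob explicit, the CONNECT a client such as
mosquitto_pub sends after the TLS handshake, and decodes the raw CONNACK, so a
TLS-level rejection (handshake error, no CONNACK) can be told apart from an
MQTT-level one (CONNACK with a non-zero return code). Command-line values are
placeholders, not values taken from the issue.
"""
import socket
import ssl
import struct
import sys
from typing import Optional, Tuple

# CONNACK return codes from MQTT 3.1.1 section 3.2.2.3; the strings match what
# mosquitto_pub prints for each code.
CONNACK_CODES = {
    0: "Connection Accepted",
    1: "Connection Refused: unacceptable protocol version",
    2: "Connection Refused: identifier rejected",
    3: "Connection Refused: server unavailable",
    4: "Connection Refused: bad user name or password",
    5: "Connection Refused: not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = more bytes follow."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def encode_utf8(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id: str, clean_session: bool = True, keepalive: int = 60,
                  username: Optional[str] = None, password: Optional[bytes] = None) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet without a will message."""
    flags = 0x02 if clean_session else 0x00
    payload = encode_utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += encode_utf8(username)
    if password is not None:
        flags |= 0x40
        payload += struct.pack("!H", len(password)) + password
    # Variable header: protocol name "MQTT", protocol level 4, connect flags, keep-alive.
    var_header = encode_utf8("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connack(data: bytes) -> Tuple[bool, int, str]:
    """Decode a CONNACK packet into (session_present, return_code, description)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % (data,))
    session_present = bool(data[2] & 0x01)
    rc = data[3]
    return session_present, rc, CONNACK_CODES.get(rc, "unknown return code %d" % rc)


def probe(host: str, port: int, certfile: str, keyfile: str, sni: Optional[str],
          client_id: str = "probe", cafile: Optional[str] = None, timeout: float = 10.0):
    """Open TLS with the client cert, send CONNECT, return the decoded CONNACK.

    sni=None sends no server_name extension and skips hostname checking, so the
    effect of SNI on the server's decision can be tested in isolation.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store when cafile is None
    ctx.load_cert_chain(certfile, keyfile)
    if sni is None:
        ctx.check_hostname = False
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=sni) as tls:
        print("TLS:", tls.version(), tls.cipher()[0], "server:", tls.getpeercert().get("subject"))
        tls.sendall(build_connect(client_id))
        connack = tls.recv(4)  # a CONNACK is exactly 4 bytes in MQTT 3.1.1
    return parse_connack(connack)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: probe.py HOST PORT CERT KEY [SNI]")
    host, port, cert, key = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    sni = sys.argv[5] if len(sys.argv) > 5 else None
    print(probe(host, port, cert, key, sni))
```

Run it once with the SNI argument set to the adapter hostname and once without, and with different client IDs, against the same certificate files the script generates; if the return code changes between two runs, the parameter you changed is the one the adapter's authentication depends on.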