Client can not verify server certificate

What are the steps to reproduce the error:

  1. Generate origin server certificate.
  2. Copy server ca, root chain (from docs), and server key
  3. set up rabbitmq.conf via
loopback_users = none
listeners.ssl.default = 5671
mqtt.listeners.tcp = none
mqtt.listeners.ssl.default = 8883
ssl_options.cacertfile = /etc/rabbitmq/cert/ca_certificate.pem
ssl_options.certfile   = /etc/rabbitmq/cert/server_certificate.pem
ssl_options.keyfile    = /etc/rabbitmq/cert/server_key.pem
ssl_options.password   = changeme 
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
ssl_options.versions.3 = tlsv1.1
  4. Deploy on EC2 & route EC2 to domain via DNS and CNAME

  5. Write python mqtt code:

import ssl
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, reason_code, properties):
    print(f"Connected with result code {reason_code}")
    client.publish("paho/temperature", "10")

def on_message(client, userdata, msg):
    print(msg.topic + " " + str(msg.payload))

client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)
# CA that signed the broker's certificate, plus this client's own certificate
# and key (the broker demands one: verify_peer with fail_if_no_peer_cert = true)
client.tls_set(ca_certs='./ca.pem', certfile='./client.pem', keyfile='./client.key')
# callbacks belong on the client instance, not on the module
client.on_connect = on_connect
client.on_message = on_message
print("Connecting to broker")
client.connect("mq.example.server", 8883, 5) # hidden
print("Connected to broker")
client.loop_forever()

Errors I get:

On client:
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1129)

On server:
TLS server: In state certify at ssl_handshake.erl:2134 generated SERVER ALERT: Fatal - Unknown CA

Is there something I am missing here? I’ve been really looking around and there are no sources on anyone else having this problem.
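The two log lines in the post describe one event seen from both ends: the broker, in the certify state (processing the client's Certificate message), could not chain the client certificate to anything in ssl_options.cacertfile and sent a fatal unknown_ca alert; Python's ssl module reports the receipt of that alert as TLSV1_ALERT_UNKNOWN_CA (a check that failed locally on the client would instead read CERTIFICATE_VERIFY_FAILED). The script below is an added example, not code from the post, from RabbitMQ or from paho-mqtt. It reproduces that exact trust check offline with openssl verify: one private CA (called broker_ca here) issues the server certificate and a good client certificate, an unrelated CA (other_ca) issues a second client certificate, and each is checked against the CA file the broker would be configured with. All names, the scratch directory and the minimal openssl config are made up for the demonstration; only the openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the check behind the
# broker's "Unknown CA" alert (ssl_options.verify = verify_peer) using two
# private CAs and `openssl verify`. Names and paths are invented for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config with a CA profile and a leaf profile, so the result
# does not depend on whatever the system openssl.cnf contains.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA certificate and key at $WORK/NAME.pem / NAME.key
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: leaf certificate NAME signed by CA
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/$2.pem" 2>/dev/null
}

# setup: broker_ca issues the server cert and the good client cert;
# other_ca (a CA the broker was never told about) issues the bad client cert.
setup() {
  make_ca broker_ca
  make_ca other_ca
  issue broker_ca server
  issue broker_ca client_ok
  issue other_ca client_bad
}

# verdict CAFILE CERT: "trusted" if CERT chains to a CA in $WORK/CAFILE.pem,
# the same test the broker applies with ssl_options.cacertfile; otherwise
# "unknown-ca", the case in which the broker sends the fatal alert.
verdict() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

setup
echo "broker cacertfile vs client cert from broker CA:     $(verdict broker_ca client_ok)"
echo "broker cacertfile vs client cert from other CA:      $(verdict broker_ca client_bad)"
echo "client ca_certs (other CA) vs broker's server cert:  $(verdict other_ca server)"
```

The same chain check runs in the other direction too: the client's ca_certs must contain the CA that issued the broker's server certificate. Against a live broker, `openssl s_client -connect host:8883 -cert client.pem -key client.key -CAfile ca.pem` shows which side raises the alert, and `openssl verify -CAfile ca_certificate.pem client.pem` run on the broker's own cacertfile tells you in advance whether a given client certificate will be accepted.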

Is this a Cloudflare origin certificate?

If so, see…
