ssl.SSLContext invalid cert

[HendrikThePendric]

Before initializing a MQTT Client I initialize an SSLContext as below. I am getting a ValueError: invalid cert error from file ssl.py in function load_verify_locations.

from umqtt.simple import MQTTClient
import ssl


def mqtt_connect():
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ssl_context.load_verify_locations(cafile="./ca.crt")
    ssl_context.load_cert_chain(certfile="./client.crt", keyfile="./client.key")
    client = MQTTClient(
        client_id="test_id",
        server="192.168.68.99",
        port=8883,
        keepalive=60,
        ssl=ssl_context,
    )
    client.connect()
    print(f"Connected to MQTT Broker {SERVER}")
    return client

I'm not sure what I am doing wrong, because:

1. When I do mpremote fs cat <FILENAME> I can see the files have been successfully copied to my Pico
2. When I use the mosquitto_pub command from my dev machine, using the same cert-files, I can successfully connect to my MQTT Broker over SLL. (I get no errors, and can subscribe to the topic on another connected device and see the topic being published)
   mosquitto_pub --cafile ./ca.crt --cert ./client.crt --key ./client.key -d -h 192.168.68.99 -p 8883 -t hello -m "world"

So the cert-files aren't invalid per se but they are seen as invalid by the MicroPython ssl/tls module. Are there specific requirements in place regarding the type of certificates I can use?

For what it's worth I'll also share the commands I used to generate the certificates:

# CA
openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
# CLIENT
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360

[Carglglz]

@HendrikThePendric
see official docs https://docs.micropython.org/en/latest/library/ssl.html
TLDR: use DER format

Also some resources that may help:

• https://github.com/JustinS-B/Mosquitto_CA_and_Certs
• https://github.com/orgs/micropython/discussions/10559

[HendrikThePendric]

Thanks, I did actually see that discussion topic and certificate generation repo, but since it was already a few years old and because I also saw a few examples elsewhere that seemed to be using .crt and .key files, I wasn't sure if it was still relevant. In the docs I did also see a mention of DER files, but it looked to be specific to the cadata param for ssl.wrap_socket. In the end, I did suspect I needed to use different cert files but I wasn't completely sure what my options were. So thanks a lot for clearing this up.

[HendrikThePendric]

Just to confirm: using DER format resolved the issue for me. Perhaps to help other facing the same issue in the future I will list the steps I took:

1. I used the scripts in https://github.com/JustinS-B/Mosquitto_CA_and_Certs to generate the various files. All I had to do was change the mosquitto_dir and subjectAltName to values appropriate for me. For some reason it didn't work correctly the first time around when I tried to generate client certificates from the ca_maker script by uncommenting these lines. However, when I called the client_maker script separately, verything worked as expected.
2. After running ca_maker once and client_maker for both my dev machine and my pico (client_maker pem <dev_machine_name> and client_maker der <pico_device_name>) I had all the files I needed.
3. I copied the server_crt.pem, server_key.pem and ca_crt.pem to the server running mosquitto, and updated the mosquitto conf and then restarted.
4. I then tested from my dev machine using an MQTT client and was able to connect using the pem files in the appropriatte client dir.
5. When I found that worked I copied the DER files to my pico, updated the filepaths in my code, and I saw the print(f"Connected to MQTT Broker") message appear. 🎉