0

I'm trying to connect to "mqtts://broker.emqx.io:8883" using paho mqtt but getting the invalid certificate error.

import ssl
import paho.mqtt.client as mqtt
import paho.mqtt.publish as publish

tls = { 'ca_certs': "certificate.pem", 'insecure': False, 'tls_version': ssl.PROTOCOL_TLS_CLIENT }
publish.single( topic="testtopic", payload=payload, hostname="broker.emqx.io", auth={}, port=8883, tls=tls, protocol=mqtt.MQTTv311 )

I don't want it to be insecure and want to get the certificate from the server instead of providing a certificate file manually. It would be a great help if someone could guide me in the right direction.

1 Answer

0

The ca_certs file should not come from the server; it's supposed to contain the certs for the Certificate Authority chain that signed the certificate used by the broker.

So in this case it should hold [1] the certificate chain from:

  • Sectigo RSA Domain Validation Secure Server CA
  • USERTrust RSA Certification Authority
  • AAA Certificate Services

You need to provide the full chain or a file containing all the trusted public CA certs.

[1] found with openssl s_client, see here

hardillb
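An added example, not code from the question or from the answer's author: it builds a verifying TLS context that trusts either the operating system's CA store (the "file containing all the trusted public CA certs" option) or a PEM file holding the issuing CA chain, then passes it to paho. It assumes a paho-mqtt release whose `publish.single` accepts an `ssl.SSLContext` as `tls`; the function names are hypothetical.

```python
import ssl


def broker_tls_context(ca_file=None):
    """Return a client context that authenticates the broker.

    ca_file=None  -> trust the operating system's public CA store.
    ca_file=path  -> trust only the CA certificates in that PEM file
                     (the issuing chain up to the root, not the broker's own cert).
    """
    # create_default_context() enables CERT_REQUIRED and hostname checking,
    # and loads the system store only when no cafile is given.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_verifying(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def publish_verified(topic, payload, hostname, port=8883, ca_file=None):
    """Publish one message over TLS.

    The handshake fails with a certificate verification error if the broker's
    chain does not lead to a trusted CA or the certificate does not match
    `hostname`; nothing is sent in that case.
    """
    import paho.mqtt.publish as publish  # third-party, imported on use

    ctx = broker_tls_context(ca_file)
    if not is_verifying(ctx):
        raise ValueError("refusing to publish over an unverified TLS context")
    publish.single(topic, payload=payload, hostname=hostname, port=port, tls=ctx)
```

Calling `publish_verified("testtopic", payload, "broker.emqx.io")` with no `ca_file` relies on the system store containing the root that the broker's chain ends at.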