
I am having trouble deploying MQTT with SSL over the internet but it works fine with local network. Here is the scenario:

  1. My Eclipse MQTT broker is deployed on the client’s machine. The machine is in a corporate intranet and has no internet access. Let’s say its local IP address is 10.125.22.103 and its name is Enterprise. The broker is using port 8883.

  2. Client has external IP address of say 222.111.112.109 and is using port forwarding to forward request to deployment machine.

  3. I used the machine name Enterprise as the common name and generated the certificate files using the steps at this link:

http://www.steves-internet-guide.com/mosquitto-tls/

I imported the ca.crt file in a .jks file using KeyStore Explorer.

I am using sample code at this url: https://github.com/eclipse/paho.mqtt.java/blob/master/org.eclipse.paho.sample.mqttv3app/src/main/java/org/eclipse/paho/sample/mqttv3app/Sample.java

  4. Both broker and client work perfectly when used on the same machine.

But when I try to connect to the broker from the internet through 222.111.112.109:8883 I get the following error:

2021-04-13 17:02:14:524 [ERROR] [MQTTListener_222.111.112.109:ID=28]:[MQTTListener.java:793] org.eclipse.paho.client.mqttv3.MqttException: MqttException
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(Unknown Source)
    at sun.security.util.HostnameChecker.match(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
    at java.lang.Thread.run(Unknown Source)

How can I fix this error?

  • Your certificate does not contain the right SAN values. The name/ip address you use to access the broker with MUST be in the SAN fields of your certificate. (And you really shouldn't be using IP address with TLS/SSL as a rule) – hardillb Apr 13 '21 at 13:18
  • @hardillb Certificates don't contain IP addresses, they contain the name of the deployment machine. The only way my client app can access the broker is through the external IP address. How can I add the external IP address to the SAN? – Ram Apr 13 '21 at 13:50
  • You go read the openssl doc. Last time I tried you had to create a custom config file for each certificate. – hardillb Apr 13 '21 at 14:25
  • https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl – hardillb Apr 13 '21 at 14:28
  • But as I said, doing TLS/SSL with raw IP addresses is a VERY bad idea; you should set up a DNS entry for the machine and ensure this hostname is in the certificate SAN list – hardillb Apr 13 '21 at 14:31
