0

I am trying to connect to my MQTT broker using the Paho library, but now I am stuck with this error. My code is below:

import os
import paho.mqtt.publish as publish
import paho.mqtt.client as mqtt
import ssl
from configparser import ConfigParser
.....
    try:
        publishInfo = {
            "parking": "test"
        }
        config = ConfigParser()
        config.read('config.ini')
        ipAddressMQTT = config['MQTT']['ipaddress']
        port = config['MQTT']['port']
        auth = {
            'username': config['MQTT']['username'],
            'password': config['MQTT']['password']
        }
        tls = {
            'ca_certs': config['MQTT']['cakeypath'],
            'certfile': config['MQTT']['certKeyPath'],
            'keyfile': config['MQTT']['clientkeypath'],
            'tls_version': ssl.PROTOCOL_TLSv1
        }
        
        publish.single(topic='parkingStatus', payload=publishInfo, retain=True, hostname=ipAddressMQTT, port=port, keepalive=60, auth=auth, tls=tls, protocol=mqtt.MQTTv311, transport='tcp')
    except Exception as e:
        self.showMessage(QMessageBox.Critical, "Error...", "Error "+str(e), "Error ")

and my config.ini file looks like:

[MQTT]
ipaddress = 172.18.0.3
port = 8883
username = parking
password = public
cakeypath = /home/atn/Documents/IUK/Abschlussarbeit/emqx_mqtt_cert/ca.pem
clientkeypath = /home/atn/Documents/IUK/Abschlussarbeit/emqx_mqtt_cert/parkingspot.pem
certkeypath = /home/atn/Documents/IUK/Abschlussarbeit/emqx_mqtt_cert/parkingspot.csr

[Geofence]
ipaddress = 172.18.0.4
port = 9851

The certificate was generated with the following commands:

openssl genrsa -out parkingspot.key 2048
openssl req -new -key parkingspot.key -out parkingspot.csr -subj "/C=DE/ST=NRW/L=Dortmund/O=EMQX/CN=client"
openssl x509 -req -days 3650 -in parkingspot.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out parkingspot.pem

After trying for hours, I decided to ask you guys. Give me a hand, pls.

Brits
Anh Tu

2 Answers

2

In your config file you have:

certkeypath = /home/atn/Documents/IUK/Abschlussarbeit/emqx_mqtt_cert/parkingspot.csr

A csr file is generally a Certificate Signing Request (the request you send to a CA asking for a certificate to be issued). I would expect the file used here to have a .key extension (this does assume you used the standard extensions when creating the certificate).

More info can be found in the answers to this question.

Brits
  • I changed to the .key file but it repeated the same error. – Anh Tu Jun 02 '21 at 20:52
  • You would need to provide more info (i.e. how you generated the key/certificate); as per the linked question the error relates to an invalid key. – Brits Jun 02 '21 at 21:42
  • I used these following commands to generate client key and certificate: openssl genrsa -out parkingspot.key 2048, openssl req -new -key parkingspot.key -out parkingspot.csr -subj "/C=DE/ST=NRW/L=Dortmund/O=EMQX/CN=client", openssl x509 -req -days 3650 -in parkingspot.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out parkingspot.pem. Is that what you need? – Anh Tu Jun 02 '21 at 21:53
  • Please amend your question when adding detail rather than posting code in the comments. See @hardillb's answer (I had not noticed that the param 'certfile' is being pulled from the 'certKeyPath' in your config - as he says this is quite confusing because it's a certificate not a key!). – Brits Jun 02 '21 at 23:07
1

I'll guess based on the field names (which at best are confusing) that the values should be

cakeypath = /.../ca.pem
clientkeypath = /.../parkingspot.key
certkeypath = /.../parkingspot.pem
hardillb
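
A preflight check for the file mix-up both answers point at, as an added example that is not part of the original posts: it reads the PEM label of each file handed to paho's `tls` argument and reports any whose type does not fit its role (CSR given as `certfile`, certificate given as `keyfile`). The function names and the dummy file bodies in `demo()` are constructed for illustration; `verify_pair=True` additionally loads the real certificate and key together with `ssl.SSLContext.load_cert_chain`.

```python
import re
import ssl
import tempfile
from pathlib import Path

# PEM label expected for each paho-mqtt tls argument used in the question.
EXPECTED = {
    "ca_certs": {"CERTIFICATE"},
    "certfile": {"CERTIFICATE"},
    "keyfile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                "ENCRYPTED PRIVATE KEY"},
}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_label(path):
    """Return the label of the first PEM block in the file, or None."""
    match = PEM_BEGIN.search(Path(path).read_text(errors="replace"))
    return match.group(1) if match else None

def check_tls_files(tls, verify_pair=False):
    """Return a list of problems found in a paho-style tls dict."""
    problems = []
    for arg, allowed in EXPECTED.items():
        label = pem_label(tls[arg])
        if label not in allowed:
            problems.append(f"{arg}: found {label!r}, expected one of {sorted(allowed)}")
    if verify_pair and not problems:
        try:
            # Raises ssl.SSLError if the key does not belong to the certificate.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(
                tls["certfile"], tls["keyfile"])
        except ssl.SSLError as exc:
            problems.append(f"certfile/keyfile do not load as a pair: {exc}")
    return problems

def demo():
    """Constructed stand-in files: real PEM labels, dummy bodies."""
    d = Path(tempfile.mkdtemp())
    for name, label in [("ca.pem", "CERTIFICATE"), ("parkingspot.pem", "CERTIFICATE"),
                        ("parkingspot.csr", "CERTIFICATE REQUEST"),
                        ("parkingspot.key", "RSA PRIVATE KEY")]:
        (d / name).write_text(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")
    asked = {"ca_certs": d / "ca.pem", "certfile": d / "parkingspot.csr",
             "keyfile": d / "parkingspot.pem"}   # mapping from the question's config.ini
    fixed = {"ca_certs": d / "ca.pem", "certfile": d / "parkingspot.pem",
             "keyfile": d / "parkingspot.key"}   # mapping suggested in the answer
    return check_tls_files(asked), check_tls_files(fixed)
```

Run against the real files, call `check_tls_files(tls, verify_pair=True)` with the same `tls` dict before passing it to `publish.single`.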