0

I used openssl to generate a root CA certificate, device certificate and key for connecting to Azure IoT Hub by following this documentation.

https://github.com/dotnet/samples/blob/main/iot/dotnet-iot-and-nanoframework/create-certificate.md

I also uploaded the root CA certificate to Azure IoT Hub and verified it using proof of possession. However, when I try running Python code using this CA certificate I get the error "unable to get local issuer certificate" from OpenSSL. I added the root CA and device certificate to the Windows trusted root certificate store but it didn't solve the issue. I also installed pip_system_certs and python-certifi-win32 but to no avail.

from paho.mqtt import client as mqtt
import ssl

# Certificates and key generated with openssl (see the linked create-certificate.md)
path_to_root_cert = "C:\\Users\\prana\\Downloads\\rootca.pem"
path_to_client_cert = "C:\\Users\\prana\\Downloads\\device.pem"
path_to_private_key = "C:\\Users\\prana\\Downloads\\device.key"
device_id = "iotdevice02"
iot_hub_name = "PASSDEMO1"
iot_hub_host = iot_hub_name + ".azure-devices.net"

# Callback function when the client connects to the MQTT broker
def on_connect(client, userdata, flags, rc):
    print("Device connected with result code: " + str(rc))

# Callback function when the client disconnects from the MQTT broker
def on_disconnect(client, userdata, rc):
    print("Device disconnected with result code: " + str(rc))

# Callback function when a message is published
def on_publish(client, userdata, mid):
    print("Device sent message")

# Create an MQTT client instance (IoT Hub requires MQTT 3.1.1 and the device ID as client ID)
client = mqtt.Client(client_id=device_id, protocol=mqtt.MQTTv311, clean_session=False)

# IoT Hub requires this username even with X.509 authentication (no password)
client.username_pw_set(username=iot_hub_host + "/" + device_id + "/?api-version=2021-04-12", password=None)

# Set the callback functions
client.on_connect = on_connect
client.on_disconnect = on_disconnect
client.on_publish = on_publish

# Set TLS/SSL configuration.
# ca_certs is the trust anchor OpenSSL uses to verify the *server's* certificate;
# certfile/keyfile are the device's own X.509 client credentials.
client.tls_set(
    ca_certs=path_to_root_cert,
    certfile=path_to_client_cert,
    keyfile=path_to_private_key,
    cert_reqs=ssl.CERT_REQUIRED,
    tls_version=ssl.PROTOCOL_TLSv1_2,
    ciphers=None,
)
client.tls_insecure_set(False)

# Connect to the MQTT broker (the TLS handshake happens here)
client.connect(iot_hub_host, port=8883)

# Publish a message to a topic (queued until the connection completes)
result = client.publish("devices/" + device_id + "/messages/events/", '{"hello":129029}', qos=1, retain=True)

# Run the network loop until the message is acknowledged, then disconnect
client.loop_start()
result.wait_for_publish(timeout=10)
client.loop_stop()
client.disconnect()
Niescte
  • Are you trying to run the sample : https://github.com/dotnet/samples/tree/main/iot/dotnet-iot-and-nanoframework or a different sample? I noticed you mentioned some Python certs... – Dominic Betts Jul 05 '23 at 07:24
  • Show the code you are using **in your question** See this [link](https://stackoverflow.com/help/minimal-reproducible-example). An answer depends on which library your code depends on and how that library was compiled. For some libraries on Windows, which are built for SChannel, you specify the certificate store certificate hash (fingerprint) instead of a certificate file path which requires that you import the certificate and corresponding key correctly. – John Hanley Jul 06 '23 at 02:43
  • @JohnHanley I Have added the code – Niescte Jul 06 '23 at 05:15

1 Answer

-1

The error message "unable to get local issuer certificate for OpenSSL" typically occurs when OpenSSL is unable to verify the certificate chain. This means that OpenSSL cannot find a trusted root certificate authority (CA) that can verify the certificate presented by the remote server.

Steps to resolve the issue:

  • Verify the root CA certificate is installed properly.

  • Verify the root CA certificate is added to the trusted root certificate store, which OpenSSL references for verification, and also check that the certificate is not expired or revoked.

  • OpenSSL depends on a CA certificate bundle to verify certificates. Sometimes, the default CA bundle may be outdated or missing necessary certificates.

Set the SSL_CERT_FILE environment variable to point to the downloaded CA certificate bundle file.

    import os
    import ssl

    # Point OpenSSL's default verify paths at the CA bundle (set before any context is created)
    os.environ['SSL_CERT_FILE'] = '/path/to/cacert.pem'
    # Or load the trust anchor explicitly into the context used for the connection
    context = ssl.create_default_context(cafile='/path/to/rootca.crt')

Proxy settings: check that the proxy settings are properly configured, allowing OpenSSL to access the necessary certificates.

Browsers automatically download the intermediate certificate using the URL in the "Authority Info Access" section of the certificate, whereas Python and openssl s_client cannot. They depend on the server sending them the intermediate certificate.


For more information refer to MS Doc and also check this SO Link.

Rajesh Mopati
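The following is an added, self-contained demonstration of the failure in the question and of the distinction the answer's steps circle around; it is not code from the question, the answer, or the linked .NET sample. `ca_certs` in paho's `tls_set()` (and `cafile` in `ssl.create_default_context()`) is the trust anchor used to verify the *server's* certificate, and when it is given, nothing else is trusted, so adding certificates to the Windows store has no effect on that connection. The asker's `rootca.pem` issued the *device* certificate; it did not issue the IoT Hub's TLS server certificate, so OpenSSL cannot find the server's issuer and reports exactly "unable to get local issuer certificate". The script assumes the `openssl` CLI is on PATH and builds a constructed throwaway PKI in a temporary directory: a "Demo Server CA" that signs a leaf certificate for `localhost` (standing in for the hub's certificate and its public issuer), and an unrelated "Demo Device Root CA" (standing in for the asker's `rootca.pem`). It then runs a real TLS handshake against a local server that sends only its leaf certificate, once trusting each CA, and returns OpenSSL's verify result for each.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(args, cwd):
    """Run the openssl CLI (assumed to be on PATH) inside cwd."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_demo_pki(workdir):
    """Constructed demo PKI, all files written to workdir:
    - 'Demo Server CA' issues a leaf certificate for localhost (stand-in for
      the IoT Hub server certificate and its issuing CA);
    - 'Demo Device Root CA' is an unrelated self-signed root (stand-in for the
      rootca.pem the asker generated to issue device certificates)."""
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
              "-subj", "/CN=Demo Server CA",
              "-keyout", "srvca.key", "-out", "srvca.pem"], workdir)
    _openssl(["req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
              "-keyout", "server.key", "-out", "server.csr"], workdir)
    with open(os.path.join(workdir, "ext.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")  # hostname check needs a SAN
    _openssl(["x509", "-req", "-days", "2", "-in", "server.csr",
              "-CA", "srvca.pem", "-CAkey", "srvca.key", "-CAcreateserial",
              "-extfile", "ext.cnf", "-out", "server.pem"], workdir)
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
              "-subj", "/CN=Demo Device Root CA",
              "-keyout", "devca.key", "-out", "devca.pem"], workdir)
    names = {"server_ca": "srvca.pem", "server_cert": "server.pem",
             "server_key": "server.key", "device_ca": "devca.pem"}
    return {k: os.path.join(workdir, v) for k, v in names.items()}


def tls_handshake_result(ca_file, server_cert, server_key):
    """Run one TLS handshake against a local server that presents server_cert
    (leaf only, like a server that does not send its CA) with a client that
    trusts nothing but ca_file. Returns 'ok' or OpenSSL's verify message."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve_once():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)  # wait for the client to close
        except (ssl.SSLError, OSError):
            pass  # client rejected our certificate (or closed abruptly)
        finally:
            listener.close()

    t = threading.Thread(target=serve_once)
    t.start()

    # Same trust setup paho uses for tls_set(ca_certs=...): only the
    # certificates in ca_file are trust anchors, the system store is not consulted.
    cli_ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname="localhost"):
                result = "ok"
    except ssl.SSLCertVerificationError as err:
        result = err.verify_message
    t.join(5)
    return result


def demo():
    """Verify the local server's certificate against each CA in turn."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_demo_pki(workdir)
        return {
            # trusting the CA that actually issued the server certificate
            "server_issuer_ca": tls_handshake_result(
                pki["server_ca"], pki["server_cert"], pki["server_key"]),
            # trusting only the device root CA, as the question's tls_set() does
            "device_root_ca": tls_handshake_result(
                pki["device_ca"], pki["server_cert"], pki["server_key"]),
        }


if __name__ == "__main__":
    for trust_anchor, outcome in demo().items():
        print(f"{trust_anchor}: {outcome}")
```

The practical consequence for the question's code: the device root CA belongs on the hub side (uploading and proving possession of it there is correct) and in the device's `certfile`/`keyfile`, not in `ca_certs`. `ca_certs` must point at a bundle containing the public root that issued the hub's server certificate, or be left as `None`, in which case paho calls `load_default_certs()` and, on Windows, OpenSSL is fed the Windows trusted root store.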
  • See my comment on the question. I just went thru this with mTLS and it was not a certificate or trust problem. It was caused by libcurl being built for SChannel. That version of libcurl is a Microsoft modified library. The certificate is specified using its fingerprint which is then looked up in the certificate store. – John Hanley Jul 06 '23 at 02:46
  • This answer looks like it was generated by an AI (like ChatGPT), not by an actual human being. You should be aware that [posting AI-generated output is officially **BANNED** on Stack Overflow](https://meta.stackoverflow.com/q/421831). If this answer was indeed generated by an AI, then I strongly suggest you delete it before you get yourself into even bigger trouble: **WE TAKE PLAGIARISM SERIOUSLY HERE.** Please read: [Why posting GPT and ChatGPT generated answers is not currently acceptable](https://stackoverflow.com/help/gpt-policy). – tchrist Jul 07 '23 at 19:42