Проблемы с сертификатом SSL с сертификатом, сгенерированным сценарием Python и используемым в Mosquitto ⇐ Python

[Anonymous]

Я пытаюсь использовать SSL с комаром.

Код: Выделить всё

# This script will generate a CA's private key and self-signed certificate,
# a server's private key and CSR, and finally, a server's certificate signed by the CA.
# You can then use these certificates for secure communication in your applications.

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
from datetime import datetime, timedelta

print("Generate the CA's private key and self-signed certificate (ca_cert.pem,ca_key.pem)")
print("\tGenerate CA's private key")
ca_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)

print("\tGenerate CA's self-signed certificate")
ca_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Wallonia"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Herstal"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My CA"),
x509.NameAttribute(NameOID.COMMON_NAME, u"localhost"), #u"myca.example.com"),
])
ca_certificate = x509.CertificateBuilder().subject_name(
ca_subject
).issuer_name(
ca_subject
).public_key(
ca_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.utcnow()
).not_valid_after(
datetime.utcnow() + timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True,
).sign(ca_key, hashes.SHA256())

print("\tSave CA's private key and certificate to files")
with open("ca_key.pem", "wb") as f:
f.write(ca_key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption()
))

with open("ca_cert.pem", "wb") as f:
f.write(ca_certificate.public_bytes(Encoding.PEM))

print("Generate the server's private key and certificate signing request (CSR) (server_csr.pem,server_key.pem)")

print("\tGenerate server's private key")
server_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)

print("\tGenerate server's CSR")
server_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Wallonia"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Herstal"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Server"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mmqttmaster"),#u"myserver.example.com"),
])
csr = x509.CertificateSigningRequestBuilder().subject_name(
server_subject
).sign(server_key, hashes.SHA256())

print("\tSave server's private key and CSR to files")
with open("server_key.pem", "wb") as f:
f.write(server_key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption()
))

with open("server_csr.pem", "wb") as f:
f.write(csr.public_bytes(Encoding.PEM))

print("Sign the server's CSR with the CA's private key to generate the server's certificate (server_cert.pem)")
print("\tSign server's CSR with CA's private key")
server_certificate = x509.CertificateBuilder().subject_name(
csr.subject
).issuer_name(
ca_certificate.subject
).public_key(
csr.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.utcnow()
).not_valid_after(
datetime.utcnow() + timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
).sign(ca_key, hashes.SHA256())

print("\tSave server's certificate to file")
with open("server_cert.pem",  "wb") as f:
f.write(server_certificate.public_bytes(Encoding.PEM))
< /code>
Тогда я пытаюсь использовать их в виртуальной машине (debian12 на гипервиве) < /p>
sudo nano /etc/mosquitto/mosquitto.conf
cafile /etc/mosquitto/ca_certificates/ca_cert.pem
certfile /etc/mosquitto/ca_certificates/server_cert.pem
keyfile /etc/mosquitto/ca_certificates/server_key.pem

sudo systemctl restart mosquitto
< /code>
Затем, когда я делаю < /p>
cd /etc/mosquitto/ca_certificates/
mosquitto_pub -h localhost -p 8883 -t test_topic -m "I am healthy" --cafile ca_cert.pem -d
< /code>
У меня есть следующая ошибка: < /p>
Client (null) sending CONNECT
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: A TLS error occurred.

common_name, вероятно, неверны, но я не уверен, что я должен использовать

Подробнее здесь: https://stackoverflow.com/questions/794 ... -used-in-m