ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1123)

Question

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1123)

Closed this issue a year ago · 3 comments

import time
import logging
import paho.mqtt.client as mqtt
from OpenSSL import SSL
import os
import ssl

log = logging.getLogger('RemoTV.hardware.l298n')

logging.basicConfig(level=logging.DEBUG)

sleeptime = 0.2
rotatetimes = 0.4

StepPinForward = None
StepPinBackward = None
StepPinLeft = None
StepPinRight = None


def setup(robot_config):
    global StepPinForward
    global StepPinBackward
    global StepPinLeft
    global StepPinRight
    global sleeptime
    global rotatetimes

    sleeptime = robot_config.getfloat('l298n', 'sleeptime')
    rotatetimes = robot_config.getfloat('l298n', 'rotatetimes')

    log.debug("GPIO mode : %s", str(GPIO.getmode()))

    GPIO.setwarnings(False)
    GPIO.cleanup()

    if robot_config.getboolean('tts', 'ext_chat'):  # ext_chat enabled, add motor commands
        extended_command.add_command('.set_rotate_time', set_rotate_time)
        extended_command.add_command('.set_sleep_time', set_sleep_time)

    # TODO passing these as tuples may be unnecessary, it may accept lists as well.
    StepPinForward = tuple(map(int, robot_config.get('l298n', 'StepPinForward').split(',')))
    StepPinBackward = tuple(map(int, robot_config.get('l298n', 'StepPinBackward').split(',')))
    StepPinLeft = tuple(map(int, robot_config.get('l298n', 'StepPinLeft').split(',')))
    StepPinRight = tuple(map(int, robot_config.get('l298n', 'StepPinRight').split(',')))


def on_message(client, userdata, message):
    payload = message.payload.decode('utf-8')

    GPIO.setmode(GPIO.BOARD)
    GPIO.setup(12, GPIO.OUT)
    GPIO.setup(11, GPIO.OUT)
    GPIO.setup(15, GPIO.OUT)
    GPIO.setup(16, GPIO.OUT)
    GPIO.setup(36, GPIO.OUT)
    GPIO.setup(35, GPIO.OUT)

    if payload == 'f':
        GPIO.output(12, GPIO.HIGH)
        time.sleep(sleeptime)
        GPIO.output(12, GPIO.LOW)
    if payload == 'b':
        GPIO.output(11, GPIO.HIGH)
        time.sleep(sleeptime)
        GPIO.output(11, GPIO.LOW)
    if payload == 'l':
        GPIO.output(15, GPIO.HIGH)
        time.sleep(sleeptime * rotatetimes)
        GPIO.output(15, GPIO.LOW)
    if payload == 'r':
        GPIO.output(16, GPIO.HIGH)
        time.sleep(sleeptime * rotatetimes)
        GPIO.output(16, GPIO.LOW)
    if payload == 'z':
        GPIO.output(36, GPIO.HIGH)
        time.sleep(sleeptime * rotatetimes)
        GPIO.output(36, GPIO.LOW)
    if payload == 'x':
        GPIO.output(35, GPIO.HIGH)
        time.sleep(sleeptime * rotatetimes)
        GPIO.output(35, GPIO.LOW)

ca_cert_path = "fullchain1.pem"
client = mqtt.Client()

# Set the TLS/SSL parameters for the client
client.tls_set(
    ca_certs=ca_cert_path,
    certfile='cert1.pem',
    keyfile='privkey1.pem',
    cert_reqs=ssl.CERT_REQUIRED,
    tls_version=SSL.SSLv23_METHOD
)

client.username_pw_set(username="not posting my passwd", password="lol ahah")

# client.tls_insecure_set(False)

client.on_message = on_message

client.connect('clawclan.co.uk',8083)

client.subscribe("clawmachine/controls")

client.loop_forever()

Thats the python code that I'm using to connect to my mqtt broker, I have been through multiple issues as tlsv1.3 isn't supported by pyopenssl or something, I have spent days trying to get this code to work and fixing issues, and this one has been making me lose my mind hahahahahahahahah.

My mosquitto config:

allow_anonymous false
password_file /home/pi/claw/passwordfile.txt

listener 1883 localhost

listener 8883
certfile /home/pi/claw/cert1.pem
cafile /home/pi/claw/chain1.pem
keyfile /home/pi/claw/privkey1.pem

listener 8083
protocol websockets
certfile /home/pi/claw/cert1.pem
cafile /home/pi/claw/chain1.pem
keyfile /home/pi/claw/privkey1.pem

This is the error I'm getting when I run the .py file

pi@raspberrypi:~/claw $ python3 cac.py
Traceback (most recent call last):
  File "/home/pi/claw/cac.py", line 102, in <module>
    client.connect('clawclan.co.uk', 8083)
  File "/home/pi/.local/lib/python3.9/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
  File "/home/pi/.local/lib/python3.9/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1123)

If u want me to add anything, just ask, as I will be just checking for responses, for the rest of the day

Answer 1 · 2023-02-20T22:27:39.000Z

I don't know anything about this mqtt library, but it seems likely to me that you are passing the incorrect parameters to `client.tls_set` -- based on what you indicated, it looks like you're passing the server's private key, but this isn't correct. The keyfile argument there is for use for client certificates.

…

On Sun, Feb 19, 2023 at 5:14 PM Byron Edwards ***@***.***> wrote: import time import logging import paho.mqtt.client as mqtt from OpenSSL import SSL import os import ssl log = logging.getLogger('RemoTV.hardware.l298n') logging.basicConfig(level=logging.DEBUG) sleeptime = 0.2 rotatetimes = 0.4 StepPinForward = None StepPinBackward = None StepPinLeft = None StepPinRight = None def setup(robot_config): global StepPinForward global StepPinBackward global StepPinLeft global StepPinRight global sleeptime global rotatetimes sleeptime = robot_config.getfloat('l298n', 'sleeptime') rotatetimes = robot_config.getfloat('l298n', 'rotatetimes') log.debug("GPIO mode : %s", str(GPIO.getmode())) GPIO.setwarnings(False) GPIO.cleanup() if robot_config.getboolean('tts', 'ext_chat'): # ext_chat enabled, add motor commands extended_command.add_command('.set_rotate_time', set_rotate_time) extended_command.add_command('.set_sleep_time', set_sleep_time) # TODO passing these as tuples may be unnecessary, it may accept lists as well. StepPinForward = tuple(map(int, robot_config.get('l298n', 'StepPinForward').split(','))) StepPinBackward = tuple(map(int, robot_config.get('l298n', 'StepPinBackward').split(','))) StepPinLeft = tuple(map(int, robot_config.get('l298n', 'StepPinLeft').split(','))) StepPinRight = tuple(map(int, robot_config.get('l298n', 'StepPinRight').split(','))) def on_message(client, userdata, message): payload = message.payload.decode('utf-8') GPIO.setmode(GPIO.BOARD) GPIO.setup(12, GPIO.OUT) GPIO.setup(11, GPIO.OUT) GPIO.setup(15, GPIO.OUT) GPIO.setup(16, GPIO.OUT) GPIO.setup(36, GPIO.OUT) GPIO.setup(35, GPIO.OUT) if payload == 'f': GPIO.output(12, GPIO.HIGH) time.sleep(sleeptime) GPIO.output(12, GPIO.LOW) if payload == 'b': GPIO.output(11, GPIO.HIGH) time.sleep(sleeptime) GPIO.output(11, GPIO.LOW) if payload == 'l': GPIO.output(15, GPIO.HIGH) time.sleep(sleeptime * rotatetimes) GPIO.output(15, GPIO.LOW) if payload == 'r': GPIO.output(16, GPIO.HIGH) time.sleep(sleeptime * rotatetimes) GPIO.output(16, GPIO.LOW) if payload == 'z': GPIO.output(36, GPIO.HIGH) time.sleep(sleeptime * rotatetimes) GPIO.output(36, GPIO.LOW) if payload == 'x': GPIO.output(35, GPIO.HIGH) time.sleep(sleeptime * rotatetimes) GPIO.output(35, GPIO.LOW) ca_cert_path = "fullchain1.pem" client = mqtt.Client() # Set the TLS/SSL parameters for the client client.tls_set( ca_certs=ca_cert_path, certfile='cert1.pem', keyfile='privkey1.pem', cert_reqs=ssl.CERT_REQUIRED, tls_version=SSL.SSLv23_METHOD ) client.username_pw_set(username="not posting my passwd", password="lol ahah") # client.tls_insecure_set(False) client.on_message = on_message client.connect('clawclan.co.uk',8083) client.subscribe("clawmachine/controls") client.loop_forever() Thats the python code that I'm using to connect to my mqtt broker, I have been through multiple issues as tlsv1.3 isn't supported by pyopenssl or something, I have spent days trying to get this code to work and fixing issues, and this one has been making me lose my mind hahahahahahahahah. My mosquitto config: allow_anonymous false password_file /home/pi/claw/passwordfile.txt listener 1883 localhost listener 8883 certfile /home/pi/claw/cert1.pem cafile /home/pi/claw/chain1.pem keyfile /home/pi/claw/privkey1.pem listener 8083 protocol websockets certfile /home/pi/claw/cert1.pem cafile /home/pi/claw/chain1.pem keyfile /home/pi/claw/privkey1.pem If u want me to add anything, just ask, as I will be just checking for responses, for the rest of the day — Reply to this email directly, view it on GitHub <#1187>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBAFHYYENCK6YT73YRDWYKLKRANCNFSM6AAAAAAVBGOURM> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

Answer 2 · 2023-02-21T20:09:22.000Z

What should I put there instead then?

Answer 3 · 2023-10-02T09:25:29.000Z

The exception being raised is from Python's ssl module, rather than PyOpenSSL:

 File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1123)

Also, the library paho-mqtt does not use PyOpenSSL. The docs specify that the objects that should be passed as parameters of tls_set are from the ssl module

@alex I think we can close this one.