CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate
nouhouari opened this issue · 4 comments
I'm trying to connect to a secure websocket over wss to Mosquitto server and publish messages to a MQTT topic.
mqtt_client: ^10.3.1
My server is working fine and I've checked with the mqttx command line.
mqttx pub -t 'hello' -l wss -h 'XXXXXXXXXX' -p 443 -m 'Hello' --ca ca.crt
✔ Connected
✔ Message published
In the flutter application, I'm using the same ca.crt to secure the connection.
Here is my Dart code:
const certificatePath = 'assets/certs/ca.crt';
final client =
MqttServerClient('wss://XXXXXXXXXX', 'flutter_app');
client.port = 443;
client.useWebSocket = true;
client.logging(on: true);
ByteData crtData = await rootBundle.load(certificatePath);
SecurityContext securityContext = SecurityContext(withTrustedRoots: true);
securityContext.setTrustedCertificatesBytes(crtData.buffer.asInt8List());
client.onBadCertificate = onBadCertificate;
client.securityContext = securityContext;
client.setProtocolV31();
try {
await client.connect();
} catch (e) {
if (kDebugMode) {
print('Error while connecting: $e');
}
}
And the workaround to validate the self-signed certificate
bool onBadCertificate(X509Certificate certificate){
print('***** Bad certicicate' + certificate.toString());
return true;
}
Here are the logs of the flutter application running on Android 14 (API 34):
[ +18 ms] I/flutter ( 3136): 1-2024-07-15 16:26:43.947687 -- MqttConnectionHandlerBase::connect - server wss://XXXXXXXXXX, port 443
[ +14 ms] I/flutter ( 3136): 1-2024-07-15 16:26:43.960715 -- SynchronousMqttServerConnectionHandler::internalConnect entered
[ ] I/flutter ( 3136): 1-2024-07-15 16:26:43.962824 -- SynchronousMqttServerConnectionHandler::internalConnect - initiating connection try 0, auto reconnect in progress false
[ +3 ms] I/flutter ( 3136): 1-2024-07-15 16:26:43.965459 -- SynchronousMqttServerConnectionHandler::internalConnect - websocket selected
[ +13 ms] I/flutter ( 3136): 1-2024-07-15 16:26:43.978912 -- SynchronousMqttServerConnectionHandler::internalConnect - calling connect
[ +3 ms] I/flutter ( 3136): 1-2024-07-15 16:26:43.983443 -- MqttWsConnection::connect - entered
[ +25 ms] I/flutter ( 3136): 1-2024-07-15 16:26:44.007883 -- MqttWsConnection::connect - WS URL is wss://XXXXXXXXXX:443, protocols are [mqtt, mqttv3.1, mqttv3.11]
[ +612 ms] I/flutter ( 3136): 1-2024-07-15 16:26:44.619522 -- MqttConnectionBase::_onError - calling disconnected callback
[ +15 ms] I/flutter ( 3136): Error while connecting: HandshakeException: Handshake error in client (OS Error:
[ ] I/flutter ( 3136): CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393))
Note that the onBadCertificate is not called.
What am I doing wrong?
Thanks
You can't use secure working with websockets, the 'secure' setting is for server side sockets only, please read the clients API documentation.
There is no way of using a cert if you are using websockets, see the Dart API here. You can use the protocol and headers parameters if you need to, again read the clients API documentation.
You can't use secure working with websockets, the 'secure' setting is for server side sockets only, please read the clients API documentation.
There is no way of using a cert if you are using websockets, see the Dart API here. You can use the protocol and headers parameters if you need to, again read the clients API documentation.
I'm not using 'secure'.
From your code above -
SecurityContext securityContext = SecurityContext(withTrustedRoots: true);
securityContext.setTrustedCertificatesBytes(crtData.buffer.asInt8List());
client.securityContext = securityContext;
you're setting a security context whether or not you are setting the secure field, this will not work with websockets, see the Dart API for the SecurityContext class.
It's working now by applying these changes.
client = MqttServerClient(mqttURL, mqttClientId);
client.port = mqttPort;
client.useWebSocket = true;
client.autoReconnect = true;
client.logging(on: true);
SecurityContext securityContext = SecurityContext.defaultContext;
securityContext.setTrustedCertificatesBytes(mqttCertBytes);
client.onBadCertificate = onBadCertificate;
client.securityContext = securityContext;
// Connect to server
await connect(client);
I think the main change is:
SecurityContext securityContext = SecurityContext(withTrustedRoots: true);