Invoke private key from MQTT client

Hi all,

I'm trying an MQTT client, but I get the following error, and I confirmed that the ARN target is correct. So, I'd need to know how to invoke the private key from the mqtt command:

sudo mosquitto_pub --cafile iotRootCA_Symantec.pem --cert raspberry.crt --key nonzymkey.key -h XXXXXXX.iot.eu-west-1.amazonaws.com -p 8883 -q 1 -t iot/location -i raspberry-PI --tls-version tlsv1.2 -m "IoT TEST" -d
Error: Problem setting TLS options.

Thanks

Add the --tls-engine options to your command line:
--tls-engine zymkey_ssl --keyform engine

I'm afraid I get another error. It seems the private key is not accessible, even though it is through openssl when we create the CSR file.

sudo mosquitto_pub --cafile iotRootCA_Symantec.pem --cert rasp.crt --key nonzymkey.key --tls-engine zymkey_ssl --keyform engine -h XXXX.iot.eu-west-1.amazonaws.com -p 8883 -q 1 -t iot/location -i rasp -m "TESTING" -d
Error: Problem setting TLS options: File not found.

I wonder if I must set the zymkey engine before executing this mqtt command.

~ $ openssl engine
(dynamic) Dynamic engine loading support

~ $ openssl engine zymkey_ssl
(zymkey_ssl) Zymkey SSL engine

Thanks

Does the file nonzymkey.key exist and is it located in the same directory that you are making the mosquitto_pub call from? This should be the file that you used when creating the CSR using Zymkey.

Sorry, but I understood that nonzymkey.key was a dummy and not a real file. In fact, when I create a CSR, this "nonzymkey.key" file isn't created.

pi@raspberrypi:~ $ openssl req -key nonzymkey.key -new -out zymkey.csr -engine zymkey_ssl -keyform e -subj "/C=XX/ST=XX/L=MADL/O=TES/OU=SEG/CN=rasp"
Stack frame dump (0):
engine "zymkey_ssl" set.
Stack frame dump (0):

And if I try to create it empty, I get the following errors.

First, there isn't any nonzymkey.key file:

pi@raspberrypi:~/MQTT/certs $ sudo mosquitto_pub --cafile iotRootCA_Symantec.pem --cert raspberryPi.crt --key nonzymkey.key --tls-engine zymkey_ssl --keyform engine -h XXXX.iot.eu-west-1.amazonaws.com -p 8883 -q 1 -t iot/location -i rasp -m "TESTING" -d
Error: Problem setting TLS options: File not found.

Now I create it:
pi@raspberrypi:~/MQTT/certs $ touch nonzymkey.key

pi@raspberrypi:~/MQTT/certs $ sudo mosquitto_pub --cafile iotRootCA_Symantec.pem --cert raspberryPi.crt --key nonzymkey.key --tls-engine zymkey_ssl --keyform engine -h XXXXt.iot.eu-west-1.amazonaws.com -p 8883 -q 1 -t iot/location -i rasp -m "TESTING" -d
Error: Problem setting key form, it must be one of 'pem' or 'engine'.

Thanks

Actually, I think you are correct. Older versions of OpenSSL required an actual dummy key file, even when going through a hardware engine. It looks like the latest version that I'm testing against in Buster no longer requires the file.

However, when I get mosquitto-clients from apt, the version from the repo does not support hardware engines. Did you build mosquitto on your own?

Also, what distro are you running?

Do you have information about how to make the curl command work for client authentication with zymkey? I only got zymkey working in the openssl operation for CSR creation. I'd need either curl or mosquitto_pub in a client authentication process. Neither way works, because the zymkey_ssl engine is not found.

pi@raspberrypi:~/MQTT/certs $ curl --tlsv1.2 --cacert iotRootCA_Symantec.pem --cert raspb.crt --key nonzymkey.key --engine zymkey_ssl --key-type ENG -v -X POST -d '{"hello": "world"}' "http://XXXXXX.iot.iot.eu-west-1.amazonaws.com/topics/hello/world"
* SSL Engine 'zymkey_ssl' not found
curl: (53) SSL Engine 'zymkey_ssl' not found

For Mosquitto installation I followed these steps.

To use the new repository you should first import the repository package signing key:

wget http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key
sudo apt-key add mosquitto-repo.gpg.key

Then make the repository available to apt:

cd /etc/apt/sources.list.d/

Then one of the following, depending on which version of debian you are using:

sudo wget http://repo.mosquitto.org/debian/mosquitto-wheezy.list
sudo wget http://repo.mosquitto.org/debian/mosquitto-jessie.list
sudo wget http://repo.mosquitto.org/debian/mosquitto-stretch.list

Then update apt information:

sudo apt-get update

And discover what mosquitto packages are available:

sudo apt-cache search mosquitto
sudo apt-get install mosquitto

Finally install the Mosquitto Clients:

sudo apt-get install mosquitto-clients
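Both failures in this thread (a distro mosquitto-clients build that does not know --tls-engine, and curl reporting "SSL Engine 'zymkey_ssl' not found") are cases where the tool, not the key or the certificate, is the problem. The script below is an added example, not code from the thread, Zymbit, Mosquitto or curl: it checks, before any TLS flags are debugged, whether OpenSSL loads the engine, whether the installed mosquitto_pub is new enough to have --tls-engine/--keyform (assumed here to be 1.6.0 or later), whether curl's build lists the engine, and which libssl each binary actually links, since an engine built for one OpenSSL version cannot be loaded by a tool linked against another. Each check parses the text the real tool prints, so the functions can be exercised with constructed output; the engine id "zymkey_ssl" is taken from the thread and the sample outputs are constructed.

```shell
#!/bin/sh
# Engine preflight for the tools discussed in this thread (openssl, mosquitto_pub, curl).
# Added example, not code from the thread, Zymbit, Mosquitto or curl. Assumptions:
# the engine id is "zymkey_ssl" (as in the thread) and mosquitto_pub gained
# --tls-engine/--keyform in 1.6.0. Each check parses the text the tool prints, so
# it can be exercised offline with constructed output.

ENGINE_ID="${ENGINE_ID:-zymkey_ssl}"

# openssl: `openssl engine <id>` prints "(<id>) <description>" when the engine loads.
# $1 = engine id, stdin = that output. Returns 0 when the engine line is present.
openssl_engine_loaded() {
    grep -q "^(${1}) " && return 0
    return 1
}

# mosquitto_pub: the distro package may predate engine support. $1 = output of
# `mosquitto_pub --version`, e.g. "mosquitto_pub version 1.5.7 running on libmosquitto 1.5.7."
# Returns 0 when the client version is at least 1.6.0, 1 when older, 2 when unparseable.
mosquitto_has_engine_options() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^mosquitto_pub version \([0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# curl: `curl --engine list` prints "Build-time engines:" followed by one indented
# engine id per line, or "  <none>". $1 = engine id, stdin = that output.
curl_engine_listed() {
    grep -q "^[[:space:]]*${1}\$" && return 0
    return 1
}

# Engines are built for one OpenSSL ABI. `ldd <binary>` shows which libssl a tool
# links, so a tool on libssl.so.1.0.0 cannot load an engine built for 1.1.
# stdin = ldd output; prints the libssl soname (e.g. "libssl.so.1.1") or nothing.
linked_libssl() {
    sed -n 's/^[[:space:]]*\(libssl\.so[^ ]*\) =>.*/\1/p' | head -n 1
}

# Runs the checks against the installed tools and prints one line per result.
run_preflight() {
    if command -v openssl >/dev/null 2>&1; then
        if openssl engine "$ENGINE_ID" 2>/dev/null | openssl_engine_loaded "$ENGINE_ID"; then
            echo "openssl: engine $ENGINE_ID loads (links $(ldd "$(command -v openssl)" 2>/dev/null | linked_libssl))"
        else
            echo "openssl: engine $ENGINE_ID does NOT load"
        fi
    fi
    if command -v mosquitto_pub >/dev/null 2>&1; then
        rc=0
        mosquitto_has_engine_options "$(mosquitto_pub --version 2>&1 | head -n 1)" || rc=$?
        case $rc in
            0) echo "mosquitto_pub: version has --tls-engine/--keyform (links $(ldd "$(command -v mosquitto_pub)" 2>/dev/null | linked_libssl))" ;;
            1) echo "mosquitto_pub: older than 1.6, no --tls-engine; a newer build is needed" ;;
            *) echo "mosquitto_pub: could not determine version" ;;
        esac
    fi
    if command -v curl >/dev/null 2>&1; then
        if curl --engine list 2>/dev/null | curl_engine_listed "$ENGINE_ID"; then
            echo "curl: engine $ENGINE_ID listed (links $(ldd "$(command -v curl)" 2>/dev/null | linked_libssl))"
        else
            echo "curl: engine $ENGINE_ID not listed; --engine $ENGINE_ID will fail with 'SSL Engine not found'"
        fi
    fi
}

# Run with `sh preflight.sh run` on the Pi; without the argument only the functions are defined.
case "${1:-}" in
    run) run_preflight ;;
esac
```

Run it with `sh preflight.sh run` on the device. If openssl loads the engine but curl or mosquitto_pub does not list it, compare the libssl sonames printed for each binary: a tool linked against a different OpenSSL than the one the engine was installed for will never find it, whatever key flags are passed.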