MQT: TLS connection error: 56 - BR_ERR_X509_BAD_SERVER_NAME X.509 status: expected server name was not found in the chain

[wewa00]

Hello everyone,

I updated now to tasmota 14.4.1 (where I had 9.2.0 before; CFG_HOLDER was increased). For MQTT I use TLS with fingerprint. Therefore I use custom builds of tasmota where TLS is enabled according https://tasmota.github.io/docs/TLS/#compiling-tls-for-esp8266.

This was working fine with tasmota 9.2.0 and the device connected to the MQTT server. But now with 14.4.1, I can not connect anymore. The connection to the MQTT server fails with MQT: TLS connection error: 56 (or BR_ERR_X509_BAD_SERVER_NAME X.509 status: expected server name was not found in the chain).

How can this be resolved?

Best regards
wewa

[s-hadinger]

TLS mandates that the CN matches the domain name. Re-issue a certificate with the correct domain name

[wewa00]

So, generating a new certificate where the servers IP is added as CN should help.

I'll give it a try.

[wewa00]

Sorry, I missed the "without" :D.

Thank you, this is a really good hint from you. Creating a certificate without SAN works. As a workaround, I now created one certificate with SAN and one without SAN. Then I made mosquitto on the server listening on two ports were on one port the certificate without SAN is used and on the otherport the SAN version is used.

But still I don't get why the SAN is making issues. Maybe we can find this out. Here you can find on how the different certificates are generated.

Here are the two ways on how the certificates are generated.

# create the CA key and certificate
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

# create the key for the server's certificate
openssl genrsa -out server.key 2048

# Certificate without SAN
# create the server's certificate - use "192.168.1.1" when asked for the CN
openssl req -new -out server_wo_SAN.csr -key server.key
# sign the server's certificate
openssl x509 -req -in server_wo_SAN.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server_wo_SAN.crt -days 36500

# Certificate with SAN
# create the server's certificate - Make sure to uncomment "req_extensions = v3_req" in "/etc/ssl/openssl.cnf"
openssl req -new -out server.csr -key server.key -sha256 -subj /CN=192.168.1.1 -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=IP:192.168.1.1'))
# sign the server's certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500 -extfile <(printf "subjectAltName=IP:192.168.1.1") 

And here are the certificates. First the one without SAN server_wo_SAN.crt (which works with Tasmota 14.4.1 and BerrySSL).

-----BEGIN CERTIFICATE-----
MIIDKTCCAhECFBG9bONSsJJEKzyoS4F4qfVxxmvrMA0GCSqGSIb3DQEBCwUAMEUx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMjUwMjAxMTI0NDEzWhgPMjEyNTAxMDgx
MjQ0MTNaMFsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMMCzE5Mi4xNjgu
MS4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tVe0imP/ZtDmcGg
qecyGEOghtFEEWJ0q9BaLWmc/d9XjSxuH/p8dvwv8bXopEt9esmo7GTQ0KmO4syv
ykB0LeWlXgIxec6ml0Yr99+w6sjUyJfRpqYxLg1z2Xr02N58IYITXgEs1vzIMtYn
R/aHEpHewIAx2hJ3A09svtNSKRLlLuhDN6yHCLDyaYLAQl6myC8cWrKxzlm+OgK9
Vx7P22EUpf0cy8C53d/0XjxuqJGiULSZ9n46cTgS+8y1fZoOPSgsqvkp1N5G1B1+
y5hMYOkHaiYqDHOyFC8CvPdZ19GHFKLGew28tjxMuzBKI1UJczluBL9xXJLSJ6U2
dECgpQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBlSlM8QsmO6ZdEn8+APT+p2lnL
tynJkZh2XVQXZ6h9ddBbuzW666fvTGDSYfJOGOj8FaYufRb2QYIAyWoQq+J0agud
sBroHPvW9E604ScdXJJ6tSGzPPbGTp1qYiygU/Wq2SoEDiIgin6xeetprTinnxd7
g88SqbjX5PNThsGYiEvzHZkwwORU11pfSl7QdSRBV7MFqxqhYym2/3W/M6uczizA
mwDvqM1EjASdFQFlbccWoyN40fJVt/eq9oUo0ZWfUQUAVjo5ASrotvmM/EM04d36
Sn1WEXwzK6lG++e/VCLDIsjeYf0NpxIvmJNAg2vdApOsX9oJ563uPcz0QenG
-----END CERTIFICATE-----

And here the one with SAN server.crt (which is not working with Tasmota 14.4.1).

-----BEGIN CERTIFICATE-----
MIIDPjCCAiagAwIBAgIUEb1s41KwkkQrPKhLgXip9XHGa+wwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNTAyMDExMjQ0MzhaGA8yMTI1
MDEwODEyNDQzOFowFjEUMBIGA1UEAwwLMTkyLjE2OC4xLjEwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDW1V7SKY/9m0OZwaCp5zIYQ6CG0UQRYnSr0Fot
aZz931eNLG4f+nx2/C/xteikS316yajsZNDQqY7izK/KQHQt5aVeAjF5zqaXRiv3
37DqyNTIl9GmpjEuDXPZevTY3nwhghNeASzW/Mgy1idH9ocSkd7AgDHaEncDT2y+
01IpEuUu6EM3rIcIsPJpgsBCXqbILxxasrHOWb46Ar1XHs/bYRSl/RzLwLnd3/Re
PG6okaJQtJn2fjpxOBL7zLV9mg49KCyq+SnU3kbUHX7LmExg6QdqJioMc7IULwK8
91nX0YcUosZ7Dby2PEy7MEojVQlzOW4Ev3FcktInpTZ0QKClAgMBAAGjUzBRMA8G
A1UdEQQIMAaHBMCoAQEwHQYDVR0OBBYEFEtA66uRPHK8FpKaZuzXW+0PgR78MB8G
A1UdIwQYMBaAFMQHW5DDELDPF6pVG1Q74RI0LOY8MA0GCSqGSIb3DQEBCwUAA4IB
AQCTEKoG5VdVdHs2mgC2vMvRvsxIwLaYOYvKRpXEnMjacJb/N2nP4xN7zzUIRD+s
byZ4pMtmWHntT1BYTbmrgLLBxOjS/HVgAbO39FgozEyvyd9x2Wo0kHcgg7ONmdGw
H5ctnPchtl5Cy2N3DFKESNF92tI/wvsKzZ4EZiq+nxoPfypgQ0A0f/qa+/RBZmdL
n1iG1vkGRBo5GuRP7nc7p57m33LflIcMl9Na4ij9YNZ9wcWTzMwDvUZUEuSmyCie
ZShnpiRTytP3g8ibUlP0xxxadzj59GnYxawA2KODu31L033Ex6F9M/kq4HGdKe8L
A8zJLH3dpr8BfM/GvHxt40sv
-----END CERTIFICATE-----

[s-hadinger]

I remember reading that SAN if present takes precedence over the CN. In your example below, you did not repeat the CN value in the SAN section. Maybe adding the IP or domain name in SAN would solve it.

[wewa00]

But I have presented the IP in the SAN section. This is this part when creating the csr: [SAN]\nsubjectAltName=IP:192.168.1.1.
Or do you have something else in mind?

[wewa00]

@s-hadinger I now managed to create a certificate with SAN, which also works for Tasmota 14.4.1.

These are the steps:

# create the CA key and certificate
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

# create the key for the server's certificate
openssl genrsa -out server.key 2048

# Certificate with SAN
# create the server's certificate - Make sure to uncomment "req_extensions = v3_req" in "/etc/ssl/openssl.cnf"
openssl req -new -out server.csr -key server.key -sha256 -subj /CN=192.168.1.1 -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=IP:192.168.1.1,DNS=192.168.1.1'))
# sign the server's certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500 -extfile <(printf "subjectAltName=IP:192.168.1.1,DNS=192.168.1.1") 

The crucial part is, that also the IP is provided as DNS for the SAN (DNS=192.168.1.1).

Thank you for your support.

[wewa00]

Somehow this is not working. I ensured that the server.crt is created with the correct CN. The commands used were:

// create CA key
openssl genrsa -des3 -out ca.key 2048

// create CA certificate
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

// create key for MQTT server
openssl genrsa -out server.key 2048

// create certificate for MQTT server 192.168.1.1
openssl req -new -sha256 \
-key server.key \
-subj /CN=192.168.1.1 \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:raspberrypi.local,IP:192.168.1.1')) \
-out server.csr

// sign the MQTT server's certifcate using the CA certificate
openssl x509 -req -days 36500 -sha256 -extfile <(printf "subjectAltName=DNS:raspberrypi.local,IP:192.168.0.3") -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

// enable mosqitto to use the certificate
sudo cp {server.crt,ca.crt,server.key} /etc/mosquitto/ca_certificates/
sudo chown mosquitto -R /etc/mosquitto/ca_certificates/
sudo service mosquitto restart

I also verified, that the server's certificate is containing the correct CN.

user@server:~ $ openssl x509 -noout -subject -in /etc/mosquitto/ca_certificates/server.crt
subject=CN = 192.168.1.1

But still, tasmota is showing the error.

MQT: TLS connection error: 56
MQT: Connect failed to 192.168.1.1:8800, rc -2. Retry in 10 sec

What can be the issue here?

[Noschvie]

MQT: Connect failed to 192.168.1.1:8800, rc -2. Retry in 10 sec

Why are you using port 8800 ?

[wewa00]

Just some custom mosquito configuration. And as you can see according the log, the port is not the issue. But please see the other thread (#22893 (comment)) there we are already deep in the analysis.

[Noschvie]

Yes, I read it ... works with Tasmota 14.4.1

[Noschvie]

@wewa00 which defines are you using with Tasmota? Thanks

[wewa00]

These are the options I use currently in user_config_override.h for configuring MQTT_TLS:

#ifndef USE_MQTT_TLS 
#define USE_MQTT_TLS                             // Use TLS for MQTT connection (+34.5k code, +7.0k mem and +4.8k additional during connection handshake)
#define MQTT_TLS_ENABLED       true              // [SetOption103] Enable TLS mode (requires TLS version)
#define USE_MQTT_TLS_CA_CERT                     // Force full CA validation instead of fingerprints, slower, but simpler to use.  (+2.2k code, +1.9k mem during connection handshake)
#define USE_MQTT_AWS_IOT                         // This includes the LetsEncrypt CA in tasmota_ca.ino for verifying server certificates
//  #define USE_MQTT_TLS_FORCE_EC_CIPHER           // Force Elliptic Curve cipher (higher security) required by some servers (automatically enabled with USE_MQTT_AWS_IOT) (+11.4k code, +0.4k mem)
#define INCLUDE_LOCAL_CERT
#define OMIT_LETS_ENCRYPT_CERT
#define OMIT_AWS_CERT
#endif

#if defined(USE_MQTT_TLS) || defined(USE_TELEGRAM) || defined(USE_WEBCLIENT_HTTPS)
  #define USE_TLS                                // flag indicates we need to include TLS code
#endif

I changed to full CA validation, because I got TLS Error 62 - X509 not trusted, the server certificate is not signed by the CA (AWS IoT or LetsEncrypt) after I used a certificate without SAN (to get rid of TLS Error 56 - BR_ERR_X509_BAD_SERVER_NAME X.509 status: expected server name was not found in the chain).

[Noschvie]

Looks like I managed that too, right?

08:16:28.713 MQT: Attempting connection...
08:16:29.792 MQT: TLS connected in 1024 ms, stack low mark 1280
08:16:29.793 MQT: Connected

[s-hadinger]

Yes

[wewa00]

@Noschvie are you also using the full CA validation or have you managed to get the fingerprint version working? I'm asking because the fingerprint version results in error 62 - X509 not trusted, the server certificate is not signed by the CA (AWS IoT or LetsEncrypt).

[wewa00]

My fault, SetOption132 1 is needed to enable the fingerprint validation.

[Noschvie]

I‘m using the full CA validation.