MQTT Broker Certificate

AsafTvito

i'm using flespi as mqtt broker/
what is the certificate that i need to use for set secured connection?
advice

shal

AsafTvito flespi MQTT broker use the same SSL certificate as https://flespi.io. This is client-name based certificate supplied by the broker automatically during SSL handshake.

If you really need to use it in your client you may just download the certificate via web browser from https://flespi.io (on the address bar should be some kind of lock icon where you can click to view/export certificate).

See posts below if you need more details

AsafTvito

Hi,
where can i find flespi certificate?

dexif

AsafTvito

Hi,
i try to connect with secured connection port 8883 with this certificate downloaded from the browser without success.
i succeeded to connect with not secured connection to port 1883.
can help me to understand why?

AsafTvito

What is the root CA?

kial

AsafTvito, see the Certificate Hierarchy in the browser's export dialog - there is a tree like this:

GlobalSign Root CA
    AlphaSSL CA
        *.flespi.io

Just select each tree element and export it to separate file. Then open them using your text editor and join into one new text file in the order from top to bottom.
This way you will get a full-chain certificate file.

AsafTvito

i have done it and i get error : Handshake Failed regard to certificate.
advice

kial

AsafTvito, you may test your full-chain certificate using curl like this:

curl --cacert full-chain.p7c -v https://flespi.io

where full-chain.p7c is your filename with 3 certificates.

If curl will output you a lot of HTML code - then your certificate file is ok.

AsafTvito

What is the root CA of flespi?
Can be found on certmgr under Trusted Root Certificate
Advice
Thanks

shal

AsafTvito You can check this yourself using browser after navigating to https://flespi.io - the certificate in broker is the same.

AsafTvito

i use it on my IOT and i get handshake error the error point on the root CA

AsafTvito

i do not need the broker certificate i need the root certificate CA.
advice
thanks

kial

@AsafTvito, please read again the post #9 above

AsafTvito

thank you all for the help.
the root CA of flespi is globalSign.cer

HonzaPoboril

It is not production-ready we need to update ca_cert manually every year and be notified only when the devices stopped working. (Because we cannot embed all possible certificates in the firmware.)

For others how to fetch it:

openssl s_client -showcerts -connect flespi.io:443

Then get the last certificate in the chain.