RaviPalaniappan-3311 asked asergaz commented

MQTT connect fails with code 5 (authorization) [Paho MQTT, OpenSSL on Raspberry Pi 3]

Hi,
I have an issue that MQTT connect always fails with an error code 5 (not authorized) on Raspberry Pi3.

Followed the steps for X.509 CA Signed authentication type, created necessary certificates and verified with AzureIoT.

From PahoMQTT logs, SSL Connection is established and fails in MQTT Connect.

=========================================================
Trace Output
Product name: Eclipse Paho Asynchronous MQTT C Client Library
Version: 1.3.4
Build level: Sun 16 May 21:45:33 CEST 2021
OpenSSL version: OpenSSL 3.0.0-alpha17-dev
OpenSSL flags: compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OpenSSL build timestamp: built on: Sun May 16 18:57:37 2021 UTC
OpenSSL platform: platform: linux-armv4
OpenSSL directory: OPENSSLDIR: "/usr/local/ssl"
/proc/version: Linux version 4.9.35-v7+ (dc4@dc4-XPS13-9333) (gcc version 4.9.3 (crosstool-NG crosstool-ng-1.22.0-88-g8460611) ) #1014 SMP Fri Jun 30 14:47:43 BST 2017

=========================================================
[MQTT]: Connecting:ssl://XXXXXXXXXXXXXXXXXXXXXXX.azure-devices.net:8883
20210516 224137.294 Connecting to serverURI XXXXXXXXXXXXXXXXXXXXXXX.azure-devices.net:8883 with MQTT version 4
20210516 224137.556 SSL cipher available: 0:TLS_AES_256_GCM_SHA384
20210516 224137.556 SSL cipher available: 1:TLS_CHACHA20_POLY1305_SHA256
20210516 224137.556 SSL cipher available: 2:TLS_AES_128_GCM_SHA256
20210516 224137.556 SSL cipher available: 3:ECDHE-ECDSA-AES256-GCM-SHA384
20210516 224137.556 SSL cipher available: 4:ECDHE-RSA-AES256-GCM-SHA384
20210516 224137.616 SSL cipher available: 5:DHE-RSA-AES256-GCM-SHA384
20210516 224137.616 SSL cipher available: 6:ECDHE-ECDSA-CHACHA20-POLY1305
20210516 224137.616 SSL cipher available: 7:ECDHE-RSA-CHACHA20-POLY1305
20210516 224137.616 SSL cipher available: 8:DHE-RSA-CHACHA20-POLY1305
20210516 224137.616 SSL cipher available: 9:ECDHE-ECDSA-AES128-GCM-SHA256
20210516 224137.616 SSL cipher available: 10:ECDHE-RSA-AES128-GCM-SHA256
20210516 224137.616 SSL cipher available: 11:DHE-RSA-AES128-GCM-SHA256
20210516 224137.616 SSL cipher available: 12:ECDHE-ECDSA-AES256-SHA384
20210516 224137.616 SSL cipher available: 13:ECDHE-RSA-AES256-SHA384
20210516 224137.616 SSL cipher available: 14:DHE-RSA-AES256-SHA256
20210516 224137.616 SSL cipher available: 15:ECDHE-ECDSA-AES128-SHA256
20210516 224137.616 SSL cipher available: 16:ECDHE-RSA-AES128-SHA256
20210516 224137.616 SSL cipher available: 17:DHE-RSA-AES128-SHA256
20210516 224137.616 SSL cipher available: 18:ECDHE-ECDSA-AES256-SHA
20210516 224137.616 SSL cipher available: 19:ECDHE-RSA-AES256-SHA
20210516 224137.616 SSL cipher available: 20:DHE-RSA-AES256-SHA
20210516 224137.616 SSL cipher available: 21:ECDHE-ECDSA-AES128-SHA
20210516 224137.616 SSL cipher available: 22:ECDHE-RSA-AES128-SHA
20210516 224137.616 SSL cipher available: 23:DHE-RSA-AES128-SHA
20210516 224137.616 SSL cipher available: 24:RSA-PSK-AES256-GCM-SHA384
20210516 224137.619 SSL cipher available: 25:DHE-PSK-AES256-GCM-SHA384
20210516 224137.619 SSL cipher available: 26:RSA-PSK-CHACHA20-POLY1305
20210516 224137.619 SSL cipher available: 27:DHE-PSK-CHACHA20-POLY1305
20210516 224137.619 SSL cipher available: 28:ECDHE-PSK-CHACHA20-POLY1305
20210516 224137.619 SSL cipher available: 29:AES256-GCM-SHA384
20210516 224137.619 SSL cipher available: 30:PSK-AES256-GCM-SHA384
20210516 224137.619 SSL cipher available: 31:PSK-CHACHA20-POLY1305
20210516 224137.619 SSL cipher available: 32:RSA-PSK-AES128-GCM-SHA256
20210516 224137.619 SSL cipher available: 33:DHE-PSK-AES128-GCM-SHA256
20210516 224137.619 SSL cipher available: 34:AES128-GCM-SHA256
20210516 224137.619 SSL cipher available: 35:PSK-AES128-GCM-SHA256
20210516 224137.619 SSL cipher available: 36:AES256-SHA256
20210516 224137.619 SSL cipher available: 37:AES128-SHA256
20210516 224137.619 SSL cipher available: 38:ECDHE-PSK-AES256-CBC-SHA384
20210516 224137.619 SSL cipher available: 39:ECDHE-PSK-AES256-CBC-SHA
20210516 224137.619 SSL cipher available: 40:SRP-RSA-AES-256-CBC-SHA
20210516 224137.619 SSL cipher available: 41:SRP-AES-256-CBC-SHA
20210516 224137.619 SSL cipher available: 42:RSA-PSK-AES256-CBC-SHA384
20210516 224137.619 SSL cipher available: 43:DHE-PSK-AES256-CBC-SHA384
20210516 224137.619 SSL cipher available: 44:RSA-PSK-AES256-CBC-SHA
20210516 224137.620 SSL cipher available: 45:DHE-PSK-AES256-CBC-SHA
20210516 224137.620 SSL cipher available: 46:AES256-SHA
20210516 224137.620 SSL cipher available: 47:PSK-AES256-CBC-SHA384
20210516 224137.620 SSL cipher available: 48:PSK-AES256-CBC-SHA
20210516 224137.620 SSL cipher available: 49:ECDHE-PSK-AES128-CBC-SHA256
20210516 224137.620 SSL cipher available: 50:ECDHE-PSK-AES128-CBC-SHA
20210516 224137.620 SSL cipher available: 51:SRP-RSA-AES-128-CBC-SHA
20210516 224137.620 SSL cipher available: 52:SRP-AES-128-CBC-SHA
20210516 224137.620 SSL cipher available: 53:RSA-PSK-AES128-CBC-SHA256
20210516 224137.620 SSL cipher available: 54:DHE-PSK-AES128-CBC-SHA256
20210516 224137.620 SSL cipher available: 55:RSA-PSK-AES128-CBC-SHA
20210516 224137.620 SSL cipher available: 56:DHE-PSK-AES128-CBC-SHA
20210516 224137.620 SSL cipher available: 57:AES128-SHA
20210516 224137.620 SSL cipher available: 58:PSK-AES128-CBC-SHA256
20210516 224137.620 SSL cipher available: 59:PSK-AES128-CBC-SHA
20210516 224137.622 SSL handshake started write:unknown:unknown
20210516 224137.622 SSL state connect:before SSL initialization:(NONE)
20210516 224137.622 SSL state connect:SSLv3/TLS write client hello:(NONE)
20210516 224137.622 SSL connect:SSLv3/TLS write client hello
20210516 224137.734 SSL connect:SSLv3/TLS write client hello
20210516 224137.740 SSL connect:SSLv3/TLS write client hello
20210516 224137.741 SSL state connect:SSLv3/TLS write client hello:(NONE)
20210516 224137.741 SSL state connect:SSLv3/TLS read server hello:(NONE)
20210516 224137.741 SSL state connect:SSLv3/TLS read server certificate:(NONE)
20210516 224137.741 SSL state connect:SSLv3/TLS read server key exchange:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS read server certificate request:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS read server done:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS write client certificate:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS write client key exchange:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS write certificate verify:(NONE)
20210516 224137.748 SSL state connect:SSLv3/TLS write change cipher spec:ECDHE-RSA-AES128-SHA256
20210516 224137.748 SSL state connect:SSLv3/TLS write finished:ECDHE-RSA-AES128-SHA256
20210516 224137.748 SSL connect:SSLv3/TLS write finished
20210516 224138.083 SSL state connect:SSLv3/TLS write finished:ECDHE-RSA-AES128-SHA256
20210516 224138.083 SSL state connect:SSLv3/TLS read change cipher spec:ECDHE-RSA-AES128-SHA256
20210516 224138.083 SSL state connect:SSLv3/TLS read finished:ECDHE-RSA-AES128-SHA256
20210516 224138.083 SSL handshake done write:unknown:unknown
20210516 224138.083 SSL certificate verification: X509_V_OK
20210516 224138.083 SSL connect:SSL negotiation finished successfully
20210516 224138.083 peername from X509_check_host is .azure-devices.net
20210516 224138.085 3 "azure-dev-test2" -> CONNECT version 4 clean: 1 (0)
20210516 224138.206 3 "azure-dev-test2" <- CONNACK rc: 5
20210516 224138.206 SSL alert write:warning:close notify
[MQTT]: CB_ConnectFailure: 5,CONNACK return code

Could you please provide some points where to look further?

Thanks


RaviPalaniappan-3311 answered asergaz commented

@asergaz Thanks for your support!
Found out that there was some additional ("") character in device ID that causes the error.
After correcting the device id, it works as expected.


Thanks for sharing @RaviPalaniappan-3311 :) !

Please can you mark this as the answer?
Please reach out if you have further questions on a different thread.

Happy coding.

0 Votes 0 ·
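The accepted fix above was a stray character in the device ID, which the broker reports only as CONNACK rc 5 after a clean TLS handshake. The following pre-flight check is an added example, not code from the thread or from Paho: it rejects a device ID containing bytes outside an assumed allowed set before the ID is placed in the MQTT username that IoT Hub documents for direct MQTT connections (`<hub>/<device_id>/?api-version=<version>`). The function names, the hub name `example-hub`, and the exact allowed-character list are assumptions to check against the current IoT Hub documentation.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: device IDs are 1..128 bytes of 7-bit ASCII alphanumerics
   plus these specials. Quotes, spaces and newlines are not in the set. */
static const char *ALLOWED_SPECIALS = "-.%_*?!(),:=@$'";
static const char *HUB = "example-hub.azure-devices.net"; /* placeholder */
static const char *API = "2021-04-12";                    /* example value */

/* Returns -1 if id is acceptable, otherwise the offset of the first
   offending byte (0 for an empty id, 128 for an over-long one). */
int first_bad_device_id_byte(const char *id)
{
    size_t n = strlen(id);
    if (n == 0) return 0;
    for (size_t i = 0; i < n && i < 128; i++) {
        unsigned char c = (unsigned char)id[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        if (!alnum && !strchr(ALLOWED_SPECIALS, c)) return (int)i;
    }
    return n > 128 ? 128 : -1;
}

/* Writes "<hub>/<device_id>/?api-version=<ver>" into out. Returns 0 on
   success, -1 if the id is rejected or the buffer is too small. */
int build_mqtt_username(char *out, size_t cap, const char *hub,
                        const char *device_id, const char *ver)
{
    if (first_bad_device_id_byte(device_id) != -1) return -1;
    int n = snprintf(out, cap, "%s/%s/?api-version=%s", hub, device_id, ver);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed samples: the client ID from the trace, clean and dirty. */
    const char *samples[] = { "azure-dev-test2", "azure-dev-test2\"",
                              "azure-dev-test2\n" };
    char user[256];
    for (size_t i = 0; i < 3; i++) {
        int bad = first_bad_device_id_byte(samples[i]);
        if (bad >= 0)
            printf("rejected: byte 0x%02x at offset %d\n",
                   (unsigned char)samples[i][bad], bad);
        else if (build_mqtt_username(user, sizeof user, HUB, samples[i], API) == 0)
            printf("ok: username=%s\n", user);
    }
    return 0;
}
```

Running the same check on the value read from a config file or command line catches trailing newlines and copied quotation marks, neither of which shows up in the TLS portion of the Paho trace.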
asergaz answered asergaz commented

Hello @RaviPalaniappan-3311 ,
From the error you shared it looks like the certificates are not properly set or invalid.

Can I please suggest to create self-signed certificates as documented here:

For your case, since you are on a Raspberry Pi3, you will create the certificates using Bash

Though if you want to continue using the certificates you created before please test your Certificate Authentication to determine if your device certificate can authenticate to your IoT Hub (this can be done outside your Raspberry Pi3).

Finally, since I believe you are trying to Communicate with your IoT hub using the MQTT protocol directly (without using Azure IoT SDKs) I would strongly suggest you read the documentation below, specifically the "TLS/SSL configuration"

I hope I could help unblock you. Let me know if you are still having issues in comments below.

Thanks!

Remember:
- Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
- Want a reminder to come back and check responses? Here is how to subscribe to a notification.




Hi asergaz,

Thanks for your answer. I have verified, validated and confirmed that certificate is properly set.

Is there any option to diagnose why mqtt connect command is rejected with error code 5?

0 Votes 0 ·
asergaz replied to RaviPalaniappan-3311:

@RaviPalaniappan-3311 to further help you I would need to take a look at the code you use to connect your device. Can you share a snippet to help me run it on my side?

Thanks!

1 Vote 1 ·