Bug: MQTT SSL certificate error #82

Closed · 2 of 4 tasks
DeerMaximum opened this issue Jun 11, 2022 · 15 comments
Labels: bug (Something isn't working)

Comments

@DeerMaximum (Author) opened the issue:

Describe the bug
When I want to connect the agent via MQTT and SSL to an MQTT broker, the connection fails with a certificate error. If I enter the same login data and settings in another MQTT client, the connection works without problems.
I use self-created certificates. This error occurs with and without the setting "allow untrusted certificates".

To Reproduce
Steps to reproduce the behavior:

  1. Enter MQTT data and enable SSL.
  2. Restart agent
  3. See error

Expected behavior
Successful connection to the MQTT broker

Screenshots
MQTT settings: (screenshot)

Other MQTT broker: (screenshot)

Misc info (please complete the following information):

  • Windows build (ideally screenshot/info of winver.exe output): (winver screenshot)
  • Windows' UI language: English
  • HASS.Agent version: 2022.11.4

Please check what's applicable (multiple answers possible):

  • Installed via installer
  • Installed manually
  • Problem occurs in HASS.Agent
  • Problem occurs in Satellite Service

Logs

2022-06-11 16:12:22.951 +02:00 [INF] [MAIN] Extended logging enabled
2022-06-11 16:12:22.956 +02:00 [INF] [SETTINGS] Config storage path: C:\Users\*******\AppData\Roaming\LAB02 Research\HASS.Agent\config
2022-06-11 16:12:23.055 +02:00 [INF] [SETTINGS] Configuration loaded
2022-06-11 16:12:23.058 +02:00 [INF] [LOCALIZATION] Selected UI culture: [en] English
2022-06-11 16:12:23.269 +02:00 [INF] [SETTINGS_QUICKACTIONS] Loaded 3 entities
2022-06-11 16:12:23.271 +02:00 [INF] [SETTINGS_COMMANDS] Config not found, no entities loaded
2022-06-11 16:12:23.278 +02:00 [INF] [SETTINGS_SENSORS] Loaded 0 entities
2022-06-11 16:12:23.282 +02:00 [INF] [MQTT] Identifying as device: *******-PC
2022-06-11 16:12:23.282 +02:00 [INF] [SERVICE] Local install path: C:\Program Files (x86)\LAB02 Research\HASS.Agent Satellite Service
2022-06-11 16:12:23.282 +02:00 [INF] [NOTIFIER] Initializing local API ..
2022-06-11 16:12:23.285 +02:00 [INF] [HOTKEY] Completed bind for global quickaction hotkey
2022-06-11 16:12:23.294 +02:00 [INF] [MQTT] Connecting ..
2022-06-11 16:12:23.377 +02:00 [FTL] [PROGRAM] FirstChanceException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
@LAB02-Admin LAB02-Admin self-assigned this Jun 11, 2022
@LAB02-Admin LAB02-Admin added the bug Something isn't working label Jun 11, 2022
@LAB02-Admin (Member) commented Jun 11, 2022

Hey @DeerMaximum,

I don't actually use certs myself, so it's hard for me to determine exactly what's going wrong. I'll set up a test environment with MQTT certs and see if I can reproduce/fix it :)

[hassagent-103]

@LAB02-Admin (Member) commented:

Can you please show me the exact TLS configuration of the working broker, i.e. what certificates you have configured where? Perhaps a screenshot of the entire config.

Thanks!

@DeerMaximum (Author) commented:

Here is the config:

{
  "ConnectionManager_connections": {
    "6437028b-465e-45de-a3ea-4e4911bf4fa6": {
      "certValidation": true,
      "clientId": "mqtt-explorer-1d816df6",
      "encryption": true,
      "host": "homeassistant.local",
      "id": "6437028b-465e-45de-a3ea-4e4911bf4fa6",
      "name": "Home Assistant",
      "password": "***",
      "port": "8883",
      "protocol": "mqtt",
      "selfSignedCertificate": {
        "data": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzekNDQXB1Z0F3SUJBZ0lKQUpHNFpJUHNDekt0TUEwR0NTcUdTSWIzRFFFQkN3VUFNSDh4Q3pBSkJnTlYKQkFZVEFrUkZNUXN3Q1FZRFZRUUlFd0pDVnpFTE1Ba0dBMVVFQnhNQ1FsY3hFakFRQmdOVkJBb1RDVWhsZUdWdQphR0YxY3pFU01CQUdBMVVFQ3hNSlNHVjRaVzVvWVhWek1SRXdEd1lEVlFRREV3aElaWGhsYmlCRFFURWJNQmtHCkNTcUdTSWIz[...truncated...]",
        "name": "CA.crt"
      },
      "subscriptions": [
        "#",
        "$SYS/#"
      ],
      "type": "mqtt",
      "username": "***"
    }
  }
}

The functioning broker is this one: Link

@LAB02-Admin (Member) commented:

Well I can't for the life of me get it working with my staging setup, but that one's pretty messed up config-wise anyway.

I've made some changes in the MQTT connector that should allow for self-signed certs when "allow untrusted certificates" is checked.

Could you please follow these steps:

@DeerMaximum (Author) commented:

With the test version it works if "allow untrusted certificates" is enabled. When it is disabled, the same error still occurs.

@LAB02-Admin (Member) commented:

Ok, glad it's working. I presume the cert is self-signed, seeing as how you're using homeassistant.local as the host, so it won't be a trusted certificate. You could locally import the CA cert as a root authority to have it trusted I guess.

Closing this, but feel free to reopen if you think it should be implemented differently.

@DeerMaximum (Author) commented:

I have imported the CA certificate into Windows and also imported it in the agent and in the other broker as root certificate. The certificate is validated and recognized in the other broker, but not in the agent.

@Flightkick commented:

@LAB02-Admin
@DeerMaximum

Can confirm as well: "allow untrusted certificates" works in the test version but not in the latest release.
I also have the CA and intermediate certs installed in the Windows certificate store.
With the latest stable version I see the following error in the MQTT broker:

New connection from REDACTED on port REDACTED.
OpenSSL Error[0]: error:1404C412:SSL routines:ST_OK:sslv3 alert bad certificate
Client <unknown> closed its connection.

The message from OpenSSL seems to be a client error. I'm able to verify the certificate chain manually on WSL using openssl s_client -showcerts -servername REDACTED -connect REDACTED, with the certs installed in its own certificate store.
Other clients are also able to connect without issues.

Maybe something down the MQTTnet stack uses OpenSSL which doesn't use the Windows certificate store?

@LAB02-Admin (Member) commented:

@Flightkick commented:

@LAB02-Admin, no I replaced the binaries with the test version as per your previous instructions.
Are you suggesting I should use the latest beta instead?

@LAB02-Admin (Member) commented:

As a test, yes please

@Flightkick commented:

@LAB02-Admin

Test results with the latest beta, 2022.13.0-beta2:
I am only able to connect to my self-signed instance when "allow untrusted certificates" is ticked in the MQTT options. With that option disabled I get the following stack trace:

MQTTnet.Exceptions.MqttCommunicationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at MQTTnet.Implementations.MqttTcpChannel.ConnectAsync(CancellationToken cancellationToken)
   at MQTTnet.Implementations.MqttTcpChannel.ConnectAsync(CancellationToken cancellationToken)
   at MQTTnet.Internal.MqttTaskTimeout.WaitAsync(Func`2 action, TimeSpan timeout, CancellationToken cancellationToken)
   at MQTTnet.Adapter.MqttChannelAdapter.ConnectAsync(TimeSpan timeout, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at MQTTnet.Adapter.MqttChannelAdapter.WrapAndThrowException(Exception exception)
   at MQTTnet.Adapter.MqttChannelAdapter.ConnectAsync(TimeSpan timeout, CancellationToken cancellationToken)
   at MQTTnet.Client.MqttClient.ConnectAsync(IMqttClientOptions options, CancellationToken cancellationToken)
   at MQTTnet.Client.MqttClient.ConnectAsync(IMqttClientOptions options, CancellationToken cancellationToken)
   at MQTTnet.Extensions.ManagedClient.ManagedMqttClient.ReconnectIfRequiredAsync(CancellationToken cancellationToken)

The MQTT module doesn't seem to use the Windows certificate store in which the self-signed root CA and intermediate certificates are installed.
In my tests it did not matter whether a CA file was provided in the MQTT options or not.

The Home Assistant API module however does seem to honor the Windows certificate store, as unchecking the allow untrusted certificates option works without any issues.
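The two symptoms reported above (the `RemoteCertificateValidationCallback` rejection in the agent's stack trace, and the `sslv3 alert bad certificate` line on the broker) are the two ends of the same event: the client's validation callback returns false, `SslStream` aborts the handshake and sends a TLS alert, and the broker logs the alert it received. The following is an added example, not HASS.Agent or MQTTnet code, of what a validation callback for a TLS MQTT client on .NET 5 or later can look like when it has to cope with a private CA. `BrokerCertPolicy`, `AllowUntrusted`, `CaFile` and `LastReason` are names chosen for this example; `AllowUntrusted` and `CaFile` stand in for the agent's "allow untrusted certificates" toggle and CA file field, but their behaviour here is assumed, not taken from the agent. `ConnectAsync` needs a live broker to do anything; the `Validate` method itself can be called with any certificate.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not HASS.Agent or MQTTnet code): an explicit server-certificate
// policy for a TLS MQTT client on .NET 5+. AllowUntrusted and CaFile are assumed
// names standing in for the agent's "allow untrusted certificates" toggle and its
// CA file field; what they do here is this example's choice, not the agent's.
public sealed class BrokerCertPolicy
{
    public bool AllowUntrusted { get; init; }
    public string? CaFile { get; init; }          // DER or PEM certificate of the private CA
    public string LastReason { get; private set; } = "";

    // Same signature as RemoteCertificateValidationCallback, so the method can be
    // handed to SslStream directly or to any library that exposes that hook.
    public bool Validate(object sender, X509Certificate? certificate, X509Chain? osChain, SslPolicyErrors errors)
    {
        if (AllowUntrusted)
        {
            // Insecure mode: every certificate, including one from an on-path attacker,
            // is accepted, and hostname mismatches are ignored too. Lab use only.
            LastReason = "accepted: untrusted certificates allowed";
            return true;
        }
        if (certificate is null || errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
        {
            LastReason = "rejected: broker presented no certificate";
            return false;
        }
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
        {
            // The SAN/CN must cover the host the client dialled (e.g. homeassistant.local);
            // trusting the CA does not excuse a name mismatch.
            LastReason = "rejected: certificate name does not match the broker host";
            return false;
        }
        if (errors == SslPolicyErrors.None)
        {
            // The OS store already trusts the issuer, e.g. the CA was imported into
            // Windows' Trusted Root Certification Authorities.
            LastReason = "accepted: trusted by the operating system store";
            return true;
        }
        // Only RemoteCertificateChainErrors is left: the OS store does not trust the
        // issuer. Retry against the explicitly configured CA instead of giving up.
        if (string.IsNullOrEmpty(CaFile))
        {
            LastReason = "rejected: issuer not trusted and no CA file configured";
            return false;
        }
        return ChainsToConfiguredCa(new X509Certificate2(certificate));
    }

    private bool ChainsToConfiguredCa(X509Certificate2 leaf)
    {
        using var ca = new X509Certificate2(CaFile!);
        using var chain = new X509Chain();
        // CustomRootTrust (.NET 5+) builds the chain against CustomTrustStore only, so a
        // private CA works without touching the machine's root store. If the broker does
        // not send its intermediates, add them to CustomTrustStore as well.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA: no CRL/OCSP
        if (chain.Build(leaf))
        {
            LastReason = $"accepted: chains to {ca.Subject}";
            return true;
        }
        LastReason = "rejected: " + string.Join("; ",
            chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
        return false;
    }

    // Wiring the policy into a raw SslStream. MQTTnet exposes the same kind of
    // callback through its TLS options (assumed; the option name depends on the
    // MQTTnet version), so the policy above is library-independent.
    public static async Task<SslStream> ConnectAsync(string host, int port, BrokerCertPolicy policy)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false, policy.Validate);
        try
        {
            // When Validate returns false, SslStream aborts the handshake and sends a TLS
            // alert to the peer; that alert is what the broker-side log lines quoted in
            // this thread ("sslv3 alert bad certificate") record.
            await ssl.AuthenticateAsClientAsync(host);
            return ssl;
        }
        catch (AuthenticationException ex)
        {
            throw new AuthenticationException($"{ex.Message} ({policy.LastReason})", ex);
        }
    }
}
```

`LastReason` is the part worth keeping whatever library is in use: the stock exception text "The remote certificate was rejected by the provided RemoteCertificateValidationCallback" does not say whether the chain, the hostname or the callback's own policy failed, which is exactly the ambiguity this thread ran into. With the CA imported into the OS root store and no toggle set, a callback like this takes the `SslPolicyErrors.None` branch and accepts; with the CA supplied as a file it takes the `CustomRootTrust` branch; only the `AllowUntrusted` branch accepts an attacker's certificate.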

@ghost commented Mar 9, 2023

Hi, is this issue resolved? I have the same problem.

@JiDoan commented Mar 22, 2023

I have the same issue as well. I am using mqtts with clients using only username and password auth, but Home Assistant is using a self-signed cert to secure the auth. The root cert is trusted in Windows and works everywhere else, but not in HASS.Agent. I also see OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate in the Home Assistant MQTT logs, but I do not have HASS.Agent configured to use a client cert. Maybe it is trying to send an empty cert, which causes the issue?

@romanad commented Apr 9, 2023

Can't make a self-signed cert work on the latest stable agent version. MQTT Explorer and MQTTX work fine with the Mosquitto broker. Please fix if possible.
