We are using a custom Certificate Authority (signing certificates) to make sure http (s) and mqtt (s) is secure.
I’ve been trying to add the custom root ca file to the FX-30 system, but can’t get it to work.
It seems like the root CA file (custom_CA.crt) should be added to /usr/share/ca-certificates/, but that path is read-only and I don’t know how to make it writable, or if there is a way to include the custom_CA.crt in the build process. If someone knows if this is possible, please share.
The connection and SSL verification works properly if I specify the custom CA like this:
SSL handshake has read 2410 bytes and written 335 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
But it doesn’t work if I don’t specify the -CAfile option.
Due to the problems with accepting the server certificate I get an error if I try to connect to the MQTT broker using the secure connection with the “ssl://hostname:8883” format. Connecting to the MQTT broker using plain (1883) works fine.
If anyone has stumbled across something similar, please share your experience. The same will apply if you are trying to access an https server with a custom CA.
I can actually run my application with sandboxed: true. The solution was to change the Legato mqttClient sandboxed property to false.
The code (mqttClient, part of the legato framework) is written and documented to support SSL and also using domain names.
As a new developer getting used to the legato framework it would be much better if the sandboxed attribute is set to false. Then it will also match the code and documentation.
I’m new to the Legato framework and not sure if there is anyone picking up issues like this and will feed it back to the Legato framework. Does anyone know?
I looked around in the forum and there are a couple of similar issues related to the MQTT setup. Addressing the above might help them as well.
Here is what the documentation looks like in the mqttClientService:
//--------------------------------------------------------------------------------------------------
/**
 * Creates an MQTT session object.
 *
 * @return
 *      LE_OK on success or LE_FAULT on failure
 */
//--------------------------------------------------------------------------------------------------
le_result_t mqtt_CreateSession
(
    const char* brokerURIPtr,   ///< [IN] The URI of the MQTT broker to connect to. Should be in
                                ///       the form protocol://host:port. eg. tcp://1.2.3.4:1883 or
                                ///       ssl://example.com:8883
It seems like the mqttClient/mqttClientService can access the /etc/ssl/certs/ca-certificates.crt file without my app running in a sandbox environment. Maybe it’s because the mqttClient/mqttClientService is running with sandboxed: false and hence can access the /etc/ssl/* files.
It would be great if there is a way to update the /etc/ssl/certs/ca-certificates.crt file as part of my application deployment. I can use the “mount trick” that @jyijyi showed above, but it’s not ideal.
The process to add a new intermediate/root CA certificate is to first add it to /usr/share/ca-certificates, update /etc/ca-certificates.conf and then run update-ca-certificates, but I can pre-generate the /etc/ssl/certs/ca-certificates.crt and make it available in the /etc/ssl/certs folder.
Is it possible to add files to the file system outside of the application structure?
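The pre-generation step described above (merge custom_CA.crt into the stock bundle and ship the result as /etc/ssl/certs/ca-certificates.crt), as an added POSIX shell example that is not part of this thread or of Legato. It assumes the stock bundle and custom_CA.crt are passed as file arguments; the PEM blocks in demo() are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from Legato: pre-generate a CA bundle
# holding the stock certificates plus custom_CA.crt, mirroring what
# update-ca-certificates produces, so the result can be shipped as
# /etc/ssl/certs/ca-certificates.crt. File paths are taken as arguments.

# Succeed only if the file holds a PEM certificate block.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Succeed if the certificate body in $1 already appears in bundle $2.
# Bodies are compared with spaces and CRs stripped, so re-wrapped PEM still matches.
bundle_contains() {
    [ -f "$2" ] || return 1
    want=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" | grep -v CERTIFICATE | tr -d ' \r\n')
    awk -v want="$want" '
        /BEGIN CERTIFICATE/ { body = ""; next }
        /END CERTIFICATE/   { if (body == want) found = 1; next }
        { gsub(/[ \r]/, ""); body = body $0 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Append the certificate in $1 to bundle $2 unless it is already there (idempotent).
# Returns 2 if $1 is not a PEM certificate.
add_ca_to_bundle() {
    is_pem_cert "$1" || { echo "$1: not a PEM certificate" >&2; return 2; }
    bundle_contains "$1" "$2" && return 0
    # Make sure the bundle ends with a newline before appending.
    if [ -s "$2" ] && [ "$(tail -c 1 "$2" | wc -l | tr -d ' ')" -eq 0 ]; then printf '\n' >> "$2"; fi
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" >> "$2"
}

# Number of certificate blocks in a bundle: a cheap sanity check before deploying.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed demo data: placeholder PEM blocks, not real certificates.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nU1RPQ0sgUk9PVCBQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n' > "$d/ca-certificates.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nQ1VTVE9NIFJPT1QgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n' > "$d/custom_CA.crt"
    add_ca_to_bundle "$d/custom_CA.crt" "$d/ca-certificates.crt"
    add_ca_to_bundle "$d/custom_CA.crt" "$d/ca-certificates.crt"   # second run adds nothing
    count_certs "$d/ca-certificates.crt"
    rm -rf "$d"
}
```

Once the merged bundle is in place, `openssl verify -CAfile ca-certificates.crt server.crt` checks the chain the same way the `-CAfile` run in the first post did.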