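azure - SSL verification fails when sending data over MQTT to an X509-authenticated device in Azure IoT Hub

Tags: azure azure-iot-hub

I am trying to send sensor data to an X509 CA-signed device created in my IoT hub, verified with certificates generated using the following link: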

https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md

When sending the data I attach the created root certificate, the device certificate and the device key, as shown in the following code:

from paho.mqtt import client as mqtt
import ssl

path_to_root_cert = "<local path to the generated testonly-rootca.pem>"
device_cert = "<local path to the generated newdevice-cert.pem>"
device_key = "<local path to the generated newdevice-key.pem>"

HubName = "iothub.azure-devices.net"
devicename = "device001"

def on_connect(client, userdata, flags, rc):
    print("Connected with result code: " + str(rc))
    # Subscribe to cloud-to-device messages for this device
    client.subscribe("devices/" + devicename + "/messages/devicebound/#")

def on_disconnect(client, userdata, rc):
    print("Disconnected with result code: " + str(rc))

def on_message(client, userdata, msg):
    print(msg.topic + " " + str(msg.payload))
    # Send a device-to-cloud message in response
    client.publish("devices/" + devicename + "/messages/events/", "{id=1}", qos=1)

def on_publish(client, userdata, mid):
    print("Sent message")

client = mqtt.Client(client_id=devicename, protocol=mqtt.MQTTv311)
client.on_connect = on_connect
client.on_disconnect = on_disconnect
client.on_message = on_message
client.on_publish = on_publish
client.username_pw_set(username=HubName + "/" + devicename, password=None)

# ca_certs is used to verify the server; certfile/keyfile identify the device
client.tls_set(ca_certs=path_to_root_cert, certfile=device_cert, keyfile=device_key, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
# tls_insecure_set() has to be called after tls_set()
client.tls_insecure_set(False)
client.connect(HubName, port=8883)
client.publish("devices/" + devicename + "/messages/events/", "{id=MQTT Test}", qos=1)
client.loop_forever()

The output I get is:

SSL_Verification_failed

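I am connecting to the Azure IoT hub directly with Paho, without using azure-iothub-sdk.

Best answer

Change the "created root certificate" to the DigiCert Baltimore Root Certificate. As the document states: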

In order to establish a TLS connection, you may need to download and reference the DigiCert Baltimore Root Certificate. This certificate is the one that Azure uses to secure the connection. You can find this certificate in the Azure-iot-sdk-c repository. More information about these certificates can be found on Digicert's website.

For a code example, you can refer to the "Sample code for x509 authenticated devices" section in this reply.
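The distinction the answer relies on, as an added example that is not part of the original answer: the CA file passed to the TLS layer is the trust anchor for the certificate the server presents, while the device certificate and key are the identity the client presents. The function names, and the fallback to the platform trust store when no root file is given, are assumptions of this example.

```python
import socket
import ssl


def build_hub_context(server_root_ca=None, device_cert=None, device_key=None):
    """Build a TLS context that keeps the two certificate roles separate."""
    # Role 1: trust anchor used to verify the certificate the SERVER presents.
    # Pass the path of the downloaded public root here. None falls back to the
    # platform trust store (assumption made so the example runs without files).
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_root_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Role 2: the identity the DEVICE presents. The private root that signed it
    # is registered on the hub side; it is not a trust anchor on the device.
    if device_cert:
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def probe(host, ctx, port=8883, timeout=10):
    """Attempt a handshake and report why server verification failed, if it did."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "verified, " + tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Typical when the CA file is the device's own test root
        return "server certificate rejected: " + exc.verify_message
    except OSError as exc:
        return "connection failed: " + str(exc)


if __name__ == "__main__":
    # Placeholders taken from the question; replace with real paths and hub name.
    context = build_hub_context(
        server_root_ca="<local path to the downloaded DigiCert Baltimore root>",
        device_cert="<local path to the generated newdevice-cert.pem>",
        device_key="<local path to the generated newdevice-key.pem>",
    )
    print(probe("iothub.azure-devices.net", context))
    # With Paho, hand over the same context: client.tls_set_context(context)
```

Hostname checking and `CERT_REQUIRED` stay enabled in this context, so the fix is a change of trust anchor rather than a relaxation of verification.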

Regarding azure - SSL verification fails when sending data over MQTT to an X509-authenticated device in Azure IoT Hub, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50642815/
