MQTT 3.1.1 Error code 5 (Connection Refused - Not Authorized) over TLS using CA cert on nRF5340 board

Hello! I am using the nRF5340 dev board with an nRF7002ek wifi shield to connect to MQTT using the Zephyr MQTT library and MQTT 3.1.1 (the only supported version by Zephyr). I am connecting with TLS over MQTT (not web sockets TLS/SSL), and I'm attempting to connect to my private secure serverless EMQX broker but I keep getting the MQTT 3.1.1 Error code 5 (Connection Refused - Not Authorized).

My current approach:

  • I followed the Wifi Fundamentals course and used portions of code samples here: github.com/.../lesson4 to implement MQTT and wifi connection
  • I first connect to wifi and set a 30 second timeout to let wifi fully initialize
  • I then use the connection details provided by my EMQX dashboard to initialize the client and connect to MQTT
  • the details I use are the ones included, which are the broker hostname: {omitted}.emqxsl.com, the port 8883, and the CA certificate I downloaded directly from my EMQX dashboard
  • I also included my username and password that I set in my EMQX dashboard
  • here are the additional configs I set when I attempt to connect that I am suspicious of:
    tls_cfg->peer_verify = TLS_PEER_VERIFY_OPTIONAL;
    tls_cfg->cipher_count = 0;
    tls_cfg->cipher_list = NULL;
    tls_cfg->sec_tag_count = ARRAY_SIZE(sec_tag_list);
    tls_cfg->sec_tag_list = sec_tag_list;
    tls_cfg->session_cache = TLS_SESSION_CACHE_DISABLED;
    tls_cfg->hostname = {omitted}.ala.us-east-1.emqxsl.com; (should I be setting a hostname here or just leaving it as NULL?)
  • Additionally, my keep-alive value for my MQTT client is 60 seconds, and I am creating a clean session (CONFIG_MQTT_CLEAN_SESSION=y) each time I connect to MQTT
  • I have printed out the MQTT client details after initializing them and it looks like the IPv4 address is correctly retrieved and assigned, so DNS server resolution isn't the problem here either
  • I am also running out of memory on my dev board (running at 97% FLASH and 94% RAM), so I am worried this may be a problem as well

The problem:

  • I am able to successfully connect to MQTT with my current connection details, but then I hit the CONNACK case and get error code 5 (Connection Refused - Not Authorized)
  • I have confirmed that this is only an issue I have with EMQX and the way I'm setting up my TLS config, because I am able to connect and send/receive messages to the public EMQX server without TLS (broker.emqx.io), and I have also been able to securely connect with TLS using the test.mosquitto.org broker along with their provided CA cert. HOWEVER, I have not tested my code using a username + password with another CA cert + MQTT broker, so I'm wondering if I'm also setting my password and username incorrectly.
  • I have also tested using my EMQX connection details with my EMQX CA certificate and username/password on the MQTTX desktop app and the MQTT Explorer desktop app and was able to connect through there.

Here are the serial monitor error logs I am seeing:

wifi connect -s "{omitted wifi name}" -k 1 -p "{omitted wifi password}"
Connection requested
Connected
[00:00:40.750,183] <inf>: Added CA certificate, size: 1339 bytes
[00:00:40.750,183] <inf>: Initializing MQTT client
[00:00:40.851,776] <inf>: IPv4 address of MQTT broker found {omitted ipv4 address}
[00:00:40.851,806] <inf>: Successfully initialized broker connection
[00:00:40.852,172] <inf>: Now establishing a connection to the MQTT broker
[00:00:41.988,433] <inf>: Successfully established a connection to the MQTT broker
[00:00:42.068,237] <inf>: CA certificate size: 1339
[00:00:42.068,237] <err>: MQTT connect failed: 5, return code: 5
[00:00:42.076,721] <inf>: MQTT client disconnected: -111
[00:00:42.076,721] <err>: Error in mqtt_input: -111
[00:00:42.076,721] <inf>: Disconnecting MQTT client
[00:00:42.076,751] <err>: Could not disconnect MQTT client: -128
[00:00:42.076,782] <inf>: Reconnecting in 60 seconds...

and here are some snippets of code that I am unsure are correct:

err = tls_credential_add(MQTT_TLS_SEC_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, ca_certificate, sizeof(ca_certificate));

int client_init(struct mqtt_client *client)
{
	int err;

	mqtt_client_init(client);

	/* Broker address (filled in by server_resolve()), event callback and protocol. */
	client->broker = &server;
	client->evt_cb = mqtt_evt_handler;
	client->protocol_version = MQTT_VERSION_3_1_1;

	client->client_id.utf8 = (uint8_t *)CONFIG_MQTT_CLIENT_ID;
	client->client_id.size = strlen(CONFIG_MQTT_CLIENT_ID);

	/* Credentials sent in the CONNECT payload. They are static so the pointers
	 * stay valid after client_init() returns; sizeof(...) - 1 is a compile-time
	 * constant, which a static initializer requires in standard C. */
	static struct mqtt_utf8 password = {
		.utf8 = (uint8_t *)CONFIG_MQTT_PASSWORD,
		.size = sizeof(CONFIG_MQTT_PASSWORD) - 1
	};
	client->password = &password;

	static struct mqtt_utf8 username = {
		.utf8 = (uint8_t *)CONFIG_MQTT_USERNAME,
		.size = sizeof(CONFIG_MQTT_USERNAME) - 1
	};
	client->user_name = &username;

	client->rx_buf = rx_buffer;
	client->rx_buf_size = sizeof(rx_buffer);
	client->tx_buf = tx_buffer;
	client->tx_buf_size = sizeof(tx_buffer);

	client->transport.type = MQTT_TRANSPORT_SECURE;

	struct mqtt_sec_config *tls_cfg = &(client->transport).tls.config;
	static sec_tag_t sec_tag_list[] = { MQTT_TLS_SEC_TAG };

	/* OPTIONAL lets the handshake complete even if the server certificate does
	 * not chain to the CA stored under MQTT_TLS_SEC_TAG; REQUIRED would fail it. */
	tls_cfg->peer_verify = TLS_PEER_VERIFY_OPTIONAL;
	tls_cfg->cipher_count = 0;	/* 0 / NULL: use the default cipher suites */
	tls_cfg->cipher_list = NULL;
	tls_cfg->sec_tag_count = ARRAY_SIZE(sec_tag_list);
	tls_cfg->sec_tag_list = sec_tag_list;
	tls_cfg->session_cache = TLS_SESSION_CACHE_DISABLED;
	tls_cfg->hostname = CONFIG_MQTT_BROKER_HOSTNAME;	/* SNI and certificate name check */

	err = server_resolve();
	if (err) {
		LOG_ERR("Failed to initialize broker connection");
		return err;
	}
	LOG_INF("Successfully initialized broker connection");

	return err;
}

I would really appreciate any help or ideas because I've been wrangling this issue for a while now and would be eternally grateful for any suggestions!! Thank you so much in advance :)
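For reference, here is a standalone C encoder/decoder for the MQTT 3.1.1 CONNECT and CONNACK packets that the Zephyr client exchanges with the broker in the log above. It is an added example, not code from this post or from Zephyr, and the client id, credentials and keep-alive values used with it are constructed: it shows how the username/password flag bits and the length-prefixed payload fields must agree in the CONNECT, and that the return code in the CONNACK (5 = Connection Refused, not authorized) is the broker's own decision, sent after the TLS handshake has already completed.

```c
#include <stdint.h>
#include <string.h>
/* MQTT 3.1.1 CONNECT flag bits (spec section 3.1.2.3). */
#define CONNECT_FLAG_USERNAME 0x80
#define CONNECT_FLAG_PASSWORD 0x40
#define CONNECT_FLAG_CLEAN    0x02

/* Write a 2-byte big-endian length prefix followed by the string bytes. */
static size_t put_utf8(uint8_t *out, const char *s)
{
    size_t n = strlen(s);
    out[0] = (uint8_t)(n >> 8);
    out[1] = (uint8_t)(n & 0xff);
    memcpy(out + 2, s, n);
    return n + 2;
}

/* Build a CONNECT packet (single-byte remaining length, so <= 127 bytes).
 * username/password may be NULL; their flag bits are set only when present,
 * and the broker expects the payload fields to match the flags exactly.
 * Returns the packet length, or 0 if it does not fit in cap bytes. */
size_t build_connect(uint8_t *buf, size_t cap, const char *client_id,
                     const char *username, const char *password,
                     uint16_t keepalive, int clean_session)
{
    size_t n = 10 + 2 + strlen(client_id); /* variable header + client id */
    uint8_t flags = clean_session ? CONNECT_FLAG_CLEAN : 0, *p;
    if (username) { flags |= CONNECT_FLAG_USERNAME; n += 2 + strlen(username); }
    if (password) { flags |= CONNECT_FLAG_PASSWORD; n += 2 + strlen(password); }
    if (n > 127 || cap < n + 2) return 0;
    buf[0] = 0x10;                 /* fixed header: CONNECT packet type */
    buf[1] = (uint8_t)n;           /* remaining length */
    p = buf + 2;
    p += put_utf8(p, "MQTT");      /* protocol name */
    *p++ = 4;                      /* protocol level 4 = MQTT 3.1.1 */
    *p++ = flags;
    *p++ = (uint8_t)(keepalive >> 8);
    *p++ = (uint8_t)(keepalive & 0xff);
    p += put_utf8(p, client_id);   /* payload: client id, then credentials */
    if (username) p += put_utf8(p, username);
    if (password) p += put_utf8(p, password);
    return n + 2;
}

/* Decode a CONNACK (0x20 0x02 <ack flags> <return code>); -1 if malformed.
 * Return codes: 0 accepted, 4 bad user name or password, 5 not authorized. */
int parse_connack(const uint8_t *pkt, size_t len)
{
    if (len != 4 || pkt[0] != 0x20 || pkt[1] != 0x02 || pkt[3] > 5) return -1;
    return pkt[3];
}
```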