英文:
Cannot to EMQX Cloud Broker via unsecure Web Sockets - secure ws works
问题
这是您提供的代码部分的中文翻译:
// 获取EMQX Cloud连接配置
getEmqxCloudConnection(): IMqttServiceOptions {
return {
hostname: 'xx.xx.xx.182',
port: 8083,
path: '/mqtt',
clean: true, // 保留
connectTimeout: 4000,
reconnectPeriod: 4000,
clientId: 'HarBrowserTest1',
username: 'myUser',
password: 'myPass',
protocol: 'ws',
connectOnCreate: false,
};
}
根据他们的Broker仪表板,可用的端口包括:
- 端口:1883(mqtt),8883(mqtts),8083(ws),8084(wss)
我已经将我们的SSL证书导入到EMQX仪表板,但当我将连接字符串更改为 port: 8084 和 protocol: 'wss' 时,它却无法连接!
在我的Chrome浏览器网络选项卡中,这是对于标准的不安全ws连接的查看 - 成功连接到Mqtt Broker的ws连接。
这是我用于导入PEM编码证书主体和密钥的证书界面:
*********** 更新 **************
根据下面的评论,“将IP绑定到您的域名”是允许我们通过wss连接的最终解决方案(例如emqx.my-domain.com)。
英文:
I'm using Angular 14 and the ngx-mqtt front-end lib.
Here's my connection string which works fine:
getEmqxCloudConnection(): IMqttServiceOptions {
return {
hostname: 'xx.xx.xx.182',
port: 8083,
path: '/mqtt',
clean: true, // retain
connectTimeout: 4000,
reconnectPeriod: 4000,
clientId: 'HarBrowserTest1',
username: 'myUser',
password: 'myPass',
protocol: 'ws',
connectOnCreate: false,
};
}
As per their Broker dashboard the available ports are:
Ports: 1883(mqtt), 8883(mqtts), 8083(ws), 8084(wss)
I have already imported our SSL Certificate into the EMQX Dashboard, yet when I change my conn string to port: 8084 and protocol: 'wss' - IT DOESN'T CONNECT !
They have some screenshots here showing their Client Tool, but for reason every one shows port=1883 (a mistake maybe). https://docs.emqx.com/en/cloud/latest/connect_to_deployments/mqttx.html#connection-configuration
In my Chrome browser network tab, here's what I see for the std insecure ws - A successful ws conn to the Mqtt Broker.
Here is the certificate UI which I used to imported the PEM-Encoded cert body and key:
*********** UPDATE **************
As per comment down below, binding the IP to your domain was the final solution which allowed us to connect over wss`. (e.g. emqx.my-domain.com)
答案1
得分: 2
这很可能是与您为代理使用的证书有关。
首先,除非您已正确创建证书(使用正确的SAN条目),包括IP地址作为证书的主体,否则连接将被拒绝,因为证书与代理用于连接的主机名/IP地址不匹配。
其次,如果这是一个自签名证书,那么浏览器将会拒绝它,除非您手动将CA(或者如果它确实是自签名的证书)导入浏览器的信任存储并标记为受信任。浏览器 不会像在网页上那样向您显示警告并要求接受WebSocket连接,它只会在控制台中显示错误,没有其他信息。
附言:您不应在Web应用程序中硬编码客户端ID,因为客户端ID必须在所有客户端之间保持唯一,因此硬编码它意味着每个访问页面的人都将使用相同的客户端ID,每个新连接都会中断上一个连接(并可能最终导致重新连接的问题)。
英文:
This will most likely be down to the certificate you have used for the broker.
First unless you have created the certificate just right (using the correct SAN entries) that include the IP address as the principal for the certificate, then the connection will get rejected because the certificate doesn't match the hostname/IP address the broker is using to connect.
Second, if it is a self signed certificate then the browser will just reject it, unless you have manually imported the CA (or if it really is self signed the cert it's self) into the browsers trust store and marked it as trusted. The browser will NOT show you a warning and ask to accept for a WebSocket connection like it does with a webpage, it will just fail with an error in the console and nothing else.
P.S. - You should not hard code the client id in web apps, this is because client ids must be unique across ALL clients, so hardcoding it means that everybody that visits the page will use the same client id and each new connection will kick off the last one (and probably end up in a reconnect fight)
答案2
得分: 1
如果你检查 EMQX 的日志,也许你可以获得更多有用的信息。
以下是常见 TLS 连接失败的可能原因。
首先,如前面的答案中提到的,当证书颁发时,它的 CN 或 SAN 字段可能设置为域名或 IP 地址,但你在连接时指定的地址与 CN 和 SAN 字段的值不匹配。
在这种情况下,TLS 客户端会认为你正在连接的服务器可能不是你真正期望的,因此它会拒绝连接。
我们有三种解决方法:
- 关闭对等证书的验证,如果你的客户端支持此选项。然而,我们不建议这样做,因为它会增加安全风险。
- 重新颁发一个与你的服务器地址匹配的证书。
- 在客户端连接时设置 SNI 字段(全名 Server Name Indication),以便 TLS 检查 SNI 是否与证书的 CN 和 SAN 字段匹配,而不是你的实际连接地址。
第二种可能的原因是你的证书路径不完整,比如中间证书缺失,或者客户端没有指定受信任的根证书,EMQX 日志中的关键字是 unknown_ca。
有关更多 TLS 错误原因,你可以参考SSL 连接错误。
英文:
If you check the logs of EMQX, maybe you can get more helpful information.
The following are possible reasons for common TLS connection failures.
First of all, as mentioned in the previous answer, your certificate may have a domain name or IP address set as CN or SAN when it is issued, but the address you specified when connecting does not match the values of the CN and SAN fields.
In this case, the TLS client will think that the server you are connecting to may not be what you really expect, so it will refuse the connection.
We have three ways to solve it:
- Turn off the verification of the peer certificate, if your client has this option. However, we do not recommend this as it increases the security risk.
- Reissue a certificate that matches your server address
- Set the SNI field (full name Server Name Indication) when the client connects, so that TLS will check whether the SNI matches the CN and SAN fields of the certificate, instead of your actual connection address.
The second possible reason is that your certificate path is incomplete, such as the lack of intermediate certificates, or the client does not specify a trusted root certificate, its keyword in the EMQX log is unknown_ca.
For more TLS error reasons, you can refer to SSL Connection Error.
答案3
得分: 1
在浏览器环境中,您应该使用由CA签发的服务器证书,而不是自签名证书。
自签名SSL与受信任的CA签名SSL证书比较,参见https://cheapsslsecurity.com/blog/self-signed-ssl-versus-trusted-ca-signed-ssl-certificate/。
英文:
In a browser environment, you should use a server certificate issued by a CA Signed than a self-signed certificate.
Self-Signed SSL Vs Trusted CA Signed SSL Certificate, see the https://cheapsslsecurity.com/blog/self-signed-ssl-versus-trusted-ca-signed-ssl-certificate/
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论