KB89849
Published: August 17, 2021
Revision: 2.0

Cannot connect to MQTT broker using root CA-signed or self-signed certificate


Applies To:

Firmware for the following groov EPICs:

  • GRV-EPIC-PR1
  • GRV-EPIC-PR2

Firmware for the following groov RIOs:

  • GRV-R7-MM1001-10
  • GRV-R7-MM2001-10

Versions Affected:

groov EPIC: 3.1.0 to 3.2.1
groov RIO: 3.1.0 to current

Resolved In Version:

groov EPIC: 3.2.2


Symptoms:

After you complete the following steps, the groov Manage MQTT client might not connect to the broker:

  1. (Optional) You create a self-signed MQTT client certificate and private key file; the private key file is in a PKCS format other than PKCS#1. Then, you upload the certificate and private key file into groov Manage.
  2. You correctly configure the broker to use SSL and select either:
    • the self-signed MQTT client certificate and private key file you created in step 1, or
    • a root CA-signed client certificate and private key file.

Workaround:

The problem occurs because the private key file (for either the root CA-signed or the self-signed certificate) is in a PKCS format other than PKCS#1; groov EPIC and groov RIO currently support private key files only in PKCS#1 format. To work around the problem, convert the private key file to PKCS#1, then upload the converted private key file into the groov EPIC or groov RIO. The following instructions assume you are familiar with the OpenSSL software library:

  1. Run the following OpenSSL command: openssl rsa -check -in client-key.pem, where client-key is the name of the private key file.
  2. Copy the output text and paste into a text file, then save it. The text file is now in PKCS#1 format.
  3. Upload the text file into groov EPIC or groov RIO:
    1. Log in to your groov EPIC or groov RIO with a system administrator account.
    2. Click MQTT > Client Authentication.
    3. In the Keys section, click Add/Update.
    4. Navigate to the folder where you stored the text file you created in step 2.
    5. Select the text file, then click Open. groov Manage installs the key file.
  4. Restart the groov Manage MQTT client:
    1. In the Client Authentication page, click Back.
    2. In the MQTT Status section, click Disable. Wait a few moments for the MQTT Status to show Disabled.
    3. Click Enable.
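
Steps 1 and 2 of the workaround as a script, added here as an example and not Opto 22's own code: it classifies the key by its PEM header, converts it, and confirms that the result is PKCS#1 before you upload it. OpenSSL 3.x writes PKCS#8 from openssl rsa unless -traditional is given, which the script accounts for; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example, not Opto 22 code. Function and file names are assumptions.
# Usage (script name is an assumption): sh to_pkcs1.sh client-key.pem client-key-pkcs1.pem

# key_format FILE: classify a PEM private key by its header line.
#   BEGIN RSA PRIVATE KEY       -> pkcs1 (the format the article requires)
#   BEGIN PRIVATE KEY           -> pkcs8
#   BEGIN ENCRYPTED PRIVATE KEY -> pkcs8-encrypted
key_format() {
    if grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo pkcs1
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo pkcs8
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo pkcs8-encrypted
    else
        echo unknown
    fi
}

# to_pkcs1 IN OUT: write IN as a PKCS#1 RSA key to OUT, then confirm the result.
# The body runs in a subshell so the restrictive umask does not leak to the caller.
to_pkcs1() (
    in=$1 out=$2
    umask 077    # the output is a private key: create it owner-only
    # The article's -check, run with -noout so that only the key itself
    # ends up in OUT; success is judged from the "RSA key ok" status line.
    openssl rsa -check -noout -in "$in" | grep -q 'RSA key ok' || exit 1
    openssl rsa -in "$in" -out "$out" || exit 1
    # OpenSSL 3.x writes PKCS#8 here unless -traditional is given; older
    # builds do not have that option, so it is used only when the first
    # attempt did not produce a PKCS#1 header.
    if [ "$(key_format "$out")" != pkcs1 ]; then
        openssl rsa -traditional -in "$in" -out "$out" || exit 1
    fi
    [ "$(key_format "$out")" = pkcs1 ]
)

if [ "$#" -eq 2 ]; then
    echo "input format: $(key_format "$1")"
    to_pkcs1 "$1" "$2" && echo "wrote PKCS#1 key to $2"
fi
```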

Resolution:

Opto 22 has resolved this issue and will include the fix in an upcoming release.

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com


Copyright © 2021 Opto 22. All rights reserved.