TLS handshake fails (using mqtts): Common name doesn't match

RichPiano
Posts: 123
Joined: Mon May 18, 2020 2:51 pm

TLS handshake fails (using mqtts): Common name doesn't match

Postby RichPiano » Sun Jan 17, 2021 9:57 pm

I'm connecting to a Raspberry Pi 4B using MQTT over TLS. I have created a self-signed certificate on the Raspi which is used by mosquitto running with TLS configured. I also embedded it into the esp32 binary (as shown in the mqtts ssl example). As Common Name (CN) I put in the raspberry pi's IP address. This IP address is also used as broker URI in the esp32 source code.

Now I get this error message:


E (35928) esp-tls: Failed to open new connection
E (35928) TRANS_SSL: Failed to open a new connection
E (35938) MQTT_CLIENT: Error transport connect
I (35938) MQTTS_EXAMPLE: MQTT_EVENT_ERROR
I (35948) MQTTS_EXAMPLE: Last error code reported from esp-tls: 0x8010
I (35948) MQTTS_EXAMPLE: Last tls stack error number: 0x2700
I (35958) MQTTS_EXAMPLE: Last captured errno : 0 (Success)
I (35968) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED
I (50968) MQTTS_EXAMPLE: Other event id:7
E (51008) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (51008) esp-tls-mbedtls: Failed to verify peer certificate!
I (51008) esp-tls-mbedtls: verification info:   ! The certificate Common Name (CN) does not match with the expected CN
  ! The certificate is not
It's obvious that somehow the CNs don't match up. But I have tested again and again that the IP address of the certificate on the server (the raspberry) and the one on the client (esp32) DO indeed match. Also, it clearly is the IP address specified in the broker URI. But what else could cause this mismatch?

chegewara
Posts: 2238
Joined: Wed Jun 14, 2017 9:00 pm

Re: TLS handshake fails (using mqtts): Common name doesn't match

Postby chegewara » Sun Jan 17, 2021 11:57 pm

Did you check with other mqtt client or did you try to connect to rpi from browser using https connection to confirm all is setup correctly on rpi?

RichPiano
Posts: 123
Joined: Mon May 18, 2020 2:51 pm

Re: TLS handshake fails (using mqtts): Common name doesn't match

Postby RichPiano » Thu Jan 21, 2021 7:24 am

I solved the issue. Thanks for your tip @chegewara. The problem was with the Raspberry Pi, not with the ESP. After I made sure that the apache server could use the certificate (using this guide: https://www.youtube.com/watch?v=bp22h1KTqyo) it worked. However, I had to change the access rights of the certificates for the MQTT broker, which was very confusing as I thought if apache could use it the mqtt broker could as well. Turns out this is not necessarily the case as both use different groups to access the files. Just in case someone stumbles upon the same problem.
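An added example (not code from the thread, ESP-IDF or mosquitto) that scripts the two checks this thread comes down to: what names the broker certificate actually carries, and whether the broker's own service account can read the certificate files at all. It assumes a Debian-style Raspberry Pi OS where mosquitto runs as user `mosquitto` and apache as `www-data`, GNU `stat`, and placeholder certificate paths.

```sh
#!/bin/sh
# Added example, not code from the thread or from ESP-IDF/mosquitto.
# Assumes GNU coreutils (stat -c) and Debian-style service accounts:
# mosquitto runs as user "mosquitto", apache as "www-data".
# Certificate paths are placeholders; use the ones in your mosquitto.conf.

# 1) Print the names in the broker certificate. esp-tls (mbedTLS) compares
#    the host part of the broker URI against subjectAltName entries when the
#    certificate has any, otherwise against the CN, so both are shown.
show_cert_names() {
  cert="$1"
  openssl x509 -in "$cert" -noout -subject
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true
}

# 2) Decide from owner/group/mode bits whether user $2 can read file $1,
#    without sudo or switching users. This is the "apache can read it but
#    mosquitto cannot" situation from the thread: the two services are in
#    different groups, so the group bits decide.
readable_by() {
  file="$1"; user="$2"
  [ -e "$file" ] || return 1
  info=$(stat -c '%a %U %G' "$file") || return 1
  set -- $info
  mode="$1"; owner="$2"; group="$3"
  [ "$user" = root ] && return 0          # root ignores mode bits
  mode=$(printf '%03d' "$mode")            # stat prints "0" for mode 000
  mode=${mode#"${mode%???}"}               # keep the last three digits (ugo)
  u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
  if [ "$owner" = "$user" ]; then bit="$u"
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then bit="$g"
  else bit="$o"; fi
  [ $((bit & 4)) -ne 0 ]                   # read bit set for that class?
}

# Typical use on the broker (paths are placeholders):
#   show_cert_names /etc/mosquitto/certs/server.crt
#   for f in /etc/mosquitto/certs/server.crt /etc/mosquitto/certs/server.key; do
#     readable_by "$f" mosquitto || echo "mosquitto cannot read $f"
#   done
```

The parent directories also need the execute bit for that account; a key dropped into a directory only `www-data` can traverse fails in the same way.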
