0

I am trying to get my flask application to communicate with my HiveMQ Broker Cluster. The cluster only takes TLS communication through port 8883. As I understand it, I would require some certificate files in order to be able to do this, but all guides instructing me on how to create these that I've come across havent helped..

This is my simple test snippet that I cant get to publish to my topic through TSL:

from flask import Flask, render_template, redirect
from flask_mqtt import Mqtt

app = Flask(__name__)

# MQTT configuration
app.config['MQTT_BROKER_URL'] = 'xxxxxxxxxxxxxxxxxxxxx.s2.eu.hivemq.cloud'
app.config['MQTT_BROKER_PORT'] = 8883
app.config['MQTT_USERNAME'] = 'my_user_name'
app.config['MQTT_PASSWORD'] = 'my_password'
app.config['MQTT_TLS_ENABLED'] = True
app.config['MQTT_TLS_INSECURE'] = True

app.config['MQTT_TLS_CA_CERTS'] = '' # Is this needed? If yes, how is such a file created?
app.config['MQTT_TLS_CERTFILE '] = ''  # Is this needed? If yes, how is such a file created?
app.config['MQTT_TLS_KEYFILE'] = ''  # Is this needed? If yes, how is such a file created?

mqtt = Mqtt(app)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/publish', methods=['POST'])
def publish():
    mqtt.publish("control/", "toggle_valve")
    return redirect('/', 200)

if __name__ == '__main__':
    app.run(debug=True)

I am trying to follow the Flask-MQTT documentation/examples, but I keep getting the error SSL: NO_CIPHERS_AVAILABLE] no ciphers available when trying to run the code..

Are these certification files something that I should get directly from HiveMQ, or do I have to create them myself with openssl or something similar?

Extra info: I am already sure that the url, port, and username+password works, because I have gotten it to work with the paho-mqtt library outside of flask.

Thank you for your time!

paxel
  • 13
  • 4

1 Answers1

0

HiveMQ Cloud offer does not support insecure connections, TLS is required. Secure MQTT TLS connections (port 8883) and secure Websocket TLS connections (port 8884).

To establish a TLS connection, your client/device must trust the Certificate Authority (CA) that has issued the certificate to the HiveMQ Cloud server to which your client is attempting to connect.

You can download the HiveMQ Cloud root CA here: https://letsencrypt.org/certs/isrgrootx1.pem

The other parameters such as MQTT_TLS_CERTFILE and MQTT_TLS_KEYFILE are optional if you want to perform a mutual TLS, that ensures that the communication between the client and server uses mutual encryption (use of both a client and server certificate).

I encourage you to use our Community Forum next time you have any questions regarding HiveMQ Cloud https://community.hivemq.com/

The error you're seeing, ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE], suggests that the Python environment in which your Flask MQTT app is running doesn't have any available SSL/TLS ciphers to establish a secure connection.

Using Python's ssl Module mitigates the issue. I had success with the code below.

from flask import Flask, render_template, redirect
from flask_mqtt import Mqtt
import ssl

app = Flask(__name__)

# Basic MQTT Flask configurations
app.config['MQTT_BROKER_URL'] = 'xxxxxxxxxxxxxxxxxxxxx.s2.eu.hivemq.cloud'
app.config['MQTT_BROKER_PORT'] = 8883
app.config['MQTT_USERNAME'] = 'TYPE_YOUR_USERNAME'
app.config['MQTT_PASSWORD'] = 'TYPE_YOUR_PASSWORD'
app.config['MQTT_KEEPALIVE'] = 60
app.config['MQTT_TLS_ENABLED'] = True
app.config['MQTT_TLS_INSECURE'] = False
app.config['MQTT_TLS_CA_CERTS'] = 'isrgrootx1.pem'
app.config['MQTT_TLS_VERSION'] = ssl.PROTOCOL_TLSv1_2
app.config['MQTT_TLS_CIPHERS'] = None # None to use the defaults encryption ciphers

mqtt = Mqtt(app)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/publish', methods=['POST'])
def publish():
    mqtt.publish("control/", "toggle_valve")
    return redirect('/', 200)

if __name__ == '__main__':
    app.run(debug=True)

Kind regards,
Diego from HiveMQ Team

Diego Duarte
  • 1
  • 2
  • Thank you Diego, but it doesnt seem like it changed the outcome. I am still getting "SSL: NO_CIPHERS_AVAILABLE" when instantiating mqtt = Mqtt(app). I downloaded the certificate from the link you sent and added it to the app.config['MQTT_TLS_CA_CERTS'] – paxel Aug 08 '23 at 10:03
  • You're welcome, according to the example documentation that you have shared you must add the configuration key to define which encryption ciphers are allowable for the connection. `app.config['MQTT_TLS_CIPHERS'] = 'YOUR_CHOSEN_CIPHER_SUITE'` – Diego Duarte Aug 08 '23 at 13:56
  • Aha, I see! I used openssl to see what type of cipher suite my cluster used. I did this with the command "openssl s_client -connect xxxxxxx.s1.eu.hivemq.cloud:8883". The respone tells me ECDHE-RSA-AES128-GCM-SHA256. I added the line app.config['MQTT_TLS_CIPHERS'] = 'ECDHE-RSA-AES128-GCM-SHA256', but I am still getting the same error.. – paxel Aug 08 '23 at 15:32
  • I have added a working example code on the main answer above. Give it a try. – Diego Duarte Aug 09 '23 at 09:05
  • It works! Huge thanks Diego! I will make sure to use the HiveMQ community for any further questions in the subject :) – paxel Aug 09 '23 at 09:50