[Solved] Losant Brokers (mosquitto) dependent on Losant LosantRootCA.crt are all unable to connect to Losant

#1

Earlier this morning all our mosquitto brokers failed to connect with TLS tls_process_server_certificate:certificate verify failed

Where can I find an updated certificate, or have you invalidated the current one?

This is urgent; I have a large amount of equipment down.

T

#2

Tim, I replied to your support email, we can continue our conversation there.

#3

Any details about the solution?

#4

The root CA for Losant’s SSL certificates changed. If you are dependent on verifying against the exact root CA, the new root CA is the DigiCert Global Root CA (you can find it on this page https://www.digicert.com/digicert-root-certificates.htm )

#5

Hi. I also have an SSL CERTIFICATE_VERIFY_FAILED (since 14th May), on a Raspberry Pi with paho mqtt client. What should I do? Thank you.

#6

Hi @Laszlo_Kajcsa,

You will need to switch to the new Root CA, it can be found here.

Thanks,
Julia

#7

That was my problem too with my Raspberry Pi on the same date. Any details about how to switch to the new one?!!
Thanks @JuliaKempf

#8

More details please on how I can do that!!
Because this is my first time using the Losant platform.

#9

Thank you @JuliaKempf. Solved. :slight_smile:

#10

@gh_amel you have to change the content of the /usr/local/lib/python2.7/dist-packages/losantmqtt/RootCA.crt file (at least in my case this is the path) with the content of the file indicated by @JuliaKempf

#11

@gh_amel and @Laszlo_Kajcsa

Just an FYI, the easiest way to get a new cert is to update the losant-mqtt library. This would avoid finding and updating the cert file. If you’re using Python, to update, simply run:

pip install losant-mqtt --upgrade

#12

Thank you @anaptfox. Good to know. But what I was missing is some prior announcement by Losant that they will change this certificate. Or maybe there was one, and I just missed it.

#13

Thanks @Laszlo_Kajcsa, @anaptfox
How can we know more about updates in Losant next time?

#14

This was 100% our mistake, and I promise we will be more proactive on updates such as this. In the future, you can expect multiple email notifications when a change like this occurs. This particular change should not ever happen again, but rest assured you’d be notified from Losant.

If there is anything else we can do or more questions you have, I’d be happy to hear/help.

#15

This brings up an interesting scenario for large-scale IoT deployments: all certificates invalidate after some time, or are invalidated by their owners (e.g. if they get compromised). How to make sure you have ample notice? Could one alternative be to run a small “honeypot” of test devices with the clock advanced by as much as you need to fix certificate failure problems?

#16

@Gambit_Support,

So, the core problem here was that our certificate provider changed the root certificate they are using to sign our certificate. This is a very rare event due to the fact that root certificates have very long lives.

We had not had issues updating our SSL certificates in the past, which is why we didn’t consider it worthy of system maintenance or other notifications of that nature. We will be reworking our policies and procedures regarding future SSL updates.
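
One way to get the advance notice asked about in #15, as an added example that is not part of the thread and not Losant's code: a scheduled probe that handshakes with the broker while trusting only the CA file the devices ship with, and also reports the leaf certificate's issuer and days to expiry. The host, port, file path, function names and the sample certificate are assumptions; the leaf's issuer is normally an intermediate, so a changed issuer is an early hint while a failed handshake against the pinned file is the definitive signal.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Old CA"),),
               (("commonName", "Example Old CA G2"),)),
    "notAfter": "Jun 21 00:00:00 2030 GMT",
}

def summarize_peer_cert(cert, now=None):
    """Extract issuer and remaining lifetime from a getpeercert() dict."""
    now = time.time() if now is None else now
    # 'issuer' is a tuple of RDNs, each a tuple of (name, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"issuer_org": issuer.get("organizationName"),
            "issuer_cn": issuer.get("commonName"),
            "days_left": int((expires - now) // 86400)}

def evaluate(summary, expected_issuer_org, warn_days=30):
    """Return alert strings; an empty list means nothing to report."""
    alerts = []
    if summary["issuer_org"] != expected_issuer_org:
        alerts.append("issuer changed: %r" % summary["issuer_org"])
    if summary["days_left"] < warn_days:
        alerts.append("expires in %d days" % summary["days_left"])
    return alerts

def probe(host, port, cafile, expected_issuer_org, warn_days=30):
    """Handshake trusting only cafile, exactly as a deployed device would."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CAs not loaded
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ["verify failed with pinned CA: %s" % exc.verify_message]
    return evaluate(summarize_peer_cert(cert), expected_issuer_org, warn_days)

if __name__ == "__main__":
    # Placeholder host and path; substitute your broker and device CA file.
    for alert in probe("broker.example.com", 8883, "RootCA.crt",
                       "Example Old CA"):
        print("ALERT:", alert)
```

Run it from cron or a monitoring agent on a machine that is not one of the field devices, so an alert arrives even when the devices themselves cannot connect.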