mqtt: MbedTLS doesn't like wildcard certificates (#2336)

ShellAddicted 2022-10-05 03:31:15 +02:00 committed by GitHub
parent ccb7961ad6
commit 946211c10a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions


@ -290,6 +290,21 @@ You have to download the server CA certficiate in PEM format and add it to ``cer
Usually these are .crt files and you can open them with any text editor.
Also make sure to change the ``port`` of the mqtt broker. Most brokers use port 8883 for TLS connections.
.. warning::
MbedTLS, the library that handles TLS for the esp-idf, doesn't validate wildcard certificates.
The Common Name check only works if the CN is explicitly reported in the certificate.
- \*.example.com -> Fail
- mqtt.example.com -> Success
If a secure connection is necessary for your device, you really want to set:
.. code-block:: yaml
skip_cert_cn_check: false
.. code-block:: yaml
mqtt:
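Review bot: the warning's first sentence states a factual claim about MbedTLS ("doesn't validate wildcard certificates") without pointing at the upstream issue or the esp-idf version where this was observed; please add a link or version so readers can tell when it stops applying. The text also describes the check as a "Common Name" check, while the two bullet examples (`\*.example.com -> Fail`, `mqtt.example.com -> Success`) only show what name was on the certificate, not whether it was in the CN or a Subject Alternative Name; say which field the check actually inspects. Finally, the sentence "you really want to set: `skip_cert_cn_check: false`" should state the consequence of the opposite setting, namely that with the check skipped any certificate signed by the configured CA is accepted regardless of the host it was issued for, so the reader understands what the option trades away.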
@ -298,6 +313,7 @@ Also make sure to change the ``port`` of the mqtt broker. Most brokers use port
discovery: true
discovery_prefix: ${mqtt_prefix}/homeassistant
log_topic: ${mqtt_prefix}/logs
# Evaluate carefully skip_cert_cn_check
skip_cert_cn_check: true
idf_send_async: false
certificate_authority: |
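Review bot: this example sets `skip_cert_cn_check: true` directly below a warning that tells the reader to set it to `false` for a secure connection; the comment `# Evaluate carefully skip_cert_cn_check` does not resolve the contradiction. Suggest the example use `skip_cert_cn_check: false` (the recommended value) and move the wildcard caveat into the comment, e.g. `# set to true only if your broker uses a wildcard certificate; this disables hostname verification`, so the copy-pasted config is secure by default.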