Issue with enabling TLS for MQTT

Hello, I’m having some issues enabling TLS for MQTT on my satellite machine. Below is the config I’m using on the satellite.

[snips-common]
# bus = "mqtt"
mqtt = "hassbian.localdomain:8883"
# audio = ["+@mqtt"]
# assistant = "/usr/share/snips/assistant"
# user_dir = "/var/lib/snips"

## MQTT authentication
mqtt_username = "..omitted.."
mqtt_password = "..omitted.."

## MQTT TLS configuration
mqtt_tls_hostname = "hassbian.localdomain"
# mqtt_tls_disable_root_store = false
mqtt_tls_cafile = "/usr/share/snips/ca_cert/Swert-CA.pem"
# mqtt_tls_capath = ""
# mqtt_tls_client_cert = ""
# mqtt_tls_client_key = ""

When I try and run “snips-audio-server -vvv” I get the error below.

[14:16:02.281194] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.frame -> Ok(None)
[14:16:02.283724] DEBUG:snips_common_cli::cli: conf lookup: snips-common.frame -> Ok(None)
[14:16:02.285178] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.nomike -> Ok(None)
[14:16:02.286189] DEBUG:snips_common_cli::cli: conf lookup: snips-common.nomike -> Ok(None)
[14:16:02.287208] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mike -> Ok(None)
[14:16:02.288204] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mike -> Ok(None)
[14:16:02.289246] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.disable_capture -> Ok(None)
[14:16:02.290262] DEBUG:snips_common_cli::cli: conf lookup: snips-common.disable_capture -> Ok(None)
[14:16:02.291294] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.alsa_capture -> Ok(None)
[14:16:02.292478] DEBUG:snips_common_cli::cli: conf lookup: snips-common.alsa_capture -> Ok(None)
[14:16:02.293246] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.hijack -> Ok(None)
[14:16:02.293962] DEBUG:snips_common_cli::cli: conf lookup: snips-common.hijack -> Ok(None)
[14:16:02.294716] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.alsa_playback -> Ok(None)
[14:16:02.295445] DEBUG:snips_common_cli::cli: conf lookup: snips-common.alsa_playback -> Ok(None)
[14:16:02.297254] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.disable_playback -> Ok(None)
[14:16:02.298121] DEBUG:snips_common_cli::cli: conf lookup: snips-common.disable_playback -> Ok(None)
[14:16:02.298871] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.output -> Ok(None)
[14:16:02.299583] DEBUG:snips_common_cli::cli: conf lookup: snips-common.output -> Ok(None)
[14:16:02.299946] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.bind -> Ok(Some("gameroom@mqtt"))
[14:16:02.301131] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.bind -> Ok(Some("gameroom@mqtt"))
[14:16:02.302060] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.bus -> Ok(None)
[14:16:02.302791] DEBUG:snips_common_cli::cli: conf lookup: snips-common.bus -> Ok(None)
[14:16:02.303541] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt -> Ok(None)
[14:16:02.304288] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt -> Ok(Some("hassbian.localdomain:8883"))
[14:16:02.305385] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_username -> Ok(None)
[14:16:02.306459] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_username -> Ok(Some("..ommitted.."))
[14:16:02.307247] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_password -> Ok(None)
[14:16:02.307972] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_password -> Ok(Some("..ommitted.."))
[14:16:02.310717] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_hostname -> Ok(None)
[14:16:02.311563] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_hostname -> Ok(Some("hassbian.localdomain"))
[14:16:02.312410] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_disable_root_store -> Ok(None)
[14:16:02.313169] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_disable_root_store -> Ok(None)
[14:16:02.313919] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_cafile -> Ok(None)
[14:16:02.314755] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_cafile -> Ok(None)
[14:16:02.315506] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_cafile -> Ok(Some("/usr/share/snips/ca_cert/Swert-CA.pem"))
[14:16:02.316292] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_capath -> Ok(None)
[14:16:02.317046] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_capath -> Ok(None)
[14:16:02.317797] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_client_key -> Ok(None)
[14:16:02.318527] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_client_key -> Ok(None)
[14:16:02.319268] DEBUG:snips_common_cli::cli: conf lookup: snips-audio-server.mqtt_tls_client_cert -> Ok(None)
[14:16:02.320009] DEBUG:snips_common_cli::cli: conf lookup: snips-common.mqtt_tls_client_cert -> Ok(None)
[14:16:02.320634] DEBUG:snips_common_cli::cli: TLS options: TlsOptions { hostname: "hassbian.localdomain", disable_root_store: false, cafile: ["/usr/share/snips/ca_cert/Swert-CA.pem"], capath: [], client_certs_key: None }
[14:16:02.322081] DEBUG:rumqtt::client       : snips-audio-server|7912-glados_gameroom-1: Client start
[14:16:02.323202] INFO :rumqtt::connection   : snips-audio-server|7912-glados_gameroom-1: Connection start
[14:16:02.323887] DEBUG:rumqtt::connection   : snips-audio-server|7912-glados_gameroom-1 new connection
[14:16:02.378482] DEBUG:rustls::anchors      : add_pem_file processed 1 valid and 0 invalid certs
[14:16:02.380667] DEBUG:rustls::client::hs   : No cached session for DNSNameRef("hassbian.localdomain")
[14:16:02.382186] DEBUG:rustls::client::hs   : Not resuming any session
[14:16:02.424802] DEBUG:rumqtt::connection   : Send: Connect(Connect { protocol: MQTT(4), keep_alive: 10, client_id: "snips-audio-server|7912-glados_gameroom-1", clean_session: false, last_will: None, username: Some("..ommitted.."), password: Some("..ommitted..") })
[14:16:02.588788] DEBUG:rustls::client::hs   : ALPN protocol is None
[14:16:02.589623] DEBUG:rustls::client::hs   : Using ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[14:16:02.589853] DEBUG:rustls::client::hs   : Server supports tickets
[14:16:02.622156] DEBUG:rustls::client::hs   : ECDHE curve is ECParameters { curve_type: NamedCurve, named_group: X25519 }
[14:16:02.623597] DEBUG:rustls::client::hs   : Server cert is [Certificate(b"..ommitted..")]
[14:16:02.629553] DEBUG:rustls::client::hs   : Server DNS name is DNSName("hassbian.localdomain")
[14:16:02.639186] WARN :rustls::session      : Sending fatal alert BadCertificate
[14:16:02.640711] ERROR:snips_audio_server   : Could not start MQTT client on hassbian.localdomain:8883
 -> caused by: invalid certificate: CertNotValidForName

I don’t think the issue is with the CA cert, as I’m able to connect fine over TLS MQTT on the satellite using paho-mqtt in a Python script I use for controlling the button and LED for the speaker (the satellite is one of the Google AIY Voice v2 speakers). Any help that can be provided would be greatly appreciated.

I’ve also got problems connecting to my TLS secured, self-signed mosquitto broker.
At least I’m getting the same error message, but I can’t tell if it’s the same reason.

Did you make any progress narrowing it down?

Unfortunately I never had any luck, and I haven’t had an opportunity to double back to it to take another look.
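
Added example, not part of the thread: rustls checks the server name through webpki, which matches only subjectAltName entries, while some other clients fall back to the subject commonName when a certificate carries no SAN, so the same certificate can pass in one client and fail with CertNotValidForName in another. The sketch below classifies a certificate for a hostname under both rules; `classify`, `fetch_cert` and the sample certificates are constructed for illustration, and the thread does not establish that this is the cause in the case above.

```python
import socket
import ssl


def _matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h


def classify(cert: dict, host: str) -> str:
    """Classify `cert` (shape of ssl.SSLSocket.getpeercert()) for DNS name `host`.

    "san-match": a subjectAltName dNSName covers the host (SAN-only verifiers accept).
    "cn-only":   no dNSName SAN at all and the commonName matches (accepted only
                 by verifiers that still fall back to the CN).
    "no-match":  neither rule accepts the name.
    """
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(_matches(n, host) for n in san_dns):
        return "san-match"
    if san_dns:  # SAN names exist but none match: the CN is not consulted
        return "no-match"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "cn-only" if any(_matches(n, host) for n in cns) else "no-match"


def fetch_cert(host: str, port: int, cafile: str) -> dict:
    """Fetch the broker certificate for inspection (diagnostic use only)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # The chain is still verified against cafile; only the name check is
    # deferred so that classify() can report which rule would accept it.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not from the thread).
CN_ONLY = {"subject": ((("commonName", "broker.example.test"),),)}
WITH_SAN = {
    "subject": ((("commonName", "broker.example.test"),),),
    "subjectAltName": (("DNS", "broker.example.test"), ("DNS", "*.lan.example.test")),
}
STALE_SAN = {
    "subject": ((("commonName", "broker.example.test"),),),
    "subjectAltName": (("DNS", "old-broker.example.test"),),
}
```

A result of "cn-only" or "no-match" means the certificate has to be reissued with a subjectAltName dNSName entry equal to the name the client connects to.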