Unable to connect to Solace Event Broker Cloud

I downloaded the PEM file (DigiCertGlobalRootCA.pem) from Solace PubSub+ Cloud and used the following Python code to connect:

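from solace.messaging.messaging_service import MessagingService
from solace.messaging.config.transport_security_strategy import TLS

trust_store_path = r"DigiCertGlobalRootCA.pem"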

props = {
    "solace.messaging.transport.host": "tcps://XXXXXXX:55443",
    "solace.messaging.service.vpn-name": "XXX",
    "solace.messaging.authentication.scheme.basic.username": "XXXX",
    "solace.messaging.authentication.scheme.basic.password": "XXXXX",
}

# Create a TLS transport security strategy
transport_security = TLS.create().with_certificate_validation(
    validate_server_name=True,
    ignore_expiration=False,
    trust_store_file_path=trust_store_path
)

service = MessagingService.builder() \
    .from_properties(props) \
    .with_transport_security_strategy(transport_security) \
    .build()

service.connect()

However, when I run this code using Python, I encounter the following error:

SESSION CREATION UNSUCCESSFUL. Untrusted certificate.
{'caller_description': 'From service event callback',
 'return_code': 'Ok',
 'sub_code': 'SOLCLIENT_SUBCODE_UNTRUSTED_CERTIFICATE',
 'error_info_sub_code': 99,
 'error_info_contents': "Session '(c0,s1)_cfh_test': The peer certificate is not trusted, rc='unable to get local issuer certificate'"}

It seems the Solace client cannot verify the server’s certificate due to a missing intermediate certificate in the trust store. I would appreciate any guidance or working examples from the community on how to properly configure the trust store to include the full certificate chain.

Hi there, I’m Solly AI, I generate responses to your questions using the power of the Solace Agent Mesh:

Looking at the documentation, I can explain how to configure the trust store with the complete certificate chain for connecting to PubSub+ Cloud using Python.

The key points are:

  1. When connecting securely to PubSub+ Cloud, you need to:

    • Download the trust store (DigiCert Root CA) from the “Connect” tab in the SMF section of your service
    • Configure the trust store path in your connection properties
  2. For Python, you can configure the trust store in two ways:

    a. Using Transport Security Strategy:

    from solace.messaging.config.transport_security_strategy import TLS
    from solace.messaging.messaging_service import MessagingService

    transport_security_strategy = TLS.create().with_certificate_validation(True, False, "/path/to/truststore/")

    messaging_service = MessagingService.builder().from_properties(broker_props)\
                       .with_transport_security_strategy(transport_security_strategy)\
                       .build()

    b. Using broker properties:

    broker_props = {
        "solace.messaging.transport.host": "tcps://host:port",
        "solace.messaging.service.vpn-name": "vpn_name",
        "solace.messaging.authentication.scheme.basic.username": "username",
        "solace.messaging.authentication.scheme.basic.password": "password",
        "solace.messaging.tls.trust-store-path": "/path/to/truststore/DigiCert_Global_Root_CA.pem"
    }
    

I have amended the code as below:
props = {
    "solace.messaging.transport.host": "xxxx:55443",
    "solace.messaging.service.vpn-name": "XXXX",
    "solace.messaging.authentication.scheme.basic.username": "XXXX",
    "solace.messaging.authentication.scheme.basic.password": "XXXXX",
}

transport_security_strategy = TLS.create().with_certificate_validation(True, False, r"D:\cert")

service = MessagingService.builder().from_properties(props) \
    .with_transport_security_strategy(transport_security_strategy) \
    .build()

However, I still encounter the error below:
File "C:\Users\MSTR-ChooFungHai\PycharmProjects\PythonProject.venv\Lib\site-packages\solace\messaging\messaging_service.py", line 1263, in connect
raise error
solace.messaging.errors.pubsubplus_client_error.PubSubPlusCoreClientError: SESSION CREATION UNSUCCESSFUL. Untrusted certificate. {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_UNTRUSTED_CERTIFICATE', 'error_info_sub_code': 99, 'error_info_contents': "Session '(c0,s1)_cfh_test': The peer certificate is not trusted, rc='unable to get local issuer certificate'"}
2025-04-08 17:12:24,852 [WARNING] solace.messaging.core: [_solace_transport.py:72] [[SERVICE: 0x1f1d3231090] - [APP ID: FUNGHAI/34048/00000001/22ow5g7_mK]] SESSION CREATION UNSUCCESSFUL. Untrusted certificate. {'caller_description': 'From service event callback', 'return_code': 'Ok', 'sub_code': 'SOLCLIENT_SUBCODE_UNTRUSTED_CERTIFICATE', 'error_info_sub_code': 99, 'error_info_contents': "Session '(c0,s1)_cfh_test': The peer certificate is not trusted, rc='unable to get local issuer certificate'"}
2025-04-08 17:12:24,853 [WARNING] solace.messaging.core: [_solace_transport.py:72] [[SERVICE: 0x1f1d3231090] - [APP ID: FUNGHAI/34048/00000001/22ow5g7_mK]] SESSION CREATION UNSUCCESSFUL. Untrusted certificate. {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_UNTRUSTED_CERTIFICATE', 'error_info_sub_code': 99, 'error_info_contents': "Session '(c0,s1)_cfh_test': The peer certificate is not trusted, rc='unable to get local issuer certificate'"}
2025-04-08 17:12:24,853 [WARNING] solace.messaging.connections: [messaging_service.py:1262] [[SERVICE: 0x1f1d3231090] - [APP ID: FUNGHAI/34048/00000001/22ow5g7_mK]] Connection failed. Status code: 3

Hey @funghai,

I noticed in your broker properties you didn’t put a solace.messaging.tls.trust-store-path as suggested by @Solly-AI, was there a particular reason for that?

Additionally, did you happen to have a look at the response @swenhelge provided here regarding the possibility of needing to provide a full certificate chain?
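
Added example, not part of any post in this thread: the rc text in the error above, "unable to get local issuer certificate", is the message OpenSSL gives when it cannot build a chain from the peer certificate to a trusted CA, and it can be reproduced offline with the openssl CLI. The script below builds a constructed root, intermediate and leaf (all names and file names are made up) and shows that a root-only trust store verifies the leaf only when the server also sends the intermediate; otherwise the intermediate has to be in the trust store as well.

```shell
#!/bin/sh
# Constructed PKI for illustration: root -> intermediate -> leaf. All names are made up.
set -eu
WORK=$(mktemp -d)

# issue NAME CN SIGNING_ARGS...: new key + CSR, then a 1-day certificate at $WORK/NAME.pem
issue() {
    name=$1 cn=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -days 1 \
        -out "$WORK/$name.pem" "$@" 2>/dev/null
}

make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    issue root "Constructed Root CA" -signkey "$WORK/root.key" -extfile "$WORK/ca.ext"
    issue int "Constructed Intermediate CA" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext"
    issue leaf "broker.example.test" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial
    # A trust store that carries the full chain above the leaf.
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
}

# verify_leaf TRUSTED_PEM [SENT_BY_SERVER_PEM]: print OpenSSL's verdict on the leaf.
verify_leaf() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1 || true
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true
    fi
}

make_chain
echo "1) root-only trust store, server sends leaf only:"
verify_leaf "$WORK/root.pem"
echo "2) root-only trust store, server also sends the intermediate:"
verify_leaf "$WORK/root.pem" "$WORK/int.pem"
echo "3) trust store holds intermediate + root, server sends leaf only:"
verify_leaf "$WORK/bundle.pem"
```

To see which certificates a real endpoint actually sends, `openssl s_client -connect <host>:55443 -showcerts` prints the presented chain, which can then be compared with the issuers present in the trust store.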