check-mqtt
The script is not able to connect to a secured broker without cafile parameter
Dear maintainer,
I was implementing your script in my infra when I noticed that it was not able to connect to a secured broker. After looking in the source code, this is caused by the fact that TLS is enabled if and only if a CA file is provided, whereas this shouldn't be necessary.
I guess the best way to address this issue is to add a parameter indicating that TLS should be enabled. Let me know if you want me to propose a patch or a pull request.
Enabling TLS but not verifying a server's certificate seems counterproductive and cannot be good practice. You are of course free to alter the source code to provide the feature, but we would most likely not incorporate it into the repository.
As far as I can see from the paho-mqtt documentation (https://pypi.org/project/paho-mqtt/#constructor-reinitialise), if ca_certs is not set, it uses the default certification authorities of the system (like most tools, except browsers, which usually integrate their own certificate authorities).
I've tested with a self-signed certificate and it fails as expected (--tls is the parameter I've added myself to the script to enable TLS):

```
check_mqtt --tls -H xxx.com -P 8883 -u user -p password -t icinga/heartbeat
CRITICAL - Connection to xxx.com:8883 failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)
```
By the way, manually indicating the certification authority is not really convenient, since the broker admin may change the certificate provider at any time.
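As an added illustration (not code from check-mqtt or from either participant in this thread), the following Python sketch shows the behaviour discussed above: when no CA file is given, the TLS context is built from the system trust store, and certificate and hostname verification stay mandatory in both cases, so a self-signed broker certificate is still rejected. The function names, the `--tls`/CA-file decision and the recording client are assumptions made for this example; `tls_set_context` is a real paho-mqtt client method.

```python
import ssl
from typing import Optional


def build_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context for the broker connection.

    With cafile=None, ssl.create_default_context() loads the operating
    system's trust store, which is what paho's tls_set() does when
    ca_certs is omitted. Verification is mandatory either way.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Never relax these: TLS without certificate and hostname checks gives
    # no protection against a spoofed broker, which is the maintainer's point.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_requested(tls_flag: bool, cafile: Optional[str]) -> bool:
    """Assumed rule: TLS is used when --tls is given OR a CA file is supplied."""
    return bool(tls_flag or cafile)


def configure_client(client, tls_flag: bool, cafile: Optional[str]) -> bool:
    """Attach the verifying TLS context to a paho-style client.

    Returns True when TLS was enabled, False when the plain connection is kept.
    """
    if not tls_requested(tls_flag, cafile):
        return False
    client.tls_set_context(build_tls_context(cafile))
    return True


def format_connect_failure(host: str, port: int, exc: Exception) -> str:
    """Nagios-style CRITICAL line in the shape of the plugin output shown above."""
    return f"CRITICAL - Connection to {host}:{port} failed: {exc}"


class RecordingClient:
    """Constructed stand-in for paho.mqtt.client.Client used for offline checks."""

    def __init__(self) -> None:
        self.context: Optional[ssl.SSLContext] = None

    def tls_set_context(self, context: ssl.SSLContext) -> None:
        self.context = context
```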