How do I clear the certificate cache?

[weirdyang]

I'm testing 3 scenarios,1 with an lets encrypt server certificate (8886), 1 with an expired server certificate (8887) and the other with a proper one (8883).

If I run the test with either the expired server certificate or lets encrypt first, the proper one will fail will this error

The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

But if I run them separately it won't fail. What could be the issue? I am already creating a new client for each test:

            var options = new ManagedMqttClientOptionsBuilder()
                .WithAutoReconnectDelay(TimeSpan.FromSeconds(5))
                .WithClientOptions(
                new MqttClientOptionsBuilder()
                .WithConnectionSettings(
                new MqttSettings(Host)
                {
                    ValidateCerts = validateCerts,
                    UseTls = useTls,
                    TcpPort = port,
                    ClientId = clientId,
                    CaFile = caFile,
                    ClientCertFile = clientFile,
                    KeyFile = keyFile,
                    KeyFilePassword = keyPass,
                    Username = username,
                    Password = password
                }));
            var client = new MqttFactory()
                .CreateManagedMqttClient();

I'm using the test.mosquitto.org servers:
8883 : MQTT, encrypted, unauthenticated
8886 : MQTT, encrypted, unauthenticated
8887 : MQTT, encrypted, server certificate deliberately expired

this is my code for building the TLS options:

        public static MqttClientOptionsBuilder WithTlsSettings(this MqttClientOptionsBuilder builder, MqttSettings cs)
        {
            var tlsParams = new MqttClientTlsOptionsBuilder();
            tlsParams.UseTls(cs.UseTls);

            if (!cs.ValidateCerts)
            {
                tlsParams.WithCertificateValidationHandler(_ => true);
                tlsParams.WithAllowUntrustedCertificates(true);
                tlsParams.WithIgnoreCertificateChainErrors(true);
                tlsParams.WithIgnoreCertificateRevocationErrors(true);
            }
            if (cs.UseTls)
            {

                tlsParams.WithSslProtocols(System.Security.Authentication.SslProtocols.Tls12 | System.Security.Authentication.SslProtocols.Tls13);

                if (!string.IsNullOrEmpty(cs.CaFile))
                {
                    X509Certificate2Collection chain = new();
                    chain.ImportFromPem(cs.CaFile.AsSpan());
                    tlsParams.WithTrustChain(chain);
                    tlsParams.WithRevocationMode(X509RevocationMode.NoCheck);
                }

                if (!string.IsNullOrEmpty(cs.ClientCertFile) && !string.IsNullOrEmpty(cs.KeyFile))
                {
                    List<X509Certificate2> certs = new();
                    X509Certificate2 cert = x509CertificateLoader.LoadFromCertString(cs.ClientCertFile, cs.KeyFile, cs.KeyFilePassword!);
                    if (!cert.HasPrivateKey)
                    {
                        throw new SecurityException("Provided Cert Has not Private Key");
                    }
                    certs.Add(cert);
                    tlsParams.WithClientCertificates(certs);
                }

                builder.WithTlsOptions(tlsParams.Build());
            }
            return builder;
        }

When I log the certificate validation errors, the same errors appear for 8887 (expired cert) and 8883 (valid cert)

For 8884

[String]:
"CN=test.mosquitto.org, OU=Expired Certificate, O=Mosquitto, L=Derby, S=United Kingdom, C=GB"
[String]:
"6/1/2021 5:00:21 am"
[X509RevocationMode]:
0
[X509ChainStatus[]]:
[
  {
    "Status": 65536,
    "StatusInformation": "A certificate chain could not be built to a trusted root authority."
  },
  {
    "Status": 1,
    "StatusInformation": "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
  }
]
[SslPolicyErrors]:
4

For 8883

[String]:
"CN=test.mosquitto.org, OU=Expired Certificate, O=Mosquitto, L=Derby, S=United Kingdom, C=GB"
[String]:
"6/1/2021 5:00:21 am"
[X509RevocationMode]:
0
[X509ChainStatus[]]:
[
  {
    "Status": 1,
    "StatusInformation": "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
  }
]
[SslPolicyErrors]:
4

[rido-min]

each OS/Platform has different TLS stack, can you provide more details?

And I would not disable all certification checks, instead control which ones you need with your MqttSettings (btw, do you have the source available?)

[weirdyang]

I'm testing on windows 10

[weirdyang]

I always noticed this repo notes that the callback has state, and it's also with the mosquitto LetsEncrypt endpoint

https://github.com/iotmodels/MQTTnet.Extensions.MultiCloud/blob/e4b0494bd141ea176639d9b5a76f4c208ed0b5b9/tests/MQTTnet.Extensions.MultiCloud.IntegrationTests/TestMosquittoOrgX509.cs#L16

[weirdyang]

I'm still experiencing this issue and would appreciate any advice on how to resolve this.