Install Mosquitto broker
sudo apt install mosquitto mosquitto-clients
mosquitto-clients (mosquitto_sub / mosquitto_pub) is only needed for local testing; the broker itself does not require it
Autostart Mosquitto service
sudo systemctl enable mosquitto
Check Mosquitto status
sudo systemctl status mosquitto
Local testing
Open two terminals.
One as subscriber to see the results
mosquitto_sub -h localhost -t "test/message"
One as a publisher to send a message
mosquitto_pub -h localhost -t "test/message" -m "Hello world"
Securing MQTT
With username and password
On the broker
Create a user with password (-c creates the password file; omit -c when adding further users to an existing file, otherwise it is overwritten)
> sudo mosquitto_passwd -c /etc/mosquitto/passwd <user_name>
Edit the mosquitto config files.
> sudo nano /etc/mosquitto/mosquitto.conf
Add > password_file /etc/mosquitto/passwd
Add > allow_anonymous false
Restart the broker
> sudo systemctl restart mosquitto
Testing
Test the subscriber
> mosquitto_sub -h localhost -t "test/message"
Must result in an error (anonymous access is now refused)
> mosquitto_sub -h localhost -t "test/message" -u <user> -P <password>
The command will wait for a message
Test the publisher
> mosquitto_pub -h localhost -t "test/message" -m "Hello world"
Must result in an error.
> mosquitto_pub -h localhost -t "test/message" -m "Hello world" -u <user> -P <password>
Use TLS for security
With a script, the easy way
Create certificates and keys with the following Github script
https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
On the broker
Edit the mosquitto config files.
> sudo nano /etc/mosquitto/mosquitto.conf
add the following
> listener 8883
> cafile /etc/mosquitto/ca_certificates/ca.crt
> keyfile /etc/mosquitto/certs/<server.key>
> certfile /etc/mosquitto/certs/<server.crt>
Put the certificates and key just created in the locations named above (cafile, keyfile, certfile)
Restart the broker
> sudo systemctl restart mosquitto
Copy the ca.crt file to the clients. Note the file is unencrypted: it is the public CA certificate, so it needs no passphrase, but keep ca.key on the broker only.
Open a second terminal
Test the subscriber (Terminal 1)
> mosquitto_sub --cafile /etc/mosquitto/certs/ca.crt -h MQTT01 -t "test/message" -p 8883
Test the publisher (Terminal 2)
> mosquitto_pub --cafile /etc/mosquitto/certs/ca.crt -h MQTT01 -t "test/message" -m "hello" -p 8883
Creating key and certificates by hand
extracted from the script
Create a CA key and certificate
On the broker
> cd /etc/mosquitto/certs
As extracted from the script:
> openssl req -newkey rsa:4096 -x509 -nodes -sha512 -days 1826 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/CN=An MQTT broker/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net"
Create a server key and certificate
On the broker
> cd /etc/mosquitto/certs
Use the same base name for the key, CSR and certificate throughout. Simple form (server.*):
> sudo openssl genrsa -out server.key 4096
> sudo openssl req -new -out server.csr -key server.key
As extracted from the script (files named after the broker host, here MQTT01):
> sudo openssl genrsa -out MQTT01.key 4096
> sudo openssl req -new -sha512 -out MQTT01.csr -key MQTT01.key -subj "/CN=MQTT01"
Now we use the CA key to sign the server certificate request. This creates the server.crt (or MQTT01.crt) file.
Simple form:
> sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
As extracted from the script (MQTT01.CNF is the extensions file produced by the script; it is not reproduced on this page):
> sudo openssl x509 -req -sha512 -in MQTT01.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl -out MQTT01.crt -days 3065 -extfile MQTT01.CNF -extensions JPMextensions
Edit the Mosquitto config file
On the broker
Edit the mosquitto config files.
> sudo nano /etc/mosquitto/mosquitto.conf
add the following
> listener 8883
> cafile /etc/mosquitto/certs/ca.crt
> keyfile /etc/mosquitto/certs/server.key
> certfile /etc/mosquitto/certs/server.crt
Restart the broker
> sudo systemctl restart mosquitto
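Added example (not part of these notes, not Mosquitto's own code): a small Python audit of a mosquitto.conf that checks for the three hardening steps above (allow_anonymous false, a password_file, and cafile/certfile/keyfile on every listener). The two configs embedded in the block are constructed samples, one as installed by default and one as configured in this guide.

```python
"""Audit a mosquitto.conf for the hardening directives used in this guide."""

# Constructed samples: a default-style open config and the hardened one.
WEAK_CONF = """
# fresh install: plaintext listener, nothing else
listener 1883
"""

HARDENED_CONF = """
password_file /etc/mosquitto/passwd
allow_anonymous false
listener 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
"""

# Directives treated as global here (without per_listener_settings).
GLOBAL_KEYS = {"allow_anonymous", "password_file"}


def parse_conf(text):
    """Return (global directives, list of per-listener directive dicts).

    Mosquitto attaches listener options to the most recent 'listener'
    line, so directives are collected per listener block.
    """
    globals_, listeners = {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            current = {"listener": value}
            listeners.append(current)
        elif key in GLOBAL_KEYS:
            globals_[key] = value
        else:
            current[key] = value
    return globals_, listeners


def audit(text):
    """Return a list of findings; an empty list means the guide was followed."""
    g, listeners = parse_conf(text)
    findings = []
    if g.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous is not explicitly false")
    if not g.get("password_file"):
        findings.append("no password_file configured")
    if not listeners:
        findings.append("no listener defined")
    for lst in listeners:
        missing = [k for k in ("cafile", "certfile", "keyfile") if k not in lst]
        if missing:
            findings.append(f"listener {lst['listener']} without TLS: missing " + ", ".join(missing))
    return findings
```

Run audit() over the text of /etc/mosquitto/mosquitto.conf after each edit; the hardened sample yields no findings, the default one yields three.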
Securing MQTT
First install broker certificates