Setting up Mosquitto 1.4 with TLS

Branden Hall
3 min read · Feb 26, 2015

Web browsers do a wonderful job of hiding the complexities of secure connections. When you’re working with a system that doesn’t include a browser, those niceties are stripped away and you have a few manual steps you need to complete. Since I just went through a few hours of frustration sorting this all out I figured I’d try to save others from the same by writing up the pertinent details. Dive in!

TLS is based on having a chain of trust from a Certificate Authority down to your server. It’s those CAs that you pay money to when you buy a TLS certificate. You can always skip the CA and self-sign a certificate (the mosquitto-tls manpage covers this nicely), but note that a self-signed certificate will not work with the new Websockets support in Mosquitto 1.4. Modern web browsers will give you nasty error messages if you try to use a self-signed cert, even for Websockets, and rightly so.

So, assuming you’re using an actually issued certificate, you’ll need it in PEM format along with your key (also in PEM format). In case your cert happens to be in binary/DER format (I’ve seen them as .crt files) you can use this OpenSSL command to convert it to PEM.

openssl x509 -inform der -in XXX.crt -out XXX.pem

You’re also going to need your CA’s root certificate and any intermediates. If you already have your cert installed on your HTTP server, you can use SSL Checker to figure out the full chain. Once you know the certificates you can download them from your CA (again, in PEM format) and put them all into a single file, one after the other with the root certificate coming last.

Now that you have all of those pieces, your cert, your key, and the compiled CA cert, upload them to your server. Make sure neither your certificate nor your key is shared or accidentally placed in your web root. Also, ensure that all three files are readable by the user that you have running mosquitto.

All that’s left now is to make the appropriate changes to the mosquitto.conf file. Mosquitto recommends using port 8883 for secure MQTT.

port 8883
cafile /etc/certs/ca.pem
certfile /etc/certs/mydomain.pem
keyfile /etc/certs/mydomain.key

If you did everything correctly you can use the same setup for both your MQTT and Websockets listener (though on a different port, of course). If you want to use Websockets you’ll need to re-compile Mosquitto after modifying the config.mk file and changing the value of WITH_WEBSOCKETS to yes.
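Before restarting the broker it is worth checking the three files the way the broker will: the chain file assembled root-last, the key actually belonging to the certificate, the chain validating, the files readable, and finally the live listener on 8883 handing clients a verifiable chain. The following script is an added example (not from the original post or the Mosquitto project) that does those checks with the openssl CLI; the function names, and the host name you pass to probe_listener, are my own.

```shell
#!/bin/sh
# Pre-flight checks for the Mosquitto TLS listener described above:
# assemble the cafile, confirm the key really belongs to the certificate,
# verify the chain, check file readability, then probe the live listener.
set -e

# Concatenate intermediates (in order) followed by the root, which goes last.
# Prints the number of certificates written so the count can be eyeballed.
# Usage: build_chain OUTFILE ROOT.pem [INTERMEDIATE.pem ...]
build_chain() {
    out=$1; root=$2; shift 2
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
    cat "$root" >> "$out"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Returns 0 when the public key inside the certificate equals the public
# half of the private key; a mismatch makes the broker refuse to start.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the server certificate chains up to the assembled cafile.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 only if every file given is readable by the current user.
# Run it as the user mosquitto runs as, e.g. "sudo -u mosquitto sh ...".
files_readable() {
    for f in "$@"; do [ -r "$f" ] || return 1; done
}

# Handshake against a running broker (hostname assumed, port 8883 as in the
# config above) and require a clean verification, which is what clients see.
probe_listener() {
    printf '' | openssl s_client -connect "$1:8883" -servername "$1" \
        -CAfile "$2" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

A typical run is build_chain ca.pem root.pem intermediate.pem, then key_matches_cert and chain_verifies on the server cert, and probe_listener against the broker once it is up.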

Hopefully you find this useful and are able to quickly get Mosquitto up and operational. Here are a few links I found useful while sorting this all out. Note that some of the information is out of date now that Mosquitto 1.4 has shipped and is the current version.
