drmaq/mosquitto-on-uberspace.txt

## mosquitto-on-uberspace.txt
# Make a directory
mkdir ~/mosquitto
cd ~/mosquitto

# Get mosquitto for CentOS 6 and locally unpack it
wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/oojah:/mqtt/RedHat_RHEL-6/x86_64/mosquitto-1.2-6.1.x86_64.rpm
rpm2cpio mosquitto-*.rpm | cpio -idmv
mosquitto-*.rpm

# Set up ~/service on uberspace
test -d ~/service || uberspace-setup-svscan

uberspace-setup-service mosquitto ~/mosquitto/usr/sbin/mosquitto

# Congratulations - the ~/service/mosquitto service is now ready to use!
# To control your service you'll need the svc command (hint: svc = service control):

# To start the service (hint: u = up):
  svc -u ~/service/mosquitto
# To stop the service (hint: d = down):
  svc -d ~/service/mosquitto
# To reload the service (hint: h = HUP):
  svc -h ~/service/mosquitto
# To restart the service (hint: du = down, up):
  svc -du ~/service/mosquitto

# Log can be viewed with
cat ~/service/mosquitto/log/main/current

# By default mosquitto starts on port 1883; we need to find another
# free port on uberspace and use that

cat > etc/mosquitto/mosquitto.conf <<EOF
port 11883
persistence true
persistence_location $HOME/mosquitto/var/lib/mosquitto/
EOF

# Create the required directories
mkdir -p ~/mosquitto/var/log/mosquitto/

# Try
~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf

# Edit ~/service/mosquitto/run so that the exec line reads:
exec ~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf 2>&1

# Restart
svc -du ~/service/mosquitto

# Inspect the log
tail ~/service/mosquitto/log/main/current

# To remove the service:
  cd ~/service/mosquitto
  rm ~/service/mosquitto
  svc -dx . log
  rm -rf ~/etc/run-mosquitto

# More information about controlling daemons can be found here:
# https://uberspace.de/dokuwiki/system:daemontools#wenn_der_daemon_laeuft

# Uberspace support needs to be informed to open the firewall for the special port.
# Before we do this though, we need to think about security as the above does not
# implement any security at all so far.

############

https://blog.uberspace.de/lets-encrypt-rollt-an/

# Do once
uberspace-letsencrypt
letsencrypt certonly
uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www.*/privkey.pem -c ~/.config/letsencrypt/live/www.*/cert.pem

# Do every 90 days
letsencrypt-renewer --config-dir ~/.config/letsencrypt --logs-dir ~/.config/letsencrypt/logs --work-dir ~/tmp/
uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www.*/privkey.pem -c ~/.config/letsencrypt/live/www.*/cert.pem

############

http://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/

If you want to use TLS certificates you’ve generated using the Let’s Encrypt service, this is how you should configure your listener (replace “example.com” with your own domain of course):

Go to https://www.identrust.com/certificates/trustid/root-download-x3.html to get the DST root certificate. Open a text editor, and paste the contents from that link, surrounding the text with the BEGIN and END lines as below:

    —–BEGIN CERTIFICATE—–

    <pasted content goes here

    —–END CERTIFICATE—–

Then, each time after your script to automatically generate your certificates runs you should also run:

    cat /etc/letsencrypt/live/example.com/chain.pem /etc/letsencrypt/<your root>.pem > /etc/letsencrypt/live/example.com/chain-ca.pem

Then use the following for your mosquitto.conf:

    listener 8883
    cafile /etc/letsencrypt/live/example.com/chain-ca.pem
    certfile /etc/letsencrypt/live/example.com/cert.pem
    keyfile /etc/letsencrypt/live/example.com/privkey.pem

You need to be aware that current versions of mosquitto never update listener settings when running, so when you regenerate the server certificates you will need to completely restart the broker.
	# Make a directory
	mkdir ~/mosquitto
	cd ~/mosquitto

	# Get mosquitto for CentOS 6 and locally unpack it
	wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/oojah:/mqtt/RedHat_RHEL-6/x86_64/mosquitto-1.2-6.1.x86_64.rpm
	rpm2cpio mosquitto-*.rpm \| cpio -idmv
	mosquitto-*.rpm

	# Set up ~/service on uberspace
	test -d ~/service \|\| uberspace-setup-svscan

	uberspace-setup-service mosquitto ~/mosquitto/usr/sbin/mosquitto

	# Congratulations - the ~/service/mosquitto service is now ready to use!
	# To control your service you'll need the svc command (hint: svc = service control):

	# To start the service (hint: u = up):
	svc -u ~/service/mosquitto
	# To stop the service (hint: d = down):
	svc -d ~/service/mosquitto
	# To reload the service (hint: h = HUP):
	svc -h ~/service/mosquitto
	# To restart the service (hint: du = down, up):
	svc -du ~/service/mosquitto

	# Log can be viewed with
	cat ~/service/mosquitto/log/main/current

	# By default mosquitto starts on port 1883; we need to find another
	# free port on uberspace and use that

	cat > etc/mosquitto/mosquitto.conf <<EOF
	port 11883
	persistence true
	persistence_location $HOME/mosquitto/var/lib/mosquitto/
	EOF

	# Create the required directories
	mkdir -p ~/mosquitto/var/log/mosquitto/

	# Try
	~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf

	# Edit ~/service/mosquitto/run so that the exec line reads:
	exec ~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf 2>&1

	# Restart
	svc -du ~/service/mosquitto

	# Inspect the log
	tail ~/service/mosquitto/log/main/current

	# To remove the service:
	cd ~/service/mosquitto
	rm ~/service/mosquitto
	svc -dx . log
	rm -rf ~/etc/run-mosquitto

	# More information about controlling daemons can be found here:
	# https://uberspace.de/dokuwiki/system:daemontools#wenn_der_daemon_laeuft

	# Uberspace support needs to be informed to open the firewall for the special port.
	# Before we do this though, we need to think about security as the above does not
	# implement any security at all so far.

	############

	https://blog.uberspace.de/lets-encrypt-rollt-an/

	# Do once
	uberspace-letsencrypt
	letsencrypt certonly
	uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www./privkey.pem -c ~/.config/letsencrypt/live/www./cert.pem

	# Do every 90 days
	letsencrypt-renewer --config-dir ~/.config/letsencrypt --logs-dir ~/.config/letsencrypt/logs --work-dir ~/tmp/
	uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www./privkey.pem -c ~/.config/letsencrypt/live/www./cert.pem

	############

	http://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/

	If you want to use TLS certificates you’ve generated using the Let’s Encrypt service, this is how you should configure your listener (replace “example.com” with your own domain of course):

	Go to https://www.identrust.com/certificates/trustid/root-download-x3.html to get the DST root certificate. Open a text editor, and paste the contents from that link, surrounding the text with the BEGIN and END lines as below:

	—–BEGIN CERTIFICATE—–

	<pasted content goes here

	—–END CERTIFICATE—–

	Then, each time after your script to automatically generate your certificates runs you should also run:

	cat /etc/letsencrypt/live/example.com/chain.pem /etc/letsencrypt/<your root>.pem > /etc/letsencrypt/live/example.com/chain-ca.pem

	Then use the following for your mosquitto.conf:

	listener 8883
	cafile /etc/letsencrypt/live/example.com/chain-ca.pem
	certfile /etc/letsencrypt/live/example.com/cert.pem
	keyfile /etc/letsencrypt/live/example.com/privkey.pem

	You need to be aware that current versions of mosquitto never update listener settings when running, so when you regenerate the server certificates you will need to completely restart the broker.