@drmaq
Forked from probonopd/mosquitto-on-uberspace.txt
Created September 24, 2018 20:02
mosquitto MQTT on uberspace
# Make a directory
mkdir ~/mosquitto
cd ~/mosquitto
# Get mosquitto for CentOS 6 and locally unpack it
wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/oojah:/mqtt/RedHat_RHEL-6/x86_64/mosquitto-1.2-6.1.x86_64.rpm
rpm2cpio mosquitto-*.rpm | cpio -idmv
# The package file is no longer needed once it has been unpacked
rm mosquitto-*.rpm
# Set up ~/service on uberspace
test -d ~/service || uberspace-setup-svscan
uberspace-setup-service mosquitto ~/mosquitto/usr/sbin/mosquitto
# Congratulations - the ~/service/mosquitto service is now ready to use!
# To control your service you'll need the svc command (hint: svc = service control):
# To start the service (hint: u = up):
svc -u ~/service/mosquitto
# To stop the service (hint: d = down):
svc -d ~/service/mosquitto
# To reload the service (hint: h = HUP):
svc -h ~/service/mosquitto
# To restart the service (hint: du = down, up):
svc -du ~/service/mosquitto
# Log can be viewed with
cat ~/service/mosquitto/log/main/current
# By default mosquitto listens on port 1883; on uberspace we need to pick another
# free port and use that. The config file lives inside the unpacked tree:
cat > ~/mosquitto/etc/mosquitto/mosquitto.conf <<EOF
port 11883
persistence true
persistence_location $HOME/mosquitto/var/lib/mosquitto/
EOF
# Create the required directories (the persistence_location above must exist,
# otherwise mosquitto cannot write its database)
mkdir -p ~/mosquitto/var/lib/mosquitto/ ~/mosquitto/var/log/mosquitto/
# Try it in the foreground first to check the config (Ctrl-C to stop)
~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf
# Edit ~/service/mosquitto/run so that the exec line reads:
exec ~/mosquitto/usr/sbin/mosquitto -c ~/mosquitto/etc/mosquitto/mosquitto.conf 2>&1
# Restart
svc -du ~/service/mosquitto
# Inspect the log
tail ~/service/mosquitto/log/main/current
# To remove the service:
cd ~/service/mosquitto
rm ~/service/mosquitto
svc -dx . log
rm -rf ~/etc/run-mosquitto
# More information about controlling daemons can be found here:
# https://uberspace.de/dokuwiki/system:daemontools#wenn_der_daemon_laeuft
# Uberspace support needs to be informed to open the firewall for the special port.
# Before we do this, though, we need to think about security: the setup above has
# no authentication and no encryption at all so far, so anyone reaching the port
# could publish and subscribe.
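The config written above is exactly the "no security at all" state. As an added example (not part of the original gist), the script below writes that weak config next to a hardened variant and runs a small audit over both, so you can see which settings close the gap before asking support to open the port. It assumes mosquitto 1.x semantics (allow_anonymous defaults to true; a listener without cafile/certfile/keyfile is plaintext) and the paths under /home/user/ are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a mosquitto.conf for the three things the notes above
# leave open: anonymous access, no client authentication, no TLS.

# True if the (non-comment) config contains a line matching the regex.
conf_has() {
    grep -E -v '^[[:space:]]*#' "$1" | grep -E -q "$2"
}

# Print one finding per line for the given config file.
audit_mosquitto_conf() {
    conf="$1"
    if ! conf_has "$conf" '^[[:space:]]*allow_anonymous[[:space:]]+false'; then
        echo "anonymous clients accepted (allow_anonymous is not set to false)"
    fi
    if ! conf_has "$conf" '^[[:space:]]*password_file[[:space:]]+'; then
        echo "no password_file: clients are never authenticated"
    fi
    if ! conf_has "$conf" '^[[:space:]]*(cafile|certfile|keyfile)[[:space:]]+'; then
        echo "no TLS material: all MQTT traffic is plaintext"
    fi
}

# Number of findings, so the result can be checked rather than just read.
finding_count() {
    audit_mosquitto_conf "$1" | wc -l | tr -d ' '
}

WORK=$(mktemp -d)
WEAK_CONF="$WORK/weak.conf"
HARDENED_CONF="$WORK/hardened.conf"

# The config from the notes above (constructed copy, placeholder home dir).
cat > "$WEAK_CONF" <<'EOF'
port 11883
persistence true
persistence_location /home/user/mosquitto/var/lib/mosquitto/
EOF

# Hardened variant (constructed for this example): authenticated, TLS-only.
# The password file would be created with: mosquitto_passwd -c <file> <user>
cat > "$HARDENED_CONF" <<'EOF'
listener 11883
persistence true
persistence_location /home/user/mosquitto/var/lib/mosquitto/
allow_anonymous false
password_file /home/user/mosquitto/etc/mosquitto/passwd
cafile /home/user/.config/letsencrypt/live/example.com/chain-ca.pem
certfile /home/user/.config/letsencrypt/live/example.com/cert.pem
keyfile /home/user/.config/letsencrypt/live/example.com/privkey.pem
EOF

echo "== findings for $WEAK_CONF =="
audit_mosquitto_conf "$WEAK_CONF"
echo "== findings for $HARDENED_CONF =="
audit_mosquitto_conf "$HARDENED_CONF"
```

The audit only reads the file; it does not touch ~/service. Run it against your real ~/mosquitto/etc/mosquitto/mosquitto.conf by passing that path to audit_mosquitto_conf, and restart the broker with svc -du after changing listener settings, since mosquitto does not reload those on HUP.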
############
https://blog.uberspace.de/lets-encrypt-rollt-an/
# Do once
uberspace-letsencrypt
letsencrypt certonly
uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www.*/privkey.pem -c ~/.config/letsencrypt/live/www.*/cert.pem
# Do every 90 days
letsencrypt-renewer --config-dir ~/.config/letsencrypt --logs-dir ~/.config/letsencrypt/logs --work-dir ~/tmp/
uberspace-prepare-certificate -k ~/.config/letsencrypt/live/www.*/privkey.pem -c ~/.config/letsencrypt/live/www.*/cert.pem
############
http://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/
If you want to use TLS certificates you’ve generated using the Let’s Encrypt service, this is how you should configure your listener (replace “example.com” with your own domain of course):
Go to https://www.identrust.com/certificates/trustid/root-download-x3.html to get the DST root certificate. Open a text editor, and paste the contents from that link, surrounding the text with the BEGIN and END lines as below:
-----BEGIN CERTIFICATE-----
<pasted content goes here>
-----END CERTIFICATE-----
Then, each time after your script to automatically generate your certificates runs you should also run:
cat /etc/letsencrypt/live/example.com/chain.pem /etc/letsencrypt/<your root>.pem > /etc/letsencrypt/live/example.com/chain-ca.pem
Then use the following for your mosquitto.conf:
listener 8883
cafile /etc/letsencrypt/live/example.com/chain-ca.pem
certfile /etc/letsencrypt/live/example.com/cert.pem
keyfile /etc/letsencrypt/live/example.com/privkey.pem
You need to be aware that current versions of mosquitto never update listener settings when running, so when you regenerate the server certificates you will need to completely restart the broker.
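A root certificate pasted from a web page often arrives with typographic dashes in the BEGIN/END lines or an unbalanced marker, and mosquitto will then fail to load the cafile after the chain-ca.pem concatenation step above. As an added example (not from the gist or from mosquitto.org), the script below checks a PEM bundle for exactly that before building chain-ca.pem. The certificate bodies are constructed dummies, not real certificates, and all paths are temporary.

```shell
#!/bin/sh
# Added example: sanity-check PEM files and build chain-ca.pem only from
# clean inputs. grep -a keeps grep from treating pasted UTF-8 as binary.

# Number of certificates with a strict ASCII BEGIN marker in a PEM file.
pem_cert_count() {
    grep -a -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Return 0 if every BEGIN/END line is the exact five-hyphen ASCII form and
# the BEGIN and END counts match; typographic dashes or a missing END fail.
pem_bundle_ok() {
    f="$1"
    begins=$(pem_cert_count "$f")
    ends=$(grep -a -c -- '^-----END CERTIFICATE-----$' "$f" || true)
    mangled=$(grep -a -E 'BEGIN CERTIFICATE|END CERTIFICATE' "$f" \
        | grep -a -E -v -c -- '^-----(BEGIN|END) CERTIFICATE-----$' || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$mangled" -eq 0 ]
}

# The concatenation step from the text, refusing to write if either input
# is not a clean bundle, and replacing the output atomically.
build_chain_ca() {
    chain="$1"; root="$2"; out="$3"
    pem_bundle_ok "$chain" || { echo "refusing: $chain is not a clean PEM bundle" >&2; return 1; }
    pem_bundle_ok "$root"  || { echo "refusing: $root is not a clean PEM bundle" >&2; return 1; }
    cat "$chain" "$root" > "$out.tmp" && mv "$out.tmp" "$out"
}

# Constructed sample files (dummy bodies, not real certificates).
WORK=$(mktemp -d)
cat > "$WORK/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateBodyNotARealCert
-----END CERTIFICATE-----
EOF
cat > "$WORK/root.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedRootBodyNotARealCert
-----END CERTIFICATE-----
EOF
# Same root, but the marker lines were pasted with typographic dashes.
cat > "$WORK/root-mangled.pem" <<'EOF'
—–BEGIN CERTIFICATE—–
MIIBconstructedRootBodyNotARealCert
—–END CERTIFICATE—–
EOF

build_chain_ca "$WORK/chain.pem" "$WORK/root.pem" "$WORK/chain-ca.pem"
echo "chain-ca.pem contains $(pem_cert_count "$WORK/chain-ca.pem") certificates"
```

Call build_chain_ca with your chain.pem, the saved root, and the chain-ca.pem path from your renewal script so a bad paste stops the build instead of producing a cafile the broker rejects on its next restart.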