The use-case for me is to connect my openHAB installation at our summer house with my production openHAB installation. The summer house openHAB instance will then just act as a slave to the production system and is connected using the MQTT binding and the MQTT Event Bus (Now replaced by the openHAB remote binding).
To be able to connect a remote Mosquitto instance to a central Mosquitto instance you need to configure the remote Mosquitto as a bridge and the central Mosquitto will then be the broker.
- Create a local protected directory:
$ mkdir myCA
$ chmod 700 myCA
$ cd myCA
- Download the generate-CA.sh script from the OwnTracks project. The script creates the certificate authority (CA) files, generates keys and server certificates, and uses the CA to sign those certificates.
First we need to tell the script the external IP address of our Mosquitto broker, i.e. the public IP your ISP assigned to you, so that it ends up in the broker certificate. This is done by uncommenting the IPLIST variable in the script (I've also added the private IP address):
IPLIST="82.166.55.213 192.168.50.141"
- Then run the script:
bash generate-CA.sh
The script will generate the following files (hostname is the hostname of the machine you are running the broker on):
- ca.key (CA private key)
- ca.crt (CA certificate)
- hostname.key (broker private key)
- hostname.csr (broker certificate signing request)
- hostname.crt (broker certificate)
Copy ca.crt to the /etc/mosquitto/ca_certificates folder. Copy hostname.crt and hostname.key to /etc/mosquitto/certs (in the configuration below the hostname is openhab).
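Before copying the files it is worth confirming that what the script produced actually fits together: that hostname.crt chains to ca.crt (the only thing the bridge will trust), that hostname.key is the key for that certificate, that every address from IPLIST is in the certificate's Subject Alternative Name, and that the private keys are not world-readable. The script below is an added check, not part of the original post or of the OwnTracks tooling; make_demo_ca is a constructed stand-in for generate-CA.sh that only reproduces its file layout so the check can be run offline, and the directory, hostname and IP addresses are assumptions.

```shell
#!/bin/sh
# Added check (not from the original post or the OwnTracks script): confirm the
# files generate-CA.sh left in myCA are consistent before copying them into
# /etc/mosquitto. Paths, the hostname and the IPs below are assumptions.
set -u

# verify_broker_certs CA_DIR HOSTNAME "IP1 IP2 ..."
# Prints one line per check; returns 0 only if every check passed.
verify_broker_certs() {
  ca_dir=$1; host=$2; iplist=$3; rc=0
  ca="$ca_dir/ca.crt"; crt="$ca_dir/$host.crt"; key="$ca_dir/$host.key"

  # 1. The broker certificate must chain to ca.crt, the file the bridge trusts.
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "ok   $host.crt is signed by ca.crt"
  else
    echo "FAIL $host.crt does not verify against ca.crt"; rc=1
  fi

  # 2. The private key must belong to that certificate (same public key).
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ]; then
    echo "ok   $host.key matches $host.crt"
  else
    echo "FAIL $host.key does not match $host.crt"; rc=1
  fi

  # 3. Every address from IPLIST must appear as a SAN entry, otherwise a client
  #    that connects by IP address rejects the certificate.
  san=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
  for ip in $iplist; do
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if printf '%s' "$san" | grep -Eq "IP Address:${esc}(,|$)"; then
      echo "ok   SAN contains $ip"
    else
      echo "FAIL SAN is missing $ip"; rc=1
    fi
  done

  # 4. Both private keys must exist and must not be world-readable.
  for f in "$ca_dir/ca.key" "$key"; do
    if [ ! -f "$f" ]; then
      echo "FAIL $f is missing"; rc=1
    elif [ -n "$(find "$f" -perm -o+r 2>/dev/null)" ]; then
      echo "FAIL $f is world-readable"; rc=1
    else
      echo "ok   $f is not world-readable"
    fi
  done
  return $rc
}

# make_demo_ca DIR HOSTNAME "IP1 IP2 ...": a constructed throwaway CA and broker
# certificate so the check can run offline. It is not generate-CA.sh; it only
# reproduces the file layout (ca.key, ca.crt, HOST.key, HOST.csr, HOST.crt).
make_demo_ca() {
  dir=$1; host=$2; iplist=$3
  mkdir -p "$dir" && chmod 700 "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
  san=""
  for ip in $iplist; do san="${san:+$san,}IP:$ip"; done
  printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" -out "$dir/$host.crt" >/dev/null 2>&1
  chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# Example run with constructed values; every line should read "ok":
# tmp=$(mktemp -d)
# make_demo_ca "$tmp" openhab "192.0.2.10 192.168.50.141"
# verify_broker_certs "$tmp" openhab "192.0.2.10 192.168.50.141"
```

Against a real myCA directory you would call verify_broker_certs with the directory, the broker hostname and the same address list you put in IPLIST; a FAIL on the SAN check is the usual sign that IPLIST was edited after the certificate was generated.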
- MQTT configuration for broker
The Mosquitto bridge will authenticate with a client certificate, and on top of that we use username/password authentication. /etc/mosquitto/mosquitto.conf should look like this:
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
log_timestamp true
connection_messages true
# Plain MQTT protocol
listener 1883
# End of plain MQTT configuration
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/openhab.crt
keyfile /etc/mosquitto/certs/openhab.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
include_dir /etc/mosquitto/conf.d
- Restart the Mosquitto broker:
sudo systemctl restart mosquitto.service
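One thing to keep in mind with this configuration is that Mosquitto attaches cafile, certfile, keyfile and require_certificate to the nearest listener line above them, so the order matters: if require_certificate true slips above listener 8883 it binds to the plain 1883 listener, and the TLS listener quietly accepts any client that merely trusts the CA. The script below is an added check, not part of the original post or of Mosquitto itself, that lints a mosquitto.conf for exactly that before the restart; write_good_conf and write_weak_conf write constructed samples (the post's listener block in the right order, and the misplaced variant beside it) so the check can be exercised offline, and the file paths are assumptions.

```shell
#!/bin/sh
# Added check (not part of the original post): lint a mosquitto.conf before the
# restart. Mosquitto attaches cafile/certfile/keyfile/require_certificate to the
# nearest "listener" line above them, so a misplaced line leaves the TLS listener
# accepting any client that merely trusts the CA. File paths below are assumptions.

# check_mosquitto_conf FILE
# Prints one line per finding; exits 0 only if every TLS listener requires client
# certificates, no plain listener carries require_certificate, anonymous access
# is off and a password_file is set.
check_mosquitto_conf() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    $1 == "listener" { cur = $2; listeners[cur] = 1; next }
    $1 == "cafile" || $1 == "certfile" || $1 == "keyfile" || $1 == "require_certificate" {
      if (cur == "") { orphan[$1] = 1 }                # before any listener: applies to none
      else if ($1 == "require_certificate") { reqcert[cur] = $2 }
      else { tls[cur] = 1 }
      next
    }
    $1 == "allow_anonymous" { anon = $2; next }
    $1 == "password_file"   { pwfile = $2; next }
    END {
      rc = 0
      for (o in orphan) { print "FAIL " o " appears before any listener line"; rc = 1 }
      for (l in listeners) {
        if (l in tls) {
          if (reqcert[l] == "true") { print "ok   listener " l " requires client certificates" }
          else { print "FAIL listener " l " has TLS but no require_certificate true"; rc = 1 }
        } else if (reqcert[l] != "") {
          print "FAIL require_certificate is attached to plain listener " l; rc = 1
        } else { print "note listener " l " is plain MQTT" }
      }
      if (anon == "false") { print "ok   allow_anonymous false" }
      else { print "FAIL allow_anonymous is not false"; rc = 1 }
      if (pwfile != "") { print "ok   password_file " pwfile }
      else { print "FAIL no password_file"; rc = 1 }
      exit rc
    }' "$1"
}

# Constructed sample 1: the listener block from the post in the correct order.
write_good_conf() {
  cat > "$1" <<'EOF'
listener 1883
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/openhab.crt
keyfile /etc/mosquitto/certs/openhab.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
EOF
}

# Constructed sample 2: require_certificate slipped above "listener 8883", so it
# binds to the plain 1883 listener and the TLS listener no longer demands a
# client certificate; anonymous access was also left on and no password_file set.
write_weak_conf() {
  cat > "$1" <<'EOF'
listener 1883
require_certificate true
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/openhab.crt
keyfile /etc/mosquitto/certs/openhab.key
allow_anonymous true
EOF
}

# Example run on the real file: check_mosquitto_conf /etc/mosquitto/mosquitto.conf
```

Run it against /etc/mosquitto/mosquitto.conf right before the systemctl restart; the good sample exits 0 with a note that 1883 is plain MQTT, the weak sample exits 1 with a FAIL line for each of the three mistakes it contains.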