Configure Mosquitto bridging with TLS

@jannegpriv, last active November 27, 2020 22:54

The use case for me is to connect my openHAB installation at our summer house to my production openHAB installation. The summer house openHAB instance then just acts as a slave to the production system and is connected using the MQTT binding and the MQTT Event Bus (now replaced by the openHAB remote binding).

To connect a remote Mosquitto instance to a central Mosquitto instance, you configure the remote Mosquitto as a bridge; the central Mosquitto is then the broker that the bridge connects to.

Broker side

  1. Create a local protected directory (the CA private key will live here, so keep it readable only by you):
$ mkdir myCA
$ chmod 700 myCA
$ cd myCA
  2. Download the generate-CA.sh script from the OwnTracks project. The script creates the certificate authority (CA) files, generates keys and a server certificate, and uses the CA to sign the certificate.

First we need to add the external IP address of our Mosquitto broker; this is the public IP assigned by your ISP. The script puts every address in this list into the certificate's subjectAltName, which is what a TLS client checks when it connects by IP. This is done by uncommenting the IPLIST variable in the script (I've also added the private IP address):

IPLIST="82.166.55.213 192.168.50.141"
  3. Then run the script:
$ bash generate-CA.sh

The script generates the following files (hostname is the hostname of the machine you are running the broker on):

  • ca.key (CA private key)
  • ca.crt (CA certificate)
  • hostname.key (broker private key)
  • hostname.csr (broker certificate signing request)
  • hostname.crt (broker certificate, signed by the CA)

Copy the ca.crt to the /etc/mosquitto/ca_certificates folder. Copy the hostname.crt/hostname.key to /etc/mosquitto/certs.
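The steps above delegate the certificate work to generate-CA.sh. The following is an added example, not the gist's or the OwnTracks project's code, that reproduces the same result with plain openssl so the role of IPLIST is visible: every address in the list becomes a subjectAltName entry, and a client that connects by IP will refuse the certificate if its IP is missing. The hostname openhab and the IP addresses 192.0.2.10 and 192.168.50.141 are constructed placeholders; the real public IP goes where 192.0.2.10 is.

```shell
#!/bin/sh
# Added example (not from the gist or from generate-CA.sh): build a CA and a
# broker certificate with openssl. Names and IPs below are placeholders.
set -eu

# make_mqtt_certs DIR HOSTNAME "IP1 IP2 ..."
# Creates ca.key/ca.crt and HOSTNAME.key/.csr/.crt inside DIR.
make_mqtt_certs() {
    dir=$1; host=$2; iplist=$3
    mkdir -p "$dir" && chmod 700 "$dir"

    # 1. Self-signed CA; the CA private key never leaves this directory.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Home MQTT CA" >/dev/null 2>&1

    # 2. Broker private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1

    # 3. Extension file: the hostname plus every IP the broker is reached on
    #    (this is what IPLIST in generate-CA.sh feeds into).
    san="DNS:$host"
    for ip in $iplist; do san="$san,IP:$ip"; done
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$dir/san.ext"

    # 4. Sign the CSR with the CA, attaching the SAN extension.
    openssl x509 -req -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$host.crt" >/dev/null 2>&1
    chmod 600 "$dir"/*.key
}

# verify_cert DIR HOSTNAME IP
# Returns 0 if HOSTNAME.crt chains to ca.crt and lists IP as a SAN, which is
# exactly what a TLS client connecting to that IP will check.
verify_cert() {
    dir=$1; host=$2; ip=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text 2>/dev/null | grep -q "IP Address:$ip"
}

# Stand-alone usage:
#   sh mqtt-certs.sh ./myCA openhab "192.0.2.10 192.168.50.141"
if [ $# -eq 3 ]; then
    make_mqtt_certs "$1" "$2" "$3"
    for ip in $3; do
        verify_cert "$1" "$2" "$ip" && echo "OK: $2.crt chains to ca.crt and has SAN IP $ip"
    done
fi
```

After running it, copy ca.crt, openhab.crt and openhab.key to the same Mosquitto directories as described above; ca.key stays in the protected directory, since anyone holding it can mint certificates the broker will trust.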

  4. MQTT configuration for the broker

The Mosquitto bridge will authenticate with a client certificate signed by our CA and, in addition, with a username/password. The /etc/mosquitto/mosquitto.conf should look like this (the broker's hostname here is openhab, so the files are openhab.crt and openhab.key):

#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

log_type error
log_type warning
log_type notice
log_type information
log_timestamp true
connection_messages true


# Plain MQTT protocol (unencrypted: passwords travel in clear text on this
# port, so keep it reachable only from the trusted local network)
listener 1883

# End of plain MQTT configuration

# MQTT over TLS/SSL (the options below apply to this listener)
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/openhab.crt
keyfile /etc/mosquitto/certs/openhab.key
# Clients must present a certificate signed by the CA in cafile
require_certificate true

# Username/password is required on both listeners
allow_anonymous false
password_file /etc/mosquitto/passwd

include_dir /etc/mosquitto/conf.d

  5. Restart the Mosquitto broker:
$ sudo systemctl restart mosquitto.service
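Because Mosquitto applies cafile, certfile, keyfile and require_certificate to the most recent listener line, it is easy to end up with one listener protected and another wide open. The following added example (my own check, not part of the gist or of Mosquitto) audits a mosquitto.conf listener by listener and flags any listener that is reachable without TLS and not bound to loopback, and any configuration that does not explicitly set allow_anonymous false (older Mosquitto releases default to allowing anonymous clients). The sample configuration it writes is constructed to mirror the one above.

```shell
#!/bin/sh
# Added example (not from the gist): listener-scoped audit of a mosquitto.conf.

# audit_mosquitto_conf FILE
# Prints "<port> tls=<yes|no> client_cert=<yes|no> local=<yes|no>" per listener
# and "allow_anonymous=<value|unset>" at the end. Returns 1 if any listener is
# plain text on a non-loopback address or allow_anonymous is not "false".
audit_mosquitto_conf() {
    awk '
        BEGIN { bad = 0; port = ""; anon = "" }
        /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
        $1 == "listener" {
            flush()
            port = $2; tls = "no"; cc = "no"
            # "listener PORT [bind address]": loopback-only listeners are exempt
            local = ($3 == "127.0.0.1" || $3 == "::1") ? "yes" : "no"
            next
        }
        $1 == "certfile" && port != ""           { tls = "yes" }
        $1 == "require_certificate" && $2 == "true" && port != "" { cc = "yes" }
        $1 == "allow_anonymous"                  { anon = $2 }
        function flush() {
            if (port == "") return
            printf "%s tls=%s client_cert=%s local=%s\n", port, tls, cc, local
            if (tls == "no" && local == "no") bad = 1
        }
        END {
            flush()
            if (anon == "") anon = "unset"
            if (anon != "false") bad = 1
            printf "allow_anonymous=%s\n", anon
            exit bad
        }
    ' "$1"
}

# write_sample_conf FILE: constructed sample that mirrors the broker config
# above, including its plain-text listener on 1883.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
listener 1883

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/openhab.crt
keyfile /etc/mosquitto/certs/openhab.key
require_certificate true

allow_anonymous false
password_file /etc/mosquitto/passwd
EOF
}

# harden_plain_listener IN OUT: the corrected form, binding 1883 to loopback
# so only local clients can use the unencrypted port.
harden_plain_listener() {
    sed 's/^listener 1883$/listener 1883 127.0.0.1/' "$1" > "$2"
}

# Stand-alone usage: sh audit.sh /etc/mosquitto/mosquitto.conf
if [ $# -eq 1 ]; then
    audit_mosquitto_conf "$1" && echo "no findings" || echo "findings above"
fi
```

On the configuration from the gist the audit reports 1883 as plain text and exits 1; binding that listener to 127.0.0.1 (or removing it) clears the finding while leaving the TLS listener with client certificates and passwords untouched.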

Bridge side
