Add MQTT over SSL #3

Open

Thoma-HauC opened this issue Mar 7, 2021 · 5 comments

Comments

@Thoma-HauC

Hello,

I am not comfortable with the writing of YunoHost scripts.
And maybe you are already aware of the suggestion below.

But if you know how to add the mosquitto user to the ssl-cert group, then a first step to use MQTT over SSL is done.
The second step is to push the four lines below to /etc/mosquitto/conf.d/default.conf:

```
listener 8883
certfile /etc/yunohost/certs/your.domain.tld/crt.pem
cafile /etc/yunohost/certs/your.domain.tld/crt.pem
keyfile /etc/yunohost/certs/your.domain.tld/key.pem
```

And that is all.

Regards,

Thoma

@utkarshsethi

@Rafi594 @YunoHost Can you help with this?

I need to run mosquitto with SSL; would directly editing config files mess up the app?

@h3ndrik

h3ndrik commented Jun 2, 2022

also run:

```
usermod -a -G ssl-cert mosquitto
```

so that mosquitto can access the certificates.

EDIT:

```
setfacl -R -m u:mosquitto:rx /etc/yunohost/certs/your.domain.tld
```

seems to do the trick??

and you have to open port 8883 in the yunohost firewall manually.

@jose1711

jose1711 commented Aug 26, 2022

I believe this really needs a better integration with YunoHost. I think as a minimum it should be possible to choose domain, toggle SSL and manage users including password reset from the interface.

As far as SSL is concerned I've collected the steps from comments above (thanks for those) and converted them to commands which can be run on the server within a root session:

```
# create new config
domain=$(yunohost domain main-domain --output-as plain)

cat >/etc/mosquitto/conf.d/ssl.conf <<HERE
listener 8883
certfile /etc/yunohost/certs/${domain}/crt.pem
cafile /etc/yunohost/certs/${domain}/crt.pem
keyfile /etc/yunohost/certs/${domain}/key.pem

allow_anonymous false
password_file /etc/mosquitto/passwd
HERE

# grant permissions to certificates for mosquitto user
usermod -a -G ssl-cert mosquitto
setfacl -R -m u:mosquitto:rx /etc/yunohost/certs/${domain}

# reconfigure firewall (deny 1883, allow 8883)
yunohost firewall allow TCP 8883
yunohost firewall disallow TCP 1883

# update port in the app configuration
yunohost app setting mosquitto port -v 8883

# remove and readd service
yunohost service remove mosquitto
yunohost service add mosquitto --description="Allows MQTT clients to send/receive data" --log="/var/log/mosquitto/mosquitto.log" --needs_exposed_ports=8883

# update backup script
sed -i '/--src_path=/s/default.conf/ssl.conf/' /etc/yunohost/apps/mosquitto/scripts/backup

# switch configs and restart mosquitto
mv /etc/mosquitto/conf.d/default.conf /etc/mosquitto/conf.d/default.conf.disabled
systemctl restart mosquitto
```

EDIT: add port update step
EDIT2: add service remove+readd step
EDIT3: fix backup

@jose1711

Here's a config that enables both SSL (8883) and non-SSL (1883) connections. Perhaps someone finds it useful:

```
per_listener_settings true

listener 8883
certfile /etc/yunohost/certs/DOMAINNAME/crt.pem
cafile /etc/yunohost/certs/DOMAINNAME/crt.pem
keyfile /etc/yunohost/certs/DOMAINNAME/key.pem
password_file /etc/mosquitto/passwd
allow_anonymous false

listener 1883
password_file /etc/mosquitto/passwd
allow_anonymous false
```
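As an added example (not code from the YunoHost mosquitto app or from anyone in this thread), a small Python checker that parses mosquitto's `key value` config format and flags the settings the two configs above revolve around: an 8883 listener without certfile/keyfile, a listener that is not explicitly `allow_anonymous false` or has no `password_file`, a plaintext listener, and several listeners declared without `per_listener_settings true` (in which case the last auth setting seen applies to every listener). The embedded configs are copies of the ones posted above with DOMAINNAME as a placeholder.

```python
# Constructed copies of the two configs posted above (DOMAINNAME is a placeholder).
SSL_CONF = """listener 8883
certfile /etc/yunohost/certs/DOMAINNAME/crt.pem
cafile /etc/yunohost/certs/DOMAINNAME/crt.pem
keyfile /etc/yunohost/certs/DOMAINNAME/key.pem
allow_anonymous false
password_file /etc/mosquitto/passwd
"""
DUAL_CONF = ("per_listener_settings true\n" + SSL_CONF
             + "listener 1883\npassword_file /etc/mosquitto/passwd\nallow_anonymous false\n")
AUTH_KEYS = ("allow_anonymous", "password_file")

def parse_mosquitto_conf(text):
    """Split `key value` lines into (global options, list of per-listener dicts)."""
    global_opts, listeners = {}, []
    current = global_opts
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if not parts:
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":                          # following lines belong to it
            current = {"port": value.split()[0]}
            listeners.append(current)
        else:
            current[key] = value
    return global_opts, listeners

def audit_mosquitto_conf(text):
    """Return one finding per weak listener setting; [] means nothing was flagged."""
    global_opts, listeners = parse_mosquitto_conf(text)
    per_listener = global_opts.get("per_listener_settings") == "true"
    findings = []
    if len(listeners) > 1 and not per_listener:
        findings.append("multiple listeners but per_listener_settings is not true: one auth config applies to all")
    shared = {}   # without per_listener_settings, auth options are global and the last one wins
    for scope in [global_opts, *listeners]:
        shared.update({k: v for k, v in scope.items() if k in AUTH_KEYS})
    for lst in listeners:
        port, auth = lst["port"], (lst if per_listener else shared)
        tls = "certfile" in lst and "keyfile" in lst
        if port == "8883" and not tls:
            findings.append(f"listener {port}: certfile/keyfile missing, TLS is not enabled")
        elif not tls:
            findings.append(f"listener {port}: plaintext, credentials cross the network unencrypted")
        if auth.get("allow_anonymous") != "false":
            findings.append(f"listener {port}: allow_anonymous is not explicitly false")
        elif "password_file" not in auth:
            findings.append(f"listener {port}: anonymous rejected but no password_file configured")
    return findings
```

Running `audit_mosquitto_conf(DUAL_CONF)` reports only the plaintext 1883 listener, which is the trade-off the dual config accepts; the single-listener ssl.conf comes back clean.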

@jedie

jedie commented Nov 27, 2022

> I believe this really needs a better integration with YunoHost. I think as a minimum it should be possible to choose domain, toggle SSL and manage users including password reset from the interface.

+1

Can somebody provide this? Would be great!
