http://lukse.lt/uzrasai/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server/
Install some libraries and tools
apt-get update
apt-get install pkg-config cmake openssl libc-ares-dev libssl-dev python-mosquitto
Then install mosquitto from source (please double-check that you are installing the latest version). Of course, you can also install it on other operating systems and platforms (OSX, Windows, Openwrt, various Linux distributions, Raspberry) using prepared setup files.
wget http://mosquitto.org/files/source/mosquitto-1.3.5.tar.gz
tar xzf mosquitto-1.3.5.tar.gz
cd mosquitto-1.3.5
cmake .
make install
Pretty easy. Mosquitto is installed and should be ready to serve. The interesting part comes next: if secure messaging using SSL or TLS is needed, you will need to generate certificates.
Make some adjustments to the configuration file. There are more settings to adjust, but I provide only a basic set.
mkdir /etc/mosquitto/conf.d/certs
nano /etc/mosquitto/conf.d/mosquitto.conf
Here is what my configuration looks like
allow_anonymous false
autosave_interval 1800
connection_messages true
log_dest stderr
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
log_type all
log_type debug
log_timestamp true
password_file /etc/mosquitto/conf.d/jp.pw
acl_file /etc/mosquitto/conf.d/jp.acl
persistence true
persistence_location /tmp/
persistence_file mosquitto.db
persistent_client_expiration 1m
retained_persistence true
# plain MQTT listener, bound to loopback only
listener 1883 127.0.0.1
# TLS listener, no bind address given, so it listens on all interfaces
listener 8883
tls_version tlsv1
# these paths point at certs2/, while the commands in this post work in certs/;
# they must match the directory where the files were actually generated
cafile /etc/mosquitto/conf.d/certs2/ca.crt
certfile /etc/mosquitto/conf.d/certs2/server.crt
keyfile /etc/mosquitto/conf.d/certs2/server.key
require_certificate false
allow_anonymous false
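A small audit of the settings above, as an added example that is not part of the original post: it flags the three choices in this configuration a reviewer would question (TLS 1.0 on the 8883 listener, the persistence database in /tmp, and debug logging to $SYS topics). The `audit` helper and its finding strings are hypothetical, `CONF` is an excerpt of the listing, and options after a `listener` line are treated as belonging to that listener.

```python
# Added example (hypothetical helper): flag risky settings in a mosquitto.conf.
# CONF is an excerpt of the configuration shown in this post.
CONF = """\
allow_anonymous false
log_dest topic
log_type debug
persistence_location /tmp/
listener 1883 127.0.0.1
listener 8883
tls_version tlsv1
certfile /etc/mosquitto/conf.d/certs2/server.crt
keyfile /etc/mosquitto/conf.d/certs2/server.key
require_certificate false
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WEAK_TLS = {"tlsv1", "tlsv1.1"}

def parse(text):
    """Split the file into global options and one option dict per listener."""
    glob, listeners, cur = {}, [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "listener":
            cur = {"port": args[0], "bind": args[1] if len(args) > 1 else None}
            listeners.append(cur)
        else:  # assumption: options after a listener line belong to it
            (glob if cur is None else cur).setdefault(key, []).append(" ".join(args))
    return glob, listeners

def audit(text):
    glob, listeners = parse(text)
    findings = []
    if "true" in glob.get("allow_anonymous", []):
        findings.append("anonymous clients allowed")
    if any(p.startswith("/tmp") for p in glob.get("persistence_location", [])):
        findings.append("persistence database in world-writable /tmp")
    if "topic" in glob.get("log_dest", []) and {"debug", "all"} & set(glob.get("log_type", [])):
        findings.append("debug log published to $SYS topics")
    for l in listeners:
        tls = "certfile" in l
        if not tls and l["bind"] not in LOOPBACK:
            findings.append(f"port {l['port']}: plaintext listener reachable off-host")
        if tls and l.get("tls_version", [""])[0] in WEAK_TLS:
            findings.append(f"port {l['port']}: {l['tls_version'][0]} offered, use tlsv1.2")
    return findings
```

The plaintext listener on 1883 is not flagged because it is bound to 127.0.0.1; removing that bind address would add a fourth finding.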
Go to the certificate directory prepared earlier and run a few commands. You will be asked to enter some data. There are a few tricky parts:
cd /etc/mosquitto/conf.d/certs/
openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt
> Generating a 2048 bit RSA private key
> .....................................................................................+++
> ..+++
> writing new private key to 'ca.key'
> Enter PEM pass phrase:123
> Verifying - Enter PEM pass phrase:123
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:LT
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:Vilnius
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
> Email Address []:[email protected]
openssl genrsa -des3 -out server.key 2048
> Generating RSA private key, 2048 bit long modulus
> ............................................................................................................+++
> ..............+++
> e is 65537 (0x10001)
> Enter pass phrase for server.key:123
> Verifying - Enter pass phrase for server.key:123
# this overwrites the passphrase-protected server.key from the previous command with an unencrypted one
openssl genrsa -out server.key 2048
> Generating RSA private key, 2048 bit long modulus
> ....................................................................+++
> ................................................+++
> e is 65537 (0x10001)
openssl req -out server.csr -key server.key -new
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:LT
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:Vilnius
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
> Email Address []:[email protected]
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:123
> An optional company name []:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000
> Signature ok
> subject=/C=LT/ST=Some-State/L=Vilnius/O=lukse.lt/CN=lukse.lt/[email protected]
> Getting CA Private Key
> Enter pass phrase for ca.key:123
That is it. We can run secured mosquitto now. Just to test, I will run it in verbose mode.
service mosquitto stop
/usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
If you see output like this, everything is good and you are ready to dig deeper.
root@397063:/home/mqtt/remote_shell# /usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
1424034500: mosquitto version 1.3.5 (build date 2014-10-18 00:28:57+0000) starting
1424034500: Config loaded from /etc/mosquitto/mosquitto.conf.
1424034500: Opening ipv4 listen socket on port 1883.
1424034500: Opening ipv4 listen socket on port 8883.
1424034500: Opening ipv6 listen socket on port 8883.
Mosquitto has built-in features to manage users. It uses two config files: jp.pw for managing passwords and jp.acl for access level configuration.
To create a new user
mosquitto_passwd /etc/mosquitto/conf.d/jp.pw test
> Password: secret
> Reenter password: secret
To delete a user
mosquitto_passwd -D /etc/mosquitto/conf.d/jp.pw test
The password file looks like this
root@397063:/etc/mosquitto/conf.d# cat /etc/mosquitto/conf.d/jp.pw
test1:$6$GWjNhmdRHTBKTwx0gIAWwerH0epp4Wb6q4sam7AhUAwboIdDVUhI9NiV32sY9rzhS7DlrznhOkUF/2pb4GOg5O4dhcCB2tAwlb/hmoQ==
test2:$6$v61hb9FpQ53KS0jZ$m94VacLuKntD/Fhqi9Sw9gBWPMDVQo76ZnznIvm0C3G0XVNfysĖhNFEVlIWByJt9Bq41reBHrx4yYbxmu5aNjLXEVw==
The file jp.acl must be edited by hand; a sample file looks like this
root@397063:/etc/mosquitto/conf.d# cat jp.acl
# anonymous access
topic read $SYS/#
topic test/#

user test1
topic write zz/#
topic read zz/#
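What these rules grant, as an added example that is not part of the original post: a simplified model of mosquitto's ACL file in which rules before the first `user` line apply only to anonymous clients and a `topic` line without `read`/`write` grants both. The function names are hypothetical and `pattern` lines are not handled.

```python
# Added example: simplified model of the ACL file semantics (not mosquitto's code).
ACL_TEXT = """\
# anonymous access
topic read $SYS/#
topic test/#

user test1
topic write zz/#
topic read zz/#
"""

def topic_matches(flt, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    # Wildcards never cross between '$'-prefixed and ordinary topics.
    if flt.startswith("$") != topic.startswith("$"):
        return False
    f, t = flt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True  # also matches the parent level: zz/# matches zz
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def parse_acl(text):
    """Return {username or None: [(access, filter), ...]}; None is anonymous."""
    rules, user = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "user":
            user = rest.strip()
        elif key == "topic":
            first, _, tail = rest.strip().partition(" ")
            if first in ("read", "write", "readwrite") and tail:
                access, flt = first, tail.strip()
            else:  # no access keyword: read and write
                access, flt = "readwrite", rest.strip()
            rules.setdefault(user, []).append((access, flt))
    return rules

def allowed(rules, username, action, topic):
    """action is 'read' or 'write'; only the client's own section is consulted."""
    return any(access in (action, "readwrite") and topic_matches(flt, topic)
               for access, flt in rules.get(username, []))
```

Under this model, with `allow_anonymous false` as in the configuration above, the first section is never used: test1 cannot read `$SYS/#`, and test2, which appears in jp.pw but has no `user` section here, is denied everything.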
After installing the mosquitto server, creating SSL keys and configuring users, you are ready to start the MQTT server with these commands
service mosquitto enable
service mosquitto start