Hello all, I re-discovered Owntracks last night, which is an amazing little app that allows you to set up geofencing and location awareness, and can even report your velocity, steps (iOS), current phone battery level, and altitude. I spent the best part of today trying to set up my own public-facing MQTT server (after setting it up with webhooks and the free plan offering 150 webhooks per month running out overnight!).
But I must say I have found it almost impossible to get an MQTT broker working with TLS. Has anyone managed to do this? I've read countless guides repeatedly and all have failed me.
If anyone has a better suggestion of where to start (i.e. another guide to the one I link to below) then I'm all ears. I tried also working to the Owntracks guide but got nowhere.
Here's what I have done, maybe someone can help me at the point I'm getting stuck?
- Created a new VM, installed Ubuntu Server, and chose the option to install mosquitto as a "snap".
- Mosquitto runs out of the box fine, and I can update mosquitto.conf with the passwd file location; it also works fine with user authentication.
- Followed this guide to install certbot, to create and download certificates from Let's Encrypt. I liked this guide because it sets up a cron job which automatically checks the certificate validity daily and renews the certificate when it expires.
- Added a second listener in mosquitto.conf to listen on 8883 on my internal IP address, i.e.

  listener 8883 192.168.1.39

- I am still able to access this MQTT server from Node-RED if I update the MQTT configuration to port 8883.
- However, when I change the line in mosquitto.conf to reflect the hostname I'll be using externally, Node-RED no longer connects:

  listener 8883 home.example.com

- Taking a different tack, I have done what the guide linked above suggests and changed the line to

  listener 8883

  (i.e. removed the hostname). This now prevents me from connecting locally over 1883 but DOES work over 8883, so that's okay; I already have an internal MQTT server and only want this one as a public-facing one, so I continue.
- Now I insert these lines into mosquitto.conf:

  certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
  cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
  keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

  and after restarting mosquitto, Node-RED no longer connects to the broker.
- So I assume that the broker is ready to accept SSL connections and try to test this first from that server:

  mosquitto_pub -h mydomain.co.uk -t test -m "hello again" -p 8883 --capath /etc/ssl/certs/ -u "user" -P "password"

  as suggested by the guide I linked to above.
- This just gives me "Error: Connection refused".
- Likewise, I test the above command with the local IP address and get the same message.
Any ideas?
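As an added example (not part of the original post, and not code from the Mosquitto project), here is a small Python linter that checks a mosquitto.conf for the three things that most often stop a TLS listener from starting: a `listener` bound to a hostname rather than a local interface address, an incomplete set of certfile/keyfile/cafile options, and certificate paths the broker process cannot open. The sample configuration is constructed to mirror the post; the snap data directory `/var/snap/mosquitto/common/` and the confinement behaviour attributed to the snap package are assumptions about that package, not facts taken from the post.

```python
"""Lint a mosquitto.conf TLS listener for the mistakes that make the broker
exit at start-up (and therefore answer "Connection refused" on every port).
Added example; SAMPLE_CONF is a constructed reconstruction of the post's settings."""
import ipaddress
import os

# Assumption: the mosquitto snap is confined and can only open files under
# its own data directory, so certificates left in /etc/letsencrypt are invisible to it.
SNAP_DATA_DIR = "/var/snap/mosquitto/common/"

# Constructed sample mirroring the post: hostname bind plus certbot's live/ paths.
SAMPLE_CONF = """\
password_file /etc/mosquitto/passwd
allow_anonymous false

listener 8883 home.example.com
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
"""

# Constructed corrected version: no bind address, files copied into the snap's
# directory (hypothetical certs/ sub-directory), and an explicit local 1883 listener.
FIXED_CONF = """\
listener 8883
certfile /var/snap/mosquitto/common/certs/cert.pem
keyfile /var/snap/mosquitto/common/certs/privkey.pem
cafile /var/snap/mosquitto/common/certs/chain.pem
listener 1883 127.0.0.1
"""


def parse_listeners(text):
    """Split mosquitto.conf into per-listener blocks. Options that appear
    before any `listener` line belong to the default block (port None)."""
    blocks = []
    current = {"port": None, "bind": None, "options": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)  # key, value, optional third word
        if parts[0] == "listener":
            blocks.append(current)
            current = {"port": int(parts[1]),
                       "bind": parts[2] if len(parts) > 2 else None,
                       "options": {}}
        else:
            current["options"][parts[0]] = parts[1] if len(parts) > 1 else ""
    blocks.append(current)
    return blocks


def is_ip(addr):
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True


def check_listener(block, snap_broker=False, check_files=False):
    """Return human-readable problems for one listener block."""
    port, bind, opts = block["port"], block["bind"], block["options"]
    tag = f"listener {port}" if port else "default listener"
    problems = []
    if bind and not is_ip(bind):
        problems.append(f"{tag}: bind address '{bind}' is a hostname; it must resolve "
                        "to an address of this host, which a public name behind NAT does "
                        "not. Use a local IP or omit the address to bind all interfaces.")
    if any(k in opts for k in ("certfile", "keyfile", "cafile", "capath")):
        missing = [k for k in ("certfile", "keyfile") if k not in opts]
        if "cafile" not in opts and "capath" not in opts:
            missing.append("cafile or capath")  # Mosquitto needs one of them for TLS
        if missing:
            problems.append(f"{tag}: TLS half-configured, missing {', '.join(missing)}")
    for key in ("certfile", "keyfile", "cafile"):
        path = opts.get(key)
        if not path:
            continue
        if snap_broker and not path.startswith(SNAP_DATA_DIR):
            problems.append(f"{tag}: {key} {path} is outside {SNAP_DATA_DIR}; the "
                            "snap-confined broker cannot open it and exits at start-up")
        if check_files and not os.access(path, os.R_OK):
            problems.append(f"{tag}: {key} {path} is not readable; certbot's live/ "
                            "directory and privkey.pem are root-only and the broker "
                            "drops privileges to the mosquitto user")
    return problems


def check_conf(text, snap_broker=False, check_files=False):
    """Lint a whole config; also flags the loss of the implicit 1883 listener."""
    blocks = parse_listeners(text)
    problems = []
    for block in blocks:
        problems += check_listener(block, snap_broker, check_files)
    ports = {b["port"] for b in blocks if b["port"]}
    if ports and 1883 not in ports:
        problems.append("info: once any `listener` is defined the implicit 1883 listener "
                        "is no longer created; add `listener 1883 127.0.0.1` if local "
                        "plaintext clients still need it")
    return problems


if __name__ == "__main__":
    for p in check_conf(SAMPLE_CONF, snap_broker=True):
        print("-", p)
```

Run it on the real file with `check_files=True` as the user the broker runs as; a problem in any of these three areas means Mosquitto never gets as far as listening, which is why both 1883 and 8883 then refuse connections. Running the broker in the foreground with `mosquitto -c <conf> -v` shows the exact error it exits with.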