How to create public-facing MQTT server? (Ubuntu)

Hello all, I re-discovered Owntracks last night, which is an amazing little app that allows you to set up geofencing, location awareness, and can even report your velocity, steps (iOS), current phone battery level, and altitude. I spent the best part of today trying to set up my own public-facing MQTT server (after setting it up with webhooks and the free plan offering 150 webhooks per month running out overnight!)

But I must say I have found it almost impossible to get an MQTT broker working with TLS. Has anyone managed to do this? I've read countless guides repeatedly and all have failed me.

If anyone has a better suggestion of where to start (i.e. another guide to the one I link to below) then I'm all ears. I tried also working to the Owntracks guide but got nowhere.

Here's what I have done, maybe someone can help me at the point I'm getting stuck?

  • Created a new VM, installed Ubuntu Server, and chose the option to install mosquitto as a "snap"

  • Mosquitto runs out of the box fine, and I can update mosquitto.conf with the passwd file location and it also works fine with user authentication

  • Followed this guide to install certbot, to create and download certificates from letsencrypt. I liked this guide because it sets up a cron which automatically checks the certificate validity daily, and renews the certificate when it expires.

  • Added a second listener in mosquitto.conf to listen on 8883 on my internal IP address, i.e.
    listener 8883 192.168.1.39

  • I am still able from Node-RED to access this MQTT server, if I update the MQTT configuration to port 8883

  • However when I change the line in mosquitto.conf to reflect the hostname I'll be using externally, node-red no longer connects:
    listener 8883 home.example.com

  • Taking a different tack, I have done what that guide linked above suggests and changed the line (i.e. removed the hostname) to
    listener 8883
    This now prevents me from connecting locally over 1883 but DOES work over 8883, so that's okay; I already have an internal MQTT server and only want this one as a public-facing one, so I continue.

  • Now I insert these lines into mosquitto.conf:
    certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
    cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
    keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
    and after restarting mosquitto Node-RED no longer connects to the broker.

  • So I assume that the broker is ready to accept SSL connections and try to test this first from that server, as suggested by the guide I linked to above:
    mosquitto_pub -h mydomain.co.uk -t test -m "hello again" -p 8883 --capath /etc/ssl/certs/ -u "user" -P "password"

  • This just gives me "Error: Connection refused"

  • Likewise I test the above command with local IP address and get the same message

Any ideas?

There was an extensive thread on this a few months back. I assume you have a domain name you can make use of and a fixed IP address to the network? Also that you are allowing inbound traffic on the firewall to port 8883 (and blocking everything else).

I wouldn't do that myself. Snaps are, in themselves, virtualised environments like a lightweight version of Docker as I understand it. That means that you can fall foul of networking issues I think. I would just use a standard install.

You don't need to use TLS if accessing from the same device over localhost. So just have 2 different connections. 1 bound to localhost without TLS and the other bound to the domain name that does.

Just on this point, it appears that if you specify a listener then you also have to specify the default port if you want that to keep working:
port 1883
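As an added example, not code from the thread or from the Mosquitto project, here is a small Python checker that encodes the two points made above: keep a plaintext listener on localhost and a TLS listener on 8883, and restate the 1883 port once any listener is configured. It parses a constructed mosquitto.conf and flags certificate directives placed above every listener line (they then apply to the default listener rather than to 8883), a missing 1883 listener, a public 8883 listener without certfile/keyfile, and anonymous access not explicitly disabled. It also checks whether a given uid can read the Let's Encrypt files, which certbot leaves readable by root only. The mqtt.example.com paths and both sample configs are constructed assumptions.

```python
import os
import stat
import tempfile

# Constructed mosquitto.conf for the layout suggested above: plaintext only on localhost
# (Node-RED on the same box), TLS on 8883 for the outside world. Placeholder paths.
SAMPLE_CONF = """\
password_file /etc/mosquitto/passwd
allow_anonymous false
listener 1883 127.0.0.1
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile   /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile  /etc/letsencrypt/live/mqtt.example.com/privkey.pem
"""

# Constructed variant with the mistakes the checker looks for: certificate lines above the
# listener, no listener or port for 1883, anonymous access never switched off.
BAD_CONF = """\
password_file /etc/mosquitto/passwd
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
listener 8883
"""

CERT_KEYS = ("certfile", "cafile", "keyfile")


def parse_conf(text):
    """Split a config into global directives (default listener) and one dict per 'listener'."""
    globals_, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            fields = value.split()
            current = {"port": int(fields[0]), "bind": fields[1] if len(fields) > 1 else "0.0.0.0"}
            listeners.append(current)
        elif current is None:
            globals_[key] = value  # before any listener line: belongs to the default listener
        else:
            current[key] = value
    return globals_, listeners


def check_conf(text):
    """Findings for the misconfigurations that make both ports stop answering."""
    findings = []
    globals_, listeners = parse_conf(text)
    for key in CERT_KEYS:
        if key in globals_:
            findings.append(f"{key} sits above every 'listener' line, so it applies to the default listener, not to 8883")
    has_local = globals_.get("port") == "1883" or any(l["port"] == 1883 for l in listeners)
    if listeners and not has_local:
        findings.append("a listener is defined, so the default 1883 listener is gone; add 'listener 1883 127.0.0.1' for local clients")
    if globals_.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not explicitly false; set it, the public listener relies on password_file")
    for l in listeners:
        missing = [k for k in ("certfile", "keyfile") if k not in l]
        if l["port"] == 8883 and missing:
            findings.append(f"listener 8883 lacks {' and '.join(missing)}, so it serves plaintext, not TLS")
    return findings


def readable_by(path, uid, gids):
    """Mode-bit read check for a process running with this uid/gids (root always passes)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    return bool(st.st_mode & (stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH))


def check_cert_files(listener, uid, gids):
    """Findings for cert/key paths the broker cannot open; an unloadable key aborts startup."""
    findings = []
    for key in CERT_KEYS:
        path = listener.get(key)
        if path and not os.path.exists(path):
            findings.append(f"{key} {path}: file does not exist")
        elif path and not readable_by(path, uid, gids):
            findings.append(f"{key} {path}: not readable by uid {uid}")
    return findings


def simulate_letsencrypt_key():
    """Constructed demo: a 0600 privkey.pem is readable by its owner but not by another uid."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "privkey.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder, not a real key\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o600)
        listener = {"port": 8883, "keyfile": key}
        owner, other = os.getuid(), os.getuid() + 1
        return check_cert_files(listener, owner, [os.getgid()]), check_cert_files(listener, other, [])


if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_CONF), ("bad", BAD_CONF)):
        print(name, check_conf(conf) or "no findings")
    print(simulate_letsencrypt_key())
```

Point check_conf at the real /etc/mosquitto/mosquitto.conf text and pass check_cert_files the uid the broker opens its files as; which uid that is depends on how Mosquitto is started (service unit, manual start, snap), so the script takes it as an input rather than assuming root.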

I am not familiar with Owntracks but the guide you referred to says:

HTTP mode

If you don't want to go to the trouble of hosting your own MQTT setup, you can use HTTP mode to publish location data to an HTTP server of your choosing, and you can also use our Recorder for doing so.

In such case it seems to make sense to use a service like webhookrelay, which has a nice contrib node ready to use.

Wouldn't it be easier to go this route instead of setting up an internet-facing MQTT broker?

Thanks for the comments so far;

@TotallyInformation Yes I have dynamic DNS set up which provides me with a domain name. The MQTT broker is accessible from the outside world, it's just I cannot secure it with TLS (so passwords and data are being sent in plain text, so I can't continue to use it like that). I am allowing 8883 inbound. My understanding of "snaps" is limited to what I have encountered today only, but as far as I can make out they aren't a form of container, they are just packages which quickly install the software. I think I might take your idea though and try to install a new server from scratch and install mosquitto in the normal way. I understand I don't need to use TLS locally; the problem is that when I set the certificate locations, both listeners (1883 and 8883) seem to stop responding on the local network. If I remove the certificate lines from the config file they both work again.

@Colin I did read this somewhere but I must now go back and double-check I did this! Thanks

@Andrei Yes the webhookrelay is very good, and it makes light work of the problem, but unfortunately it's limited to 150 messages per month, and my iPhone sent 150 overnight; I woke up to the message that my webhookrelay account had reached its limit :frowning:


I explicitly set the port number for the default listener, but it didn't make a difference.

So in summary, everything works from the outside world, connections over 1883 work internally and 8883 works externally, but as soon as I add the certificate paths to the config file, everything stops working internally and externally!

MQTT - TLS encryption example - Share Your Projects - Node-RED Forum

I stopped using OwnTracks with MQTT, it wasn't reliable, missed a lot of points.
Using it now with HTTP and that works perfectly.
My phone is, with the help of OpenVPN, always in my home network, so no port forwarding etc.
For easy private network creation have a look at ZeroTier One.

If you prefer to use webhooks, here's a nice example of how to use OwnTracks with NR and webhooks.

Thanks, interesting that you prefer to use HTTP. I have OpenVPN as I use Untangle as my gateway, which includes this. How are you connected permanently (is this on iPhone?) For me I have to go into settings and connect, but I would be interested to hear how to enforce or ensure a permanent connection. This is the ideal scenario!

Webhooks just doesn’t work, OwnTracks sends a message every three minutes, so the monthly allowance of 150 messages lasts about 3 hours!

I'm using Android.
In the OpenVPN app you can set the options Reconnect on reboot and Seamless Tunnel; this guarantees that the VPN is running.
With the help of Tasker, OpenVPN is disabled when I'm at home and enabled when leaving the home WiFi network.

Sorry for the off-topic...