So, some experimentation and reading later. Here are some updates and simplifications.
For the Mosquitto configuration, you need to add/change /etc/mosquitto/conf.d/custom.conf (you can call the file anything). You also seem to have to add the default port as well if you want to retain that: Mosquitto uses default settings which include the standard port, but they seem to be turned off once you add your own custom settings. Note the bits in angle brackets that you need to change:
# Default Listener: 1883
# Bind the default listener to localhost only if you want to force external connections to be TLS only
# Secure listener
## This is standard and should always be this
## These are from your installation of LE
## Forces use of modern version of TLS to avoid security issues
## Forces ALL CLIENTs to provide a valid certificate - change the node config to allow this from NR
You then need to restart the Mosquitto broker with sudo systemctl restart mosquitto. You can check whether it has started the correct ports with sudo netstat -lptu | grep mosquitto, which should give you 4 entries:
tcp 0 0 0.0.0.0:8883 0.0.0.0:* LISTEN 17697/mosquitto
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 17697/mosquitto
tcp6 0 0 [::]:8883 [::]:* LISTEN 17697/mosquitto
tcp6 0 0 [::]:1883 [::]:* LISTEN 17697/mosquitto
Note that you do not have to make any firewall changes on the Pi, the OS does that for you and will open both ports. You can check that from another Linux/Mac device (or Windows using WSL) with telnet <IP-NAME> 1883 and telnet <IP-NAME> 8883.
To connect securely from Node-RED, you need to configure the MQTT connection to use the TLS connection, not the standard one. You also need to use the IP name rather than the IP address because otherwise the certificate won't be valid.
Note that you need to set the URL and the port, but you don't need to set the "Enable secure connection" flag. That lets you authenticate the Node-RED client connection to the broker (if you set require_certificate to true, for example).
Many thanks to Paul for giving me both the clues and the motivation to get this done.
To monitor what is going on with Mosquitto, you can use the command sudo tail /var/log/mosquitto/mosquitto.log -f. This will show you connections and disconnections. If you need more information, you can change the log level in your mosquitto broker configuration file and restart the broker.
# Logging. Defaults to "error, warning, notice, information"
# debug, error, warning, notice, information, subscribe, unsubscribe, websockets, none, all
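An added check, not from this post or from the Mosquitto project, that reads a mosquitto.conf and flags the three points the post makes: a plaintext listener not bound to localhost, a TLS listener whose tls_version is not pinned, and require_certificate not set to true. The two sample configs and the certificate paths inside are constructed placeholders.

```python
# Lint a mosquitto.conf for the listener/TLS settings discussed in the post.
# Constructed sample configs (not the poster's file); certificate paths are placeholders.
HARDENED = """\
listener 1883 127.0.0.1
listener 8883
cafile /etc/letsencrypt/live/<DOMAIN>/chain.pem
certfile /etc/letsencrypt/live/<DOMAIN>/cert.pem
keyfile /etc/letsencrypt/live/<DOMAIN>/privkey.pem
tls_version tlsv1.2
require_certificate true
"""
WEAK = """\
listener 1883
listener 8883
certfile /etc/letsencrypt/live/<DOMAIN>/cert.pem
keyfile /etc/letsencrypt/live/<DOMAIN>/privkey.pem
"""
LOCAL_ONLY = ("127.0.0.1", "localhost", "::1")

def parse_listeners(text):
    """One dict per 'listener' line, carrying the settings that follow it
    (Mosquitto applies TLS settings to the most recently declared listener)."""
    listeners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port, _, bind = value.strip().partition(" ")
            current = {"port": int(port), "bind": bind.strip() or "0.0.0.0"}
            listeners.append(current)
        elif current is not None:
            current[key] = value.strip()
    return listeners

def check_listeners(text):
    """Return findings as strings; an empty list means the config follows the post's advice."""
    findings = []
    for l in parse_listeners(text):
        tls = "certfile" in l and "keyfile" in l
        if not tls and l["bind"] not in LOCAL_ONLY:
            findings.append(f"port {l['port']}: plaintext listener bound to {l['bind']}, reachable from the network")
        if tls and l.get("tls_version") not in ("tlsv1.2", "tlsv1.3"):
            findings.append(f"port {l['port']}: tls_version not pinned to tlsv1.2 or tlsv1.3")
        if tls and l.get("require_certificate") != "true":
            findings.append(f"port {l['port']}: require_certificate is not true")
    return findings
```

Run check_listeners on the text of your own conf.d file; the HARDENED sample returns no findings, the WEAK one returns three.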