To allow mosquitto to accept connections across the network (without using passwords), create a file with the extension .conf in the folder /etc/mosquitto/conf.d (I call mine /etc/mosquitto/conf.d/mossy.conf) and in there put
listener 1883
allow_anonymous true
In addition, if you want human readable timestamps in the mosquitto log add
# human readable timestamps in log
log_timestamp true
log_timestamp_format %Y-%m-%d %H:%M:%S
That is preferable to modifying the master config file as that may get overwritten during a mosquitto upgrade.
Of course, the usual security considerations apply so you should think about your network, information sensitivity and the threat levels of your host country. Not normally too great an issue for home automation over a local network but given the state of the digital world war currently being fought, none of us should be complacent.
While it might ideally. As it is restricted to localhost connections only by default, the other things aren't necessarily a priority. My feeling is that Mosquitto have done this as the simplest way to try to get people to actually THINK about their needed security config. Not unreasonable in my view.
Just to add re the localhost bit - typically it is not best practice to set localhost as the address of the MQTT broker - but rather an explicit IP address.
I wonder if your old flows had this set - check what they have in their config screen and see if it is set to the old IP address of the old machine.
In order to try and understand this localhost query, is the suggestion being made that I should use the i/p address of the RPi in all the nodes instead of localhost? I am quite sure that all the nodes in both the older machine and the newer one simply have the word localhost plus the port 1883.
In answer to another query, the messages that I am looking to receive are coming from the device that is being commanded. The payload is either a yes or no.
I will check the i/p situation tomorrow
The mqttout node does not send a message to a device, it sends a message to the broker. For a device to receive that it must subscribe to the topic on the mqtt broker that the mqttout node is connected to. Since you have moved the broker to a new pi, which presumably has a different ip address to the old pi, then you need to tell the device to connect to the broker on the new ip address. Have you done that?
Are there any .conf files in /etc/mosquitto/conf.d? What do they contain?
I don't believe there is a security issue in revealing mosquitto.conf.
This is what mine contains
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
per_listener_settings true
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
listener 1883
password_file /etc/mosquitto/passwd
i.e. it uses port 1883, anonymous connection is disallowed, and the permitted users have username and a password hash in /etc/mosquitto/passwd, which contains something like this
I really thought the post above from "colin" had found the issue regarding the fact that all of the devices did, in fact, specify the i/p of the RPi that was running mosquitto. So I went to the older running system and shut it down. Then I went to the new system and changed its i/p to the original value and restarted it. However, that did not change the outcome but I do think that is one problem I had not considered and I plan to stay in this configuration.
For "jbudd", here is the conf
ckentm@4004HOME:~ $ cat /etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf
per_listener_settings true
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
listener 1883
password_file /etc/mosquitto/passwd
I also noted that line but as you can see in the code I sent, this file is located in "/etc/mosquitto/" and not in the conf.d directory.
ckentm@4004HOME:/etc/mosquitto/conf.d $ ls
README
ckentm@4004HOME:/etc/mosquitto/conf.d $ cat README
Any files placed in this directory that have a .conf ending will be loaded as
config files by the broker. Use this to make your local config.
Now I wonder if the conf file in the directory above should be moved to this directory?
Any thoughts
The file mosquitto.conf has to be in /etc/mosquitto.
It is best policy not to edit this file because a reinstallation will probably overwrite it.
The file itself instructs mosquitto to import any .conf files from /etc/mosquitto/conf.d.
So your config should ideally go in a file such as /etc/mosquitto/conf.d/myconf.conf.
If like me you are happy to edit /etc/mosquitto/mosquitto.conf that's fine.
Moving files from one place to another isn't going to resolve this issue.
First of all, for "jbudd". That is exactly the course that created this system in the first place. When I started the version was 1.3 and user/pswd was not required. However, when I rebuilt this from version 1.7 is when the course changed to add user/pswd. The mosquitto.conf that is in my previous post, definitely says:
which means to me that user/pswd is required.
Another input that I have rcvd in the RNT forum suggests that RPi OS, Trixie has known issues with NodeRed and suggests that I create another image using Bookworm. At this point, anything is worth a try.
It is required if you specified anonymous false. Have you created users and passwords and configured the node red server nodes in node red to use them? If not then set anonymous true.
I, and many others I would think, use Node-RED with Trixie so I have no idea why anyone would think this. (I also use mosquitto on a very recently updated platform accessed from many Node-RED instances on other Pis with no problems)
My main mosquitto broker, a Pi 4, actually still runs Bookworm so to check, I have installed mosquitto on another Pi (Zero 2) running Trixie.
I followed the guide as far as configuring anonymous access and I confirm it works with Node-red on another Pi, mqtt-out and mqtt-in nodes pointing to the IP of the Zero 2
I'll now change it to allow_anonymous false, setup a user/password and report back...
Yes, it works now with a user account and password.
Key tests:
systemctl status mosquitto returns, among other stuff:
Active: active (running)
And after editing the Node-red config to include username and password
ps as @Colin has twice said, there is no real need to disallow anonymous access to mosquitto as long as you can only access the broker from your home network, which is surely the case unless you do something unwise like port forwarding in the router.
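An added example, not part of the thread: a shell check for the combination discussed above, a listener reachable from the network together with allow_anonymous true. The function names, file names and sample configs are constructed for illustration, and allow_anonymous is treated as broker-wide (per_listener_settings is ignored), which is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: flag mosquitto config files that combine a network-reachable
# listener with "allow_anonymous true".
# Assumption: allow_anonymous is treated as broker-wide, so any
# "allow_anonymous true" line counts, whatever per_listener_settings says.

audit_mosquitto() {
    # Arguments: config files in load order (main file, then conf.d/*.conf).
    # Returns 0 when nothing is flagged, 1 when a risky combination is found.
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "listener" {
            # "listener <port> [bind address]"; no address = all interfaces
            addr = (NF >= 3) ? $3 : "*"
            if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
                exposed = exposed " " $2 "@" addr
        }
        $1 == "allow_anonymous" && $2 == "true" { anon = FILENAME }
        END {
            if (anon != "" && exposed != "") {
                print "RISK: anonymous access (" anon ") on listener(s):" exposed
                exit 1
            }
            print "OK: no anonymous network-reachable listener"
        }
    ' "$@"
}

make_samples() {
    # Constructed sample files mirroring the configurations in the thread.
    dir=$(mktemp -d)
    printf '%s\n' 'listener 1883' 'allow_anonymous true' > "$dir/mossy.conf"
    printf '%s\n' 'allow_anonymous false' 'listener 1883' \
        'password_file /etc/mosquitto/passwd' > "$dir/auth.conf"
    printf '%s\n' 'listener 1883 127.0.0.1' 'allow_anonymous true' \
        > "$dir/local.conf"
    echo "$dir"
}

d=$(make_samples)
for f in mossy auth local; do
    audit_mosquitto "$d/$f.conf" || true
done
rm -rf "$d"
```

On a real broker, pass /etc/mosquitto/mosquitto.conf followed by the files in /etc/mosquitto/conf.d; a RISK line means the broker accepts unauthenticated clients from any host that can reach the port.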