Activating TLS on your mosquitto (and Owntracks)

All,

This tutorial’s intention is to make life easier for those who would like to enable TLS on their mosquitto.
I struggled a lot and gave up many times until I finally merged information from various sites into the one that works for me.
(That’s no guarantee that it works for your specific setup though :wink:)

In general it’s required to generate some certificate files on the host running mosquitto (actually all the activities below have been done on my Raspberry Pi 2 running openHABian and OH2).

It might be trivial for most of the people here, but I am sure that there must be some out there who had similar problems to those I had.

So you need:

  1. Mosquitto running (it ran for quite a while on port 1883 without TLS).
  2. Generate server certificates (e.g. ca.crt, see below)
  3. Copy the files to the mosquitto subdir (see below as well)
  4. Activate TLS on mosquitto
  5. Encrypt and transfer the files .otrp and ca.crt to the phone
  6. Activate TLS in owntracks (activate iPhone.otrp with passphrase)

Actually most of the documentation is a patchwork from multiple sites, like
http://owntracks.org/booklet/features/tlscert/
and
http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt
(By the way, thanks to the creators of the sources mentioned above!)

So let's start with rockingdlabs first (I did not put all the steps here, so please check the site as well):

Before step 2 (Setup a CA and generate the server certificates):
Modify Generate-CA.sh:
IPLIST="192.168.178.50 127.0.0.1"
HOSTLIST="localhost yourhostname something.from-outside.org "
(I am not really sure if this is required, but keeping in mind the problems I had, it’s pretty likely: those were that I wasn’t able to connect from outside my LAN.
Maybe some expert can confirm or refute this.)

Anyway…
Use generate-CA.sh for certificate generation after the change above.
You will get:
ca.crt, ca.key, ca.srl, myhost.crt, myhost.csr, myhost.key
(ca.crt will be needed on your phone later and the .key needs to be kept in a secret place).

Copy the files:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp myhost.crt myhost.key /etc/mosquitto/certs/

Adjust mosquitto.conf accordingly:
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key

Connection without TLS is already ok:
sudo mosquitto_sub -d -h something.from-outside.org -p 1883 -t 'owntracks/#'
(please make sure to open 1883 on your router)

Generate client certificates (see also Step 4 on the website mentioned above):
sudo openssl genrsa -out iPhone.key 2048
sudo openssl req -new -out iPhone.csr -key iPhone.key -subj "/CN=iPhone/O=example.com"
sudo openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ./ca.srl -out iPhone.crt -days 3650 -addtrust clientAuth

This will create the following files:
iPhone.crt, iPhone.csr, iPhone.key

Connection is ok (localhost):
sudo mosquitto_sub -d -h localhost -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'

as well as from outside:
sudo mosquitto_sub -d -h something.from-outside.org -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'

To transport the phone related certificate files safely:
openssl pkcs12 \
  -export \
  -in iPhone.crt \
  -inkey iPhone.key \
  -name "NCO's certificate/key" \
  -out iPhone.otrp

This will ask for a passphrase you need to put into your phone later (TLS Settings -> Client certificate -> passphrase)

Transfer the ca.crt and iPhone.otrp to your phone.
The otrp file can be imported into owntracks directly.
The ca.crt needs to be installed as a certificate on the phone as well.

That should be it to be able to connect with TLS to your mosquitto broker.
Hope it helps.

For those who would like to check out Let’s Encrypt as an alternative source of certificates, please see a short hint from @rlkoshak:

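As an added example that is not part of the original post (nor the rockingdlabs generate-CA.sh), the script below carries out steps 2 to 5 of the tutorial in one go: it builds a private CA, a broker certificate whose subjectAltName carries the HOSTLIST/IPLIST names (a client checks the name it dialled against the SAN, which is why the external name matters for connecting from outside), a client certificate that gets its clientAuth extended key usage from an extension file instead of -addtrust, and the .otrp/.otre files for the phone, then verifies the whole set with openssl. The output directory, the names in HOSTS and IPS, the CA subject and the OTRP_PASS environment variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from generate-CA.sh:
# builds a CA, a broker certificate with SANs, a client certificate with the
# clientAuth EKU, and the phone bundle, then verifies the result.
# Assumptions: output dir ./pki (or $1), the names/IPs below, a CA subject of
# "home-mqtt-ca", and the PKCS#12 passphrase supplied in $OTRP_PASS.
set -eu

OUT="${1:-./pki}"
HOSTS="localhost myhost something.from-outside.org"   # the thread's HOSTLIST
IPS="127.0.0.1 192.168.178.50"                        # the thread's IPLIST
DAYS=3650

make_pki() (                   # subshell: umask and cd do not leak out
  mkdir -p "$OUT" && cd "$OUT"
  umask 077                    # every key is created mode 0600

  # 1. CA key and self-signed CA certificate (ca.crt goes to the phone).
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -x509 -new -key ca.key -sha256 -days "$DAYS" \
    -subj "/CN=home-mqtt-ca/O=example.com" -out ca.crt

  # 2. Broker key, CSR and certificate. Every hostname/IP a client may dial
  #    goes into subjectAltName: clients match the SAN, not the CN, so a
  #    missing external name is one reason "connect from outside" fails.
  san=""
  for h in $HOSTS; do san="${san:+$san,}DNS:$h"; done
  for i in $IPS;   do san="${san:+$san,}IP:$i";  done
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > server.ext
  openssl genrsa -out myhost.key 2048 2>/dev/null
  openssl req -new -key myhost.key -subj "/CN=myhost/O=example.com" -out myhost.csr
  openssl x509 -req -in myhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$DAYS" -sha256 -extfile server.ext -out myhost.crt

  # 3. Client (phone) key and certificate. The EKU comes from an extension
  #    file rather than -addtrust, so the output is a plain certificate. The
  #    CN is the username mosquitto derives with use_identity_as_username.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > client.ext
  openssl genrsa -out iPhone.key 2048 2>/dev/null
  openssl req -new -key iPhone.key -subj "/CN=iPhone/O=example.com" -out iPhone.csr
  openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl \
    -days "$DAYS" -sha256 -extfile client.ext -out iPhone.crt

  # 4. Phone bundle: key+cert as PKCS#12 (.otrp) and the CA in DER (.otre)
  #    for pinning. The passphrase comes from the environment, not argv,
  #    so it is not left in shell history or visible in ps.
  openssl pkcs12 -export -in iPhone.crt -inkey iPhone.key -name "iPhone" \
    -passout env:OTRP_PASS -out iPhone.otrp
  openssl x509 -in ca.crt -outform DER -out ca.otre
)

# Checks worth running before any file is copied under /etc/mosquitto.
verify_pki() {
  d="$OUT"
  openssl verify -CAfile "$d/ca.crt" "$d/myhost.crt" >/dev/null || return 1
  openssl verify -CAfile "$d/ca.crt" "$d/iPhone.crt" >/dev/null || return 1
  openssl x509 -in "$d/myhost.crt" -noout -ext subjectAltName \
    | grep -q 'DNS:something.from-outside.org' || return 1
  openssl x509 -in "$d/iPhone.crt" -noout -ext extendedKeyUsage \
    | grep -q 'TLS Web Client Authentication' || return 1
  # the .otrp must open with the passphrase the phone will be given
  openssl pkcs12 -in "$d/iPhone.otrp" -passin env:OTRP_PASS -nokeys 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' || return 1
}

# The username mosquitto will see for this certificate (its CN).
client_identity() {
  openssl x509 -in "$OUT/iPhone.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage: OTRP_PASS='phone passphrase' ./make-mqtt-pki.sh [outdir]
if [ -n "${OTRP_PASS:-}" ]; then
  make_pki && verify_pki && echo "client identity: $(client_identity)"
else
  echo "set OTRP_PASS to the passphrase for the .otrp bundle and re-run" >&2
fi
```

The keys are written mode 0600 by the script's own user; after copying myhost.key into /etc/mosquitto/certs, chown it to the account mosquitto drops privileges to, or the broker will fail to load it. If the phone refuses iPhone.otrp, an OpenSSL 3 build has produced a PKCS#12 with its newer AES/PBKDF2 defaults; re-run the pkcs12 export with OpenSSL 3's -legacy option for importers that only understand the older format.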

Just to add a bit of security, I suggest looking at http://owntracks.org/booklet/features/tlscert/

  1. add the “two-factor authentication”

adding in the mosquitto.conf:
require_certificate true
use_identity_as_username true

You already have your client certs, so not too much extra effort.

  2. activate certificate pinning
  • enabling the Use Custom Security Policy - “certificate” option
  • adding a .otre certificate as follows:

openssl x509 -in ca.crt -out ca.otre -outform DER

Hope this helps
Andrea

I posted a related tutorial on how to configure openHAB to connect to an MQTT broker with SSL/TLS:

Another point to be added:

  • bear in mind that the MQTT binding does not support the same TLS connection. So the idea is to stay with TLS + certificate pinning on your mobile, and use a clear connection between mosquitto and openHAB (usually on the same network/device).
  • to do that, mosquitto needs to be configured with port 1883 and listener 8883

HTH
Andrea
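As an added example (not Andrea's own configuration, nor anything shipped by mosquitto or OwnTracks), here is the listener split described above written out twice: the legacy "port 1883 + listener 8883" form, and a hardened form that combines the TLS options from the first post with the require_certificate / use_identity_as_username settings from the earlier reply. A small awk audit then flags the two things a reviewer looks for in such a file: a plaintext listener reachable from outside the box and a TLS listener that accepts any client. Binding 1883 to 127.0.0.1 (openHAB on the same host), the password/ACL file paths, the client CN "iPhone" and the tls_version pin are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Andrea's or the project's own configuration: the listener
# split described above, in legacy and hardened form, plus an awk audit of a
# mosquitto.conf. Assumptions: openHAB runs on the same host (so 1883 can bind
# to loopback), the password/ACL paths, the CN "iPhone", tls_version tlsv1.2.
set -eu

# The weak shape: 1883 is open on every interface and 8883 accepts any client.
write_legacy_conf() {  # $1 = destination file
  cat > "$1" <<'EOF'
port 1883
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key
EOF
}

# The hardened shape. Options after a "listener" line apply to that listener.
write_conf() {  # $1 = destination file
  cat > "$1" <<'EOF'
# Plain listener for the openHAB MQTT binding, loopback only: the cleartext
# path never leaves the box (assumption: openHAB runs on this host).
listener 1883 127.0.0.1

# TLS listener for the phone. A valid client certificate from our CA is
# mandatory and its CN becomes the MQTT username; password_file is then
# not consulted for this listener.
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true

# Global auth: openHAB logs in with a password on 1883; the phone's identity
# "iPhone" comes from its certificate on 8883. Both are bounded by the ACL.
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
EOF
}

# ACL keyed on the certificate CN: the phone may only publish under its own
# OwnTracks topic; the local openHAB user reads all of owntracks/#.
write_acl() {  # $1 = destination file
  cat > "$1" <<'EOF'
user iPhone
topic write owntracks/iPhone/#
user openhab
topic read owntracks/#
EOF
}

# Audit: one finding per line, nothing printed when the file is clean.
#  - a listener without certfile (plaintext) that is not bound to loopback
#  - a listener with certfile (TLS) that does not require a client certificate
# Understands both the legacy "port N" directive and "listener N [bind]".
audit_conf() {  # $1 = mosquitto.conf
  awk '
    function flush() {
      if (port == "") return
      if (certfile == "" && bind != "127.0.0.1" && bind != "localhost")
        print "plaintext listener " port " bound to " (bind == "" ? "all interfaces" : bind)
      if (certfile != "" && !reqcert)
        print "TLS listener " port " does not require a client certificate"
    }
    $1 == "port" || $1 == "listener" { flush(); port=$2; bind=$3; certfile=""; reqcert=0 }
    $1 == "certfile"                 { certfile=$2 }
    $1 == "require_certificate"      { reqcert=($2 == "true") }
    END                              { flush() }
  ' "$1"
}

# Usage: ./mosquitto-split.sh /etc/mosquitto/mosquitto.conf   (audits that file)
if [ $# -eq 1 ]; then
  audit_conf "$1"
fi
```

Pinning tls_version to tlsv1.2 means the mosquitto_sub checks from the first post must be run with --tls-version tlsv1.2 rather than tlsv1. If you want different allow_anonymous / password_file / acl_file values on the two listeners rather than one global set, add per_listener_settings true at the top of the file and repeat those options under each listener.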

I agree, the MQTT broker will normally be on the same network/device, but in my case I needed a cloud MQTT broker because my mobile/cellular provider doesn’t give access to some/most IP ports. I therefore had to use CloudMQTT, which works great, but I didn’t want to send my location (I am using OwnTracks) unencrypted from CloudMQTT to my broker, so I had to configure openHAB to accept a TLS connection with the MQTT binding.

Vincent,

What about changing the port of your mosquitto, or better, mapping a different external port to 8883 internally? Do you have access to your router?

In any case, let me know if I can help. If you have access, let me know the router model.

Thanks

Andrea