All,
This tutorial is intended to make life easier for those who would like to enable TLS on their Mosquitto broker.
I struggled a lot and gave up many times until I finally merged information from various sites into one that works for me.
(That’s no guarantee that it works for your specific setup, though.)
In general you need to generate some certificate files on the host running Mosquitto (all the activities below were done on my Raspberry Pi 2 running openHABian and OH2).
It might be trivial for most of the people here, but I am sure that there must be some out there who had similar problems to the ones I had.
So you need:
- Mosquitto running (it ran for quite a while on port 1883 without TLS).
- Generate the CA and server certificates (e.g. ca.crt, see below)
- Copy the files to the Mosquitto subdirectories (see below as well)
- Activate TLS on Mosquitto
- Encrypt and transfer the files …otrp and ca.crt to the phone
- Activate TLS in OwnTracks (import iPhone.otrp and enter its passphrase)
Actually most of the documentation is a patchwork from multiple sites, like
http://owntracks.org/booklet/features/tlscert/
and
http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt
(By the way, thanks to the creators of the sources mentioned above!)
So let’s start with rockingdlabs first (I did not put all steps here, so please check the site as well):
Before step 2 (Setup a CA and generate the server certificates):
Modify generate-CA.sh so that every address and host name a client will use to reach the broker is listed. These end up in the server certificate’s subjectAltName, and a TLS client only accepts the server certificate if the host it connected to appears there:
IPLIST="192.168.178.50 127.0.0.1"
HOSTLIST="localhost yourhostname something.from-outside.org"
(I am not really sure if this is required, but keeping in mind the problems I had, it’s pretty likely: those were that I wasn’t able to connect from outside my LAN.
Maybe some expert can confirm or refute this.)
Anyway…
Use generate-CA.sh for certificate generation after the change above.
You will get:
ca.crt, ca.key, ca.srl, myhost.crt, myhost.csr, myhost.key
(ca.crt will be needed on your phone later; ca.key must be kept secret, since anyone holding it can issue client certificates that your broker will accept).
Copy the files (and make sure myhost.key stays readable only by the user Mosquitto runs as):
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp myhost.crt myhost.key /etc/mosquitto/certs/
Adjust mosquitto.conf accordingly (these lines belong to the TLS listener on port 8883; if clients are to authenticate with certificates, that listener also needs require_certificate true):
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key
Check that the plain connection without TLS still works:
sudo mosquitto_sub -d -h something.from-outside.org -p 1883 -t 'owntracks/#'
(please make sure to open 1883 on your router, and close it again once TLS on 8883 works: an unencrypted broker reachable from the internet exposes your location updates to anyone on the path)
Generate client certificates (see also Step 4 on the website mentioned above; sudo is not needed for openssl here and only makes the key files root-owned):
openssl genrsa -out iPhone.key 2048
openssl req -new -out iPhone.csr -key iPhone.key -subj "/CN=iPhone/O=example.com"
openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ./ca.srl -out iPhone.crt -days 3650 -addtrust clientAuth
(Note that -addtrust only marks the output file as a "trusted certificate"; it does not add an extendedKeyUsage extension, so drop it if your openssl or client complains about the resulting file.)
This will create the following files:
iPhone.crt, iPhone.csr, iPhone.key
Connection is ok (localhost):
sudo mosquitto_sub -d -h localhost -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'
as well as from outside:
sudo mosquitto_sub -d -h something.from-outside.org -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'
(The host name given to -h must be one of the names in the server certificate. With current Mosquitto and OpenSSL builds, leave --tls-version out so that TLS 1.2 is negotiated; TLS 1.0 is usually no longer accepted.)
To transport the phone related certificate files safely, bundle them into a password-protected PKCS#12 file:
openssl pkcs12 -export -in iPhone.crt -inkey iPhone.key -name "NCO's certificate/key" -out iPhone.otrp
This asks for an export passphrase, which you enter on the phone later (TLS Settings -> Client certificate -> passphrase).
Transfer the ca.crt and iPhone.otrp to your phone.
The otrp file can be imported into owntracks directly.
The ca.crt needs to be installed as a certificate on the phone as well.
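The whole procedure above (CA, server certificate with the host names and IPs in its subjectAltName, client certificate, PKCS#12 bundle for the phone and the matching broker listener fragment) as one script, added here as an example; it is not part of the original post, of generate-CA.sh or of the rockingdlabs site. It uses plain openssl with an extensions file for clientAuth instead of -addtrust, and adds a few checks you can run before touching the phone. All host names, IP addresses, the CA name, the client name "iPhone" and the passphrase are placeholders; it writes into a temporary directory, so copy the files into /etc/mosquitto afterwards as described above.

```shell
#!/bin/sh
# Added example, not from the original post: certificate setup for a Mosquitto
# broker with client certificates, using plain openssl. All names/IPs below are
# placeholders (assumptions), adjust them to your own broker.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; copy the results to /etc/mosquitto afterwards
DAYS=3650
HOSTLIST="localhost myhost something.from-outside.org"   # names the broker is reached by
IPLIST="192.168.178.50 127.0.0.1"                         # addresses the broker is reached by

# Every name/IP a client may connect to must be in the server certificate's
# subjectAltName, otherwise hostname verification on the client side fails.
build_san() {
    san=""
    for h in $HOSTLIST; do san="${san}DNS:${h},"; done
    for i in $IPLIST;   do san="${san}IP:${i},"; done
    printf '%s' "${san%,}"
}

# Self-signed CA; ca.key is the secret that lets you issue client certificates.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days "$DAYS" \
        -subj "/CN=Home MQTT CA/O=example.com" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate signed by the CA, with SAN and serverAuth extensions.
make_server_cert() {
    openssl genrsa -out "$WORK/myhost.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/myhost.key" -subj "/CN=myhost/O=example.com" \
        -out "$WORK/myhost.csr" 2>/dev/null
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$(build_san)" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/myhost.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$WORK/server.ext" -out "$WORK/myhost.crt" 2>/dev/null
}

# Client certificate with a real extendedKeyUsage=clientAuth extension
# (-addtrust would only change the output format, it adds no extension).
make_client_cert() {
    name="$1"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name/O=example.com" \
        -out "$WORK/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -extfile "$WORK/client.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Cert + key bundled into the passphrase-protected PKCS#12 file OwnTracks imports.
bundle_for_phone() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -name "$1 certificate/key" -passout "pass:$2" -out "$WORK/$1.otrp" 2>/dev/null
}

# Listener fragment for mosquitto.conf; require_certificate makes the broker
# reject every client that does not present a certificate signed by ca.crt.
write_broker_conf() {
    cat > "$WORK/mosquitto-tls.conf" <<EOF
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key
require_certificate true
EOF
}

# Checks: does a cert chain to our CA, does the server cert carry the expected
# SAN entry, and does the .otrp file open with the passphrase you will type in?
chains_to_ca()    { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
server_has_san()  { openssl x509 -in "$WORK/myhost.crt" -noout -text | grep -q "$1"; }
otrp_opens_with() { openssl pkcs12 -in "$WORK/$1.otrp" -passin "pass:$2" -noout 2>/dev/null; }

make_ca
make_server_cert
make_client_cert iPhone
chmod 600 "$WORK"/*.key          # private keys are readable by their owner only
bundle_for_phone iPhone 'phone-passphrase'
write_broker_conf
echo "generated in $WORK:"; ls "$WORK"
# Once the files are installed and the listener is active, test from a client with:
# mosquitto_sub -h myhost -p 8883 --cafile ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'
```

Run it once, check the printed directory, then copy ca.crt, myhost.crt and myhost.key into the Mosquitto directories as above and ca.crt plus iPhone.otrp to the phone. Never use mosquitto_sub's --insecure to make a hostname mismatch go away; add the missing name to HOSTLIST and reissue the server certificate instead.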
That should be it to be able to connect with TLS to your mosquitto broker.
Hope it helps.
For those who would like to use Let’s Encrypt certificates as an alternative, please check out a short hint from @rlkoshak: