Sure guys, just finished going through the process.
a) certificates: created using
openssl genrsa -des3 -out ca.key 2048
(generates ca key)
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
(generates cert auth certificate)
openssl genrsa -out server.key 2048
(server key pair)
openssl req -new -key server.key -out server.csr
(server cert request)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 18000
(server cert)
A couple of notes about this.
a) here is a template of the data I filled in:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:ITALY
Locality Name (eg, city) :Rome
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EDcertAuthority
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :E. Dolis
Email Address :exxxxxxxxx@gmail.com
The data filled in for the server should be different; in the end it makes sense, as a CA authority should be different from the entity requesting the cert. I read that if the data are exactly the same, things break because the two certs are nearly the same (?!)
b) watch the durations. I have so far tested the setup with the CA key issued for 1826 days and the server cert for 360. Since this cert is just for private use in my network, I wanted to push it further. I tried a high value for CA days and the resulting certificates seem to be invalid for mosquitto (the service won't start).
As you see, I have pushed the server cert to a 50-year-ish value and the server starts fine; I need to test it in the running env though.
b) mosquitto.conf (add a file in the conf.d folder)
log_type all
log_type error
log_type warning
connection_messages true
log_timestamp true
allow_anonymous false
password_file /etc/mosquitto/passwd
#SSL certificates
# note: if you want to restrict non-TLS connections to localhost, add localhost at the end of the following line
listener 1883
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
cafile /etc/mosquitto/ca_certificates/ca.crt
Other note: you create the usernames and passwords in mosquitto using Steve's directions.
I had some issues as I used some command and discovered that the user entries were not concatenated. That is, the password file was regenerated. Maybe I did something wrong; I didn't track back the issue, I just solved it by appending the contents manually.
That is to say, if you created a new user, just check that its entry is not replacing the previous ones.
Once this is done, well, everything should be set. I tested using an MQTT Explorer session (you need to add the ca.crt to the server certificates, plus settings: validate -> no, TLS -> yes), not from localhost, and both the TLS and the plain username/password connections go through.
On the OpenHAB 3 side, here are the settings:
UID: mqtt:broker:MOSQ_BROKER
label: Mosquitto broker
thingTypeUID: mqtt:broker
configuration:
  lwtQos: 0
  publickeypin: true
  keepAlive: 60
  clientid: f257ef8b-6490-4df8-9b03-64def5bf0f8b
  certificate: CAB1697C204DE83771A3511E2137347899D4D3A4AB494C2725A151795CBB17F0
  publickey: AE9E2E08D4C0E2EFC0FB7C6E69A07F0415DA6913B0EA4C9CC4B9F8AE4934DCDC
  secure: true
  certificatepin: true
  password: **********
  qos: 0
  reconnectTime: 60000
  host: localhost
  lwtRetain: true
  username: openHAB
  enableDiscovery: true
The only settings I keyed in were host, username and password. I noticed that when changing certificates I get an error related to pinning; I simply recreated the thing. I guess that when I've got more time I'll try to understand more about this pinning thing.
Well, if this helped in any way and you wish to reciprocate, please solve this riddle of mine: how do I read the logs of mosquitto in Raspbian? Very new to Linux and still not managed to do that.
EDIT:
I figured it out. Sheer luck: sudo journalctl -u mosquitto.service -b
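As an added example (not part of the post above), here are the same openssl steps from section a) made non-interactive with `-subj`, plus two things the interactive walkthrough leaves out: a subjectAltName on the server cert so clients can verify the broker hostname, and an `openssl verify` chain check that would catch the "CA and server data exactly the same" problem from note a) (a cert whose issuer equals its subject looks self-signed and will not chain to the CA). Hostnames, DN values and directories are placeholders; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: non-interactive CA + server cert generation for a private
# Mosquitto broker, followed by a chain/hostname check. All names are placeholders.
set -eu

make_certs() {
  dir="$1"              # output directory (placeholder)
  host="$2"             # broker hostname clients will connect to, e.g. mqtt.home.lan
  ca_days="${3:-1826}"  # same CA lifetime the post uses
  srv_days="${4:-365}"
  mkdir -p "$dir"
  # CA key and self-signed CA cert (key left unencrypted; add -aes256 to protect it)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days "$ca_days" -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=IT/O=ExampleHomeCA/CN=Example Home CA" 2>/dev/null
  # Server key and CSR; the DN deliberately differs from the CA's DN
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=IT/O=ExampleHome/CN=$host" 2>/dev/null
  # Extensions for the issued cert: SAN for hostname checks, marked as a leaf, server use only
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$srv_days" -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if server.crt chains to ca.crt, carries the expected SAN,
# and is not accidentally self-signed (issuer == subject).
check_certs() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
  issuer=$(openssl x509 -in "$dir/server.crt" -noout -issuer)
  subject=$(openssl x509 -in "$dir/server.crt" -noout -subject)
  [ "${issuer#issuer=}" != "${subject#subject=}" ]
}
```

Copy ca.crt, server.crt and server.key to the paths named in the mosquitto.conf above and run `check_certs` again after any re-issue; a change of CA is also what makes OpenHAB's pinning complain, so expect to recreate the thing then.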