OH1: OwnTracks, rPi, certificates

I have OwnTracks working on my local rPi via WiFi.
Now it is time to connect it remotely.

I have read the booklet (manual) at OwnTracks and created certificates via their provided generate-CA.sh utility. It generates 3 files: ca.srl, ca.crt and ca.key.
It then goes on to configure the MQTT broker (mosquitto) to as follows:

listener 8883
cafile ca-bundle.crt
certfile server.crt
keyfile server.key

However, I have no ca-bundle.crt file; the utility above created only two of the three file.
I guess the three correctly named files come from startssl.com, but the pages/files are no longer available.

I have an open port listening on 8883 (tested) working.

My question:
Can someone please point me in the right direction for one functioning connection type of the iPhone with the MQTT broker?

Considering that mosquitto allows anonymous connection, OwnTracks should be able to send to my broker? (Cert, auth, tls all disabled – for testing).

I use OwnTracks (with OT-Recorder) without using communications encryption between the clients and the MQTT broker .

I have enabled authentication (simple username/password combo) to allow access (1883) to the Mosquitto from the remote clients (including OT on iPhone). I have disabled TLS on the client (mobile app) side.

I remember that I tried enabling encryption (8883) on the MQTT Broker on my rPi3 but I gave up after some time :slight_smile: It’s also a mess to store the encryption keys on the iPhone…

I have created a Mosquitto Users file in /etc/mosquitto/passwd and I add there all my credentials (OH2RC1 uses a user to access MQTT, Owntracks Mobile App uses another user, common to all devices, ESP/Arduinos use another, etc, etc)

Make sure that you have port forwarding enabled on your Internet Gateway to route/NAT port 1883 back to your Mosquitto from the internet.

1 Like

I remember when setting this up almost a year ago it took me at least two days …

I did not read through the owntracks manual again, so if it did not change:

The script assumed you have a etc/mosquitto/TLS subdir which I had to create manually.
The generated files have to be renamed to match the servers network name and the full path to the files have to be in mosquitto.conf, so in my case it looks like:

listener 1883
listener 8883
tls_version tlsv1
cafile /etc/mosquitto/conf.d/ca.crt
certfile /etc/mosquitto/conf.d/raspberrypi3.crt
keyfile /etc/mosquitto/conf.d/raspberrypi3.key

The tls_version tlsv1 was necessary because of some incompatibility with … I don’t remember, but I think it was mentioned on git where the script files are located.

Have fun :slight_smile:

Edit: and all files in /etc/mosquitto and subdirs have to be user:group mosquitto:mosquitto to function properly …

1 Like

I did manage to get Mosquitto encryption working shortly before my machine crashed using LetsEncrypt certs. I only had TLS enabled (I did not require the client to present a cert) to connect.

Once you get it working with the self signed certs you might consider looking into that. Since the LetsEncrypt CA is trusted already I don’t think you need to copy anything to your iPhone.

As I rebuild my machine I’ll write up a tutorial for using LetsEncrypt with MQTT. It won’t go as far as OwnTracks as I only use this to let Tasker inject some MQTT into my HA system.

1 Like

Thank you all for your replies…

The simplest way to get a connection (and also the most unsecure) is adding the listener; e.g. listener 8883, create a port forward in the LAN/WAN router, set the IP/port values in OwnTracks and it works.

What I find a short-coming of MQTT is the fact that it has global and per listener settings. The documentation does not identify what a local and global setting is; the issue has been raised on Git.

I put allow_anonymous = false (thinking it would be local to 8883) but this is a global setting, hence, neither OH nor the devices could talk to MQTT anymore.

Since I want to test the functionality of OwnTracks before doing anything further with it, this set-up will do.

As for documentation I’d love to do something there, but most of the stuff I try to do, hardly ever ends up in a fully and proper working solution. :frowning:

I’ve found even half baked tutorials that end with “and now I’m stuck” will generate lots of help. :yum:

What helped me a lot (although I am not done completely) is:

But when it comes to the test (Point 3) I had to use this for testing.
mosquitto_sub --tls-version tlsv1 -h localhost --cafile /etc/mosquitto/ca_certificates/ca.crt -p 8883 -v -t ‘owntracks/#’ –d

After this turorial mentioned above I was able to connect (locally with the certificate using the mosquitto setting “require_certificate true”.

However, when trying to connect from the outside, I do not get a connection (port 8883 is open) and I get in mosquitto.log:

1487404764: New connection from on port 8883.
1487404764: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

So, what’s the difference between the connection within my LAN and from the internet in regards to the TLS encryption?

Solved it.
Howto will follow soon.

1 Like

@Max_G @rlkoshak @sihui @Dim

I finally managed to make it work and I hope that you will find this short turorial helpful

Activating TLS on your mosquitto (and Owntracks).

I tried many times desperately to activate TLS and failed multiple times (and gave up for a while in between).
There are some tutorials on the web, but none of these helped me to understand the root cause.

In general it’s required to generate some certificate files on the host running mosquitto (actually all the activities below have been done on my raspberry 2 running openHABian and OH2.

It might be trivial for most of the people here, but I am sure that there must be some out there who had similar problems than I had.

So you need:

  1. Mosquitto running (it ran for quite a while on port 1883 without TLS).
  2. Generate server certificates (e.g. ca.crt see below)
  3. Copy the files to the mosquitto subdir (see below as well)
  4. Activate TLS on mosquitto
  5. Encrypt and transfer the files …otrp and ca.crt to the phone
  6. Activate TLS in owntracks (activate iPhone.otrp with passphrase)

Actually most of the documentation is a patchwork from multiple sites, like

So let‘s start with rockingdlabs first (I did not put all steps here so please check the site as well).:

Before step 2 (Setup a CA and generate the server certificates):
Modify Generate-CA.sh:
HOSTLIST="localhost yourhostname something.from-outside.org "

Use generate-CA.sh for certificate generation after change above
You will get:
ca.crt, ca.key, ca.srl, myhost.crt, myhost.csr,
(ca.crt will be needed on your phone later).

Copy the files:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp myhost.crt myhost.key /etc/mosquitto/certs/

Adjust mosquito conf accordingly:
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key

Connection without TLS is already ok:
sudo mosquitto_sub -d -h something.from-outside.org -p 1883 -t ‘owntracks/#’ -d

Generate client certificates (see also Step 4 on the website mentioned above):
sudo openssl genrsa -out iPhone.key 2048
sudo openssl req -new -out iPhone.csr -key iPhone.key -subj "/CN=iPhone/O=example.com"
sudo openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ./ca.srl -out iPhone.crt -days 3650 -addtrust clientAuth

Connection is ok (localhost):
sudo mosquitto_sub -d -h localhost -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t ‘owntracks/#’ –d

as well as from outside:
sudo mosquitto_sub -d -h something.from-outside.org -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/cart --cert iPhone.crt --key iPhone.key -t ‘owntracks/#’ –d

To transport it safely:
openssl pkcs12
-in iPhone.crt
-inkey iPhone.key
-name “NCO’s certificate/key”
-out iPhone.otrp

This will ask for a passphrase you need to put into your phone later (TLS Settings -> Client certificate -> passphrase)

Transfer the ca.crt and iPhone.otrp to your phone.
The otrp file can be imported into owntracks directly.
The ca.crt needs to be installed as a certificate on the phone as well.


Great tutorial. I always have to browse around Google every time I have to redo mine.

The only think I can possible add is that it is possible to use the LetsEncrypt certs in Mosquitto as well if you don’t want to have to generate your own and you have already acquired some for a reverse proxy setup.

My only request would be for you to create a new Thread under Tutorials and paste this in there so it is easier to find for new users.

Sure, will do. Good point.
Please feel free to add your suggestions about Let’sEncrypt then. I don’t have checked out that option.

Its really simple actually. Follow the instructions in the Nginx reverse proxy tutorial to acquire the certs.

Then use the paths to the files in /etc/letsencrypt/live/<your domain> for the server certs and key. The “fullchain.pem” contains the CA.cert I believe, but since LetsEncrypt is already a trusted CA, you shouldn’t have to import the CA.crt on the client.

Note that this is only for setting up TLS with any client. The generation of the client certs I believe are still required. And I’m not 100% certain you can do both server and client with letsencrypt as I don’t remember if the two can have different CAs.


1 Like