@Max_G @rlkoshak @sihui @Dim
I finally managed to make it work and I hope that you will find this short tutorial helpful.
Activating TLS on your mosquitto (and Owntracks).
I tried many times desperately to activate TLS and failed multiple times (and gave up for a while in between).
There are some tutorials on the web, but none of these helped me to understand the root cause.
In general it's required to generate some certificate files on the host running mosquitto (actually all the activities below have been done on my Raspberry Pi 2 running openHABian and OH2).
It might be trivial for most of the people here, but I am sure that there must be some out there who had similar problems to the ones I had.
So you need:
- Mosquitto running (it ran for quite a while on port 1883 without TLS).
- Generate server certificates (e.g. ca.crt, see below)
- Copy the files to the mosquitto subdir (see below as well)
- Activate TLS on mosquitto
- Encrypt and transfer the files …otrp and ca.crt to the phone
- Activate TLS in owntracks (activate iPhone.otrp with passphrase)
Actually most of the documentation is a patchwork from multiple sites, like
http://owntracks.org/booklet/features/tlscert/
and
http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt
So let's start with rockingdlabs first (I did not put all steps here, so please check the site as well):
Before step 2 (Setup a CA and generate the server certificates):
Modify Generate-CA.sh:
IPLIST="192.168.178.50 127.0.0.1"
HOSTLIST="localhost yourhostname something.from-outside.org "
Use generate-CA.sh for certificate generation after the change above.
You will get:
ca.crt, ca.key, ca.srl, myhost.crt, myhost.csr, myhost.key
(ca.crt will be needed on your phone later).
Copy the files:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp myhost.crt myhost.key /etc/mosquitto/certs/
Adjust mosquitto.conf accordingly:
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key
# Without this line a client certificate is optional; with it the broker rejects clients that do not present one signed by cafile.
require_certificate true
Connection without TLS is already ok:
mosquitto_sub -d -h something.from-outside.org -p 1883 -t 'owntracks/#'
Generate client certificates (see also Step 4 on the website mentioned above):
openssl genrsa -out iPhone.key 2048
openssl req -new -out iPhone.csr -key iPhone.key -subj "/CN=iPhone/O=example.com"
# Put extendedKeyUsage=clientAuth into the certificate itself. "-addtrust clientAuth" would only
# annotate the local PEM file with a trust setting; it does not sign an EKU into the certificate.
printf 'extendedKeyUsage=clientAuth\n' > client.ext
openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ./ca.srl -out iPhone.crt -days 3650 -extfile client.ext
Connection is ok (localhost):
# TLS 1.0 is deprecated; use tlsv1.2 (or omit --tls-version and let client and broker negotiate the newest version both support).
mosquitto_sub -d -h localhost -p 8883 --tls-version tlsv1.2 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'
as well as from outside:
mosquitto_sub -d -h something.from-outside.org -p 8883 --tls-version tlsv1.2 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t 'owntracks/#'
To transport it safely:
openssl pkcs12 -export \
  -in iPhone.crt \
  -inkey iPhone.key \
  -name "NCO's certificate/key" \
  -out iPhone.otrp
This will ask for a passphrase you need to put into your phone later (TLS Settings -> Client certificate -> passphrase)
Transfer the ca.crt and iPhone.otrp to your phone.
The otrp file can be imported into owntracks directly.
The ca.crt needs to be installed as a certificate on the phone as well.
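As an added, self-contained example (not from the post above, the openHAB/OwnTracks projects, or the rockingdlabs script), the script below performs the whole certificate side of the procedure offline: it builds a private CA, signs a server certificate whose subjectAltName lists the hostnames and IPs the broker is reached by (the names the client checks against -h), signs a client certificate with a real extendedKeyUsage=clientAuth extension, exports the client pair into a passphrase-protected PKCS#12 file like iPhone.otrp, and then verifies each piece the way a TLS client would. The hostnames, IPs, subject names and passphrase are assumptions; it needs only the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: private CA + server cert with
# SANs + client cert with clientAuth EKU, then offline verification and a
# passphrase-protected PKCS#12 (.otrp) bundle for the client.
# Requires the openssl CLI. All names, IPs and the passphrase are assumptions.
set -eu

# make_certs DIR PASSPHRASE: write ca.*, myhost.*, iPhone.* into DIR.
make_certs() (
  cd "$1" || exit 1
  pass="$2"

  # 1. CA. basicConstraints/keyUsage are set explicitly so that
  #    "openssl verify" (and the broker) accept it as an issuer.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -subj "/CN=Example MQTT CA/O=example.com" -out ca.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null

  # 2. Server certificate. A TLS client matches the host it connected to
  #    against subjectAltName, so every name/IP the broker is reached by goes here.
  openssl genrsa -out myhost.key 2048 2>/dev/null
  openssl req -new -key myhost.key -subj "/CN=myhost/O=example.com" -out myhost.csr
  printf 'subjectAltName=DNS:localhost,DNS:something.from-outside.org,IP:127.0.0.1,IP:192.168.178.50\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in myhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 3650 -extfile server.ext -out myhost.crt 2>/dev/null

  # 3. Client certificate with extendedKeyUsage=clientAuth encoded in the cert
  #    (openssl's -addtrust flag does not do this; it only annotates the PEM
  #    with a local trust setting).
  openssl genrsa -out iPhone.key 2048 2>/dev/null
  openssl req -new -key iPhone.key -subj "/CN=iPhone/O=example.com" -out iPhone.csr
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 3650 -extfile client.ext -out iPhone.crt 2>/dev/null

  # 4. Client cert + key in one PKCS#12 container, protected by the passphrase
  #    that is later typed into the phone. Only this file and ca.crt travel.
  openssl pkcs12 -export -in iPhone.crt -inkey iPhone.key -name "iPhone client" \
    -passout "pass:$pass" -out iPhone.otrp
)

# chain_ok CA CERT: does CERT chain to CA?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# name_ok CA HOST CERT: chain check plus hostname match against the SANs,
# i.e. what mosquitto_sub does when given --cafile and -h HOST.
name_ok() { openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; }

# cert_has CERT TEXT: is TEXT in the human-readable dump (e.g. an EKU name)?
cert_has() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# p12_opens FILE PASSPHRASE: does the .otrp decrypt with this passphrase?
p12_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }

# Stand-alone demo: ./mqtt-certs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d="$(mktemp -d)"
  make_certs "$d" "constructed-passphrase"
  name_ok "$d/ca.crt" something.from-outside.org "$d/myhost.crt" && echo "server cert valid for something.from-outside.org"
  chain_ok "$d/ca.crt" "$d/iPhone.crt" && echo "client cert chains to CA"
  echo "files written to $d"
fi
```

The name_ok check is the one that usually explains a "certificate verify failed" from mosquitto_sub or OwnTracks: the chain can be fine while the host you connected to is simply not in the server certificate's subjectAltName list, which is why IPLIST/HOSTLIST have to be filled in before the server certificate is generated.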