Installing Mosquitto for use with OwnTracks
Installing Mosquitto for use with OwnTracks
Repository
https://github.com/eclipse/mosquitto
http://mosquitto.org/
What Will I Learn?
Guide is intended to go through installing mosquitto MQTT broker. It will cover setting up the broker to accept encyrpted (TLS) connections.
Ths guide consists of information from a varity of other guides, which I will reference. Generally I found that there wasn't one guide that got me all the way through the setup. So this set of instructions is intended to pull the information together in one location.
This guide was put together as I installed this to do presense detection for OpenHab (which is outside the scope of this).
Requirements
Installation is on a Linnux Mint 18.2 machine so the same instructions should work with little or no modification on Unbuntu and Debian systems, based on Debian Strech.
Difficulty
The guide is of intermediate difficulty.
Firewalls and other security concerns about having a server open to the internet are not covered and you should make yourself aware of what that means.
Tutorial Contents
- Installing, testing and configuring mosquitto.
- Adding TLS authentication for security.
- Configuring router and OwnTracks to access mosquitto.
Install mosquitto
sudo apt-get install mosquitto mosquitto-clients
Simple mosquitto Test
Most simple
mosquitto_sub -h localhost -p 1883 -u username -P password -v -t '#'
Some instructions run this as root but it appears that isn't needed.
I put the password in because the android app only seemed to take configuration that had one.
Configuring mosquitto
Add a user
sudo mosquitto_passwd -c /etc/mosquitto/passwd myuser
Edit the conf
sudo vim /etc/mosquitto/mosquitto.conf
Add the lines
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
Note that the listener setup means non encrypted port is only available from the command line of the host. If you want to do testing on internal network then you may want to comment this out for a moment.
Checking that anonymous isn't allowed and authetication works.
This will fail
mosquitto_pub -h localhost -t "test" -m "hello world"
But using user name and password should work
mosquitto_pub -h localhost -t "test" -m "hello world" -u myuser -P thepasswdsetbefore
Configure mosquitto-tls
Generally follow what is outlined in the mosquitto docs (https://mosquitto.org/man/mosquitto-tls-7.html).
To get things to work with the OwnTracks Android app there is one notable difference that is outlined here (http://owntracks.org/booklet/features/tlscert/)
The following list of commands is the working combination of both sources of information.
Certificate Authority
Create ourselves a certificate authority, key and certificate.
openssl req -new -x509 -days 1001 -extensions v3_ca -keyout ca.key -out ca.crt
Take note of the password it will be needed later. It doesn't matter what is entered for the certificate information.
Server Key and Certificate
Here the important part is to create a server key without encryption. If it has encryption then mosquitto is unable to access the key.
openssl genrsa -out server.key 2048
Create a signing request (csr file is certificate signing request). The chanllenge password will be used in the next step.
openssl req -out server.csr -key server.key -new
Sign the certificate request with the Certificate Authority.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1001
Client Key and Certificate
An export password will be entered. This password will be used in the TLS screen of the OwnTracks App.
openssl pkcs12 -export -in ca.crt -inkey ca.key -out client.key
Install keys in Mosquitto
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp server.crt /etc/mosquitto/certs/
sudo cp server.key /etc/mosquitto/certs/
Modify the configuration to point to the tls files
sudo vim /etc/mosquitto/conf.d/default.conf
Then add the following lines
certfile /etc/mosquitto/certs/server.crt
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
Restart or start mosquitto
sudo systemctl restart mosquitto
Check the logs in /var/log/mosquitto/mosquitto.log for any problems.
After you have the Android side set up you will see connection logs in this file.
Configure your router or firewall
At this point you will ensure that you have a public domain name.
You might use something like (https://www.duckdns.org/) to update your dynamic IP address.
Port fowarding on your router is a path you will walk alone.
Install keys on Android.
Refer here: (http://owntracks.org/booklet/features/tls/)
I used the manual method.
Will need to get the certificate authority file ca.crt and the client key client.key on the android device.
The instructions in the own track booklet are good enough for th
Hey @p3t3,
Contribution in Documentation category on Utopian needs to be merged in the official repository.
And sadly your contribution is not merged in any official documentation.
Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]
Thanks for letting me know. I missed that it should have used the tutorial tag.
Congratulations @p3t3! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Do not miss the last post from @steemitboard:
Vote for @Steemitboard as a witness to get one more award and increased upvotes!