Installing Mosquitto for use with OwnTracks

in #utopian-io, 6 years ago (edited)


Repository

https://github.com/eclipse/mosquitto
http://mosquitto.org/

What Will I Learn?

This guide walks through installing the Mosquitto MQTT broker. It covers setting up the broker to accept encrypted (TLS) connections.

This guide consists of information from a variety of other guides, which I will reference. Generally I found that there wasn't one guide that got me all the way through the setup, so this set of instructions is intended to pull the information together in one location.

This guide was put together as I installed Mosquitto to do presence detection for OpenHab (which is outside the scope of this guide).

Mosquitto logo

Requirements

Installation is on a Linux Mint 18.2 machine, so the same instructions should work with little or no modification on Ubuntu and Debian systems based on Debian Stretch.

Difficulty

The guide is of intermediate difficulty.

Firewalls and other security concerns about having a server open to the internet are not covered and you should make yourself aware of what that means.

Tutorial Contents

  • Installing, testing and configuring mosquitto.
  • Adding TLS authentication for security.
  • Configuring router and OwnTracks to access mosquitto.

Install mosquitto

http://mosquitto.org/

sudo apt-get install mosquitto mosquitto-clients

Simple mosquitto Test

The simplest test subscribes to every topic:

mosquitto_sub -h localhost -p 1883 -u username -P password -v -t '#'

Some instructions run this as root, but that doesn't appear to be needed.
I put the password in because the Android app only seemed to accept a configuration that had one.

Configuring mosquitto

Add a user

sudo mosquitto_passwd -c /etc/mosquitto/passwd myuser

Edit the configuration file:
sudo vim /etc/mosquitto/mosquitto.conf

Add the lines

allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883

Note that this listener setup means the non-encrypted port is only reachable from the command line of the host itself. If you want to do testing from the internal network, you may want to comment the localhost restriction out for a moment.

Check that anonymous access isn't allowed and that authentication works.

This will fail

mosquitto_pub -h localhost -t "test" -m "hello world"

But using user name and password should work

mosquitto_pub -h localhost -t "test" -m "hello world" -u myuser -P thepasswdsetbefore

Configure mosquitto-tls

Generally follow what is outlined in the mosquitto docs (https://mosquitto.org/man/mosquitto-tls-7.html).

To get things to work with the OwnTracks Android app there is one notable difference, which is outlined here (http://owntracks.org/booklet/features/tlscert/).

The following list of commands is the working combination of both sources of information.

Certificate Authority

Create ourselves a certificate authority, key and certificate.

openssl req -new -x509 -days 1001 -extensions v3_ca -keyout ca.key -out ca.crt

Take note of the password; it will be needed later. It doesn't matter what is entered for the certificate information.

Server Key and Certificate

Here the important part is to create a server key without encryption. If the key is encrypted, Mosquitto is unable to access it.

openssl genrsa -out server.key 2048

Create a signing request (the csr file is a certificate signing request). The challenge password will be used in the next step.

openssl req -out server.csr -key server.key -new

Sign the certificate request with the Certificate Authority.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1001

Client Key and Certificate

You will be asked for an export password. This password will be used in the TLS screen of the OwnTracks app.

openssl pkcs12 -export -in ca.crt -inkey ca.key -out client.key
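The certificate steps above, as an added shell script that is not part of the original post or of the Mosquitto or OwnTracks projects. It runs the same openssl commands non-interactively and then checks what the broker and the app depend on; the hostname broker.example.invalid and the default passphrases are assumed placeholders, and the subjectAltName it adds to the server certificate goes beyond the guide's commands so that a client's hostname check can succeed.

```shell
# Added example, not from the original post: the certificate steps of this
# guide run non-interactively, plus the checks Mosquitto and the app need.
# Subjects are given with -subj, passphrases come from CA_PASS / EXPORT_PASS,
# and the server certificate gets a subjectAltName for the broker's public
# hostname. Hostname and default passphrases are assumed placeholders.
set -eu
CA_PASS=${CA_PASS:-change-me-ca}              # placeholder CA passphrase
EXPORT_PASS=${EXPORT_PASS:-change-me-export}  # placeholder, typed into OwnTracks

make_broker_certs() {                    # $1 = output dir, $2 = broker hostname
  dir=$1; host=$2
  mkdir -p "$dir"
  # Certificate authority; its key is passphrase-protected, as in the guide.
  openssl req -new -x509 -days 1001 -extensions v3_ca -newkey rsa:2048 \
    -subj "/CN=OwnTracks home CA" -passout "pass:$CA_PASS" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key WITHOUT encryption: Mosquitto cannot open an encrypted key.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null
  # Sign with the CA; the extfile adds the SAN used for hostname verification.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -extfile "$dir/san.ext" \
    -out "$dir/server.crt" -days 1001 2>/dev/null
  # Client bundle as the guide builds it: CA cert + CA key in a PKCS#12 file.
  openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
    -passin "pass:$CA_PASS" -passout "pass:$EXPORT_PASS" -out "$dir/client.key"
}

# Returns 0 only if server.crt chains to ca.crt and names the host, server.key
# is unencrypted, and client.key opens with the export password.
verify_broker_certs() {                  # $1 = output dir, $2 = broker hostname
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
  if grep -q ENCRYPTED "$dir/server.key"; then return 1; fi
  openssl pkcs12 -in "$dir/client.key" -passin "pass:$EXPORT_PASS" -noout \
    >/dev/null 2>&1 || return 1
  return 0
}

# Usage: CA_PASS=... EXPORT_PASS=... sh make_certs.sh ./out broker.example.invalid
if [ $# -eq 2 ]; then
  make_broker_certs "$1" "$2" && verify_broker_certs "$1" "$2" && echo "certificates OK in $1"
fi
```

If verify_broker_certs fails right after a run, check the server key first: an encrypted key is the failure mode the guide warns about, and the broker logs it as an error when loading the listener.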

Install keys in Mosquitto

sudo cp ca.crt /etc/mosquitto/ca_certificates/

sudo cp server.crt /etc/mosquitto/certs/
sudo cp server.key /etc/mosquitto/certs/

Modify the configuration to point to the TLS files:

sudo vim /etc/mosquitto/conf.d/default.conf

Then add the following lines

certfile /etc/mosquitto/certs/server.crt
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
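An added check, not from the original post, for the two configuration fragments above (mosquitto.conf and conf.d/default.conf): Mosquitto binds certfile, cafile and keyfile to whichever listener was declared most recently, and include_dir pulls conf.d/*.conf in at the point where that line sits, so the TLS lines only reach port 8883 because "listener 8883" is the last listener declared before the include. The script merges the files the same way and reports where the TLS options landed; it assumes the files contain only the directives used in this guide.

```shell
# Added example, not from the original post. Mosquitto attaches
# certfile/cafile/keyfile to the most recently declared listener, and include_dir
# splices conf.d/*.conf in where that line sits, so the TLS lines in
# conf.d/default.conf reach port 8883 only because "listener 8883" is the last
# listener declared before the include. This expands the includes the same way
# and reports where the TLS options landed. Assumes only this guide's directives.

# Print the effective configuration with include_dir expanded in place.
expand_conf() {                      # $1 = path to the main mosquitto.conf
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      include_dir*)
        dir=${line#include_dir}; dir=${dir# }
        for f in "$dir"/*.conf; do
          if [ -f "$f" ]; then cat "$f"; fi
        done ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# Summarise the security-relevant directives, e.g.
#   tls_listener=8883 allow_anonymous=false password_file=/etc/mosquitto/passwd
check_conf() {                       # $1 = path to the main mosquitto.conf
  expand_conf "$1" | awk '
    BEGIN { cur = "default" }                    # options before any listener
    /^[[:space:]]*#/ || NF == 0 { next }         # skip comments and blank lines
    $1 == "listener"        { cur = $2 }         # later options bind to this port
    $1 ~ /^(certfile|cafile|keyfile)$/ { tls = cur }
    $1 == "allow_anonymous" { anon = $2 }
    $1 == "password_file"   { pw = $2 }
    END {
      if (tls == "")  tls = "none"
      if (anon == "") anon = "true"              # the broker default
      if (pw == "")   pw = "none"
      printf "tls_listener=%s allow_anonymous=%s password_file=%s\n", tls, anon, pw
    }'
}

# Exit 0 only when TLS is bound to 8883, anonymous access is off and a password file is set.
conf_ok() {                          # $1 = path to the main mosquitto.conf
  s=$(check_conf "$1")
  case "$s" in *"tls_listener=8883 "*) ;; *) return 1 ;; esac
  case "$s" in *"allow_anonymous=false "*) ;; *) return 1 ;; esac
  case "$s" in *"password_file=none"*) return 1 ;; esac
  return 0
}
```

Run check_conf /etc/mosquitto/mosquitto.conf before restarting the broker; a listener declared after the TLS lines (for example in conf.d) would silently move the certificates onto the wrong port.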

Restart or start mosquitto

sudo systemctl restart mosquitto

Check the logs in /var/log/mosquitto/mosquitto.log for any problems.

After you have the Android side set up you will see connection logs in this file.

Configure your router or firewall

At this point you will need to make sure that you have a public domain name.
You might use something like DuckDNS (https://www.duckdns.org/) to keep it pointed at your dynamic IP address.

Port forwarding on your router is a path you will walk alone.

Install keys on Android.

Refer here: (http://owntracks.org/booklet/features/tls/)
I used the manual method.

You will need to get the certificate authority file ca.crt and the client key client.key onto the Android device.

The instructions in the OwnTracks booklet are good enough for th


Hey @p3t3,
Contributions in the Documentation category on Utopian need to be merged in the official repository.

And sadly your contribution is not merged in any official documentation.


Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]

Thanks for letting me know. I missed that it should have used the tutorial tag.
