Mosquitto
Mosquitto is an open source MQTT message broker written in C. It also provides the tools mosquitto_sub and mosquitto_pub for subscription and publication.
License
All relevant legal information can be found here
Prerequisites
If you want to use Mosquitto with a custom domain you need to set it up first:
[isabell@stardust ~]$ uberspace web domain list
isabell.uber.space
[isabell@stardust ~]$
Installation
Luckily, Mosquitto is preinstalled on Uberspace hosts. We just need to configure it (see below).
Configuration
We’re setting up the broker to be reachable via a dedicated TCP port (as opposed to MQTT over WebSockets). The communication will be secured using TLS encryption and password authentication.
Copy default config
Copy the default (preinstalled) configuration to ~/etc/mosquitto.
[isabell@stardust ~]$ mkdir -p ~/etc/mosquitto/
[isabell@stardust ~]$ cp /etc/mosquitto/mosquitto.conf ~/etc/mosquitto/
[isabell@stardust ~]$
Open firewall port
To make the application accessible from the outside, open a port in the firewall:
[isabell@stardust ~]$ uberspace port add
Port 40132 will be open for TCP and UDP traffic in a few minutes.
[isabell@stardust ~]$
Update config
Uncomment and update the following configuration values in ~/etc/mosquitto/mosquitto.conf.
Update certfile and keyfile to match the certificates of the domain you want to use Mosquitto with.
The last two values ensure that only registered users are allowed.
cafile /etc/ssl/certs/ca-bundle.crt
certfile /home/isabell/etc/certificates/isabell.uber.space.crt
keyfile /home/isabell/etc/certificates/isabell.uber.space.key
port 40132
allow_anonymous false
password_file /home/isabell/etc/mosquitto/passwd
Create user(s)
Create a password file for the first user. To add more users, omit -c, which creates (overwrites) the given file.
[isabell@stardust ~]$ mosquitto_passwd -c ~/etc/mosquitto/passwd isabell
Password: [hidden]
Reenter password: [hidden]
[isabell@stardust ~]$
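The authentication and TLS settings above can be checked mechanically before the broker is started. The script below is an added example, not part of the original guide or of Mosquitto; the function names (conf_get, finding, audit_mosquitto_conf, make_sample) and the sample files are constructed for illustration.

```shell
# Added example: audit a mosquitto.conf for the auth/TLS settings set above.

# Print the last active (uncommented) value of directive $2 in file $1.
conf_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}
finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print one line per finding; the exit status is the number of findings.
audit_mosquitto_conf() {
    conf=$1
    findings=0
    [ "$(conf_get "$conf" allow_anonymous)" = "false" ] ||
        finding "allow_anonymous is not explicitly set to false"
    for key in certfile keyfile; do
        path=$(conf_get "$conf" "$key")
        { [ -n "$path" ] && [ -r "$path" ]; } ||
            finding "$key is unset or unreadable: '$path'"
    done
    pwfile=$(conf_get "$conf" password_file)
    if [ -z "$pwfile" ] || [ ! -f "$pwfile" ]; then
        finding "password_file is unset or missing: '$pwfile'"
    elif [ "$(ls -ld "$pwfile" | cut -c5-10)" != "------" ]; then
        finding "password_file is accessible to group or others: $pwfile"
    fi
    return "$findings"
}

# Constructed sample: a config shaped like the guide's, written to directory
# $1, with placeholder certificate files and a world-readable password file.
make_sample() {
    touch "$1/sample.crt" "$1/sample.key" "$1/passwd"
    chmod 644 "$1/passwd"
    cat > "$1/mosquitto.conf" <<EOF
#allow_anonymous true
certfile $1/sample.crt
keyfile $1/sample.key
port 40132
allow_anonymous false
password_file $1/passwd
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
audit_mosquitto_conf "$demo/mosquitto.conf" || echo "$? finding(s)"
chmod 600 "$demo/passwd"
audit_mosquitto_conf "$demo/mosquitto.conf" && echo "no findings"
rm -rf "$demo"
```

To check the real configuration, call audit_mosquitto_conf ~/etc/mosquitto/mosquitto.conf instead of the constructed sample.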
Finishing installation
Setup daemon
Create the file ~/etc/services.d/mosquitto.ini with the following content:
[program:mosquitto]
command=mosquitto -c %(ENV_HOME)s/etc/mosquitto/mosquitto.conf
autostart=yes
autorestart=yes
startsecs=30 ; prevent broken service from looping
After creating the configuration, tell supervisord to refresh its configuration and start the service:
[isabell@stardust ~]$ supervisorctl reread
SERVICE: available
[isabell@stardust ~]$ supervisorctl update
SERVICE: added process group
[isabell@stardust ~]$ supervisorctl status
SERVICE RUNNING pid 26020, uptime 0:03:14
[isabell@stardust ~]$
Automate certificate reloading
To ensure Mosquitto uses the latest certificates, restart the service monthly, e.g. by creating a cron job via crontab -e.
@monthly supervisorctl restart mosquitto > /dev/null
Test
Note
Note that the following commands expose your password to anyone who can view running processes, so use only with test data!
Subscription
After successful subscription, incoming messages as well as pings are printed to the command line. Quit with CTRL+C.
[isabell@stardust ~]$ mosquitto_sub --host isabell.uber.space --port 40132 --topic isabellstesttopic --tls-version tlsv1.2 --cafile /etc/ssl/certs/ca-bundle.crt --username isabell --pw yoursecretpassword --debug
Client mosq-XXXXXXXXXXXXXXXXXX sending CONNECT
Client mosq-XXXXXXXXXXXXXXXXXX received CONNACK (0)
Client mosq-XXXXXXXXXXXXXXXXXX sending SUBSCRIBE (Mid: 1, Topic: isabellstesttopic/, QoS: 0, Options: 0x00)
Client mosq-XXXXXXXXXXXXXXXXXX received SUBACK
Subscribed (mid: 1): 0
Client mosq-XXXXXXXXXXXXXXXXXX sending PINGREQ
Client mosq-XXXXXXXXXXXXXXXXXX received PINGRESP
^C
[isabell@stardust ~]$
Publication
[isabell@stardust ~]$ mosquitto_pub --message "Hello world" --host isabell.uber.space --port 40132 --topic isabellstesttopic --tls-version tlsv1.2 --cafile /etc/ssl/certs/ca-bundle.crt --username isabell --pw yoursecretpassword --debug
Client mosq-XXXXXXXXXXXXXXXXXX sending CONNECT
Client mosq-XXXXXXXXXXXXXXXXXX received CONNACK (0)
Client mosq-XXXXXXXXXXXXXXXXXX sending PUBLISH (d0, q0, r0, m1, 'isabellstesttopic/', ... (11 bytes))
Client mosq-XXXXXXXXXXXXXXXXXX sending DISCONNECT
[isabell@stardust ~]$
Client configuration
To make the usage of mosquitto_sub and mosquitto_pub more comfortable and secure, you can create config files for them with the default arguments you always need to provide.
Create the file ~/.config/mosquitto_sub with the following content:
--cafile /etc/ssl/certs/ca-bundle.crt
--host isabell.uber.space
--port 40132
--username isabell
--pw yoursecretpassword
Create a symlink to this file for mosquitto_pub, so you only need to manage a single file:
[isabell@stardust ~]$ cd ~/.config
[isabell@stardust ~/.config]$ ln -s mosquitto_sub mosquitto_pub
[isabell@stardust ~/.config]$ chmod 600 mosquitto_sub
Now you can omit these arguments when running the commands, and the authentication arguments will not be exposed.
Tested with Mosquitto 1.6.10, Uberspace 7.7.9.0
Written by: André Birke <https://github.com/abirke>, Tim Hetkämper <https://github.com/transistortim>