Recently I’ve been playing with MQTT (mosquitto) and also with Let’s Encrypt. Putting the two together isn’t hard, but there are a few challenges.

Set up Let’s Encrypt

I currently use nginx to serve files. Since I already have a webserver running, I found it much easier to use letsencrypt with the webroot authenticator, which only needs to write challenge files under the directory nginx serves. Below is basically the config file I have for frcv.net, with the domain and e-mail address replaced by placeholders.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
email = youremail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

webroot-path = /usr/share/nginx/yourdomain

domains = yourdomain, www.yourdomain

Then I use this config to generate the letsencrypt certs.

letsencrypt certonly -c /etc/letsencrypt/frcv.net.ini

Configure Mosquitto

Now we can use the same cert for mosquitto with one small addition: a keyfile bundle containing the private key followed by the full chain. Two things to keep in mind about that bundle. It contains the private key, so it must be readable only by root and the user mosquitto runs as. And unlike the files the letsencrypt client manages under live/ (which are symlinks into archive/ that get repointed on renewal), it is a plain copy, so it will silently keep the old key after a renewal; rebuild it every time the certificate is renewed.

cat /etc/letsencrypt/live/yourdomain/{privkey,fullchain}.pem > /etc/letsencrypt/live/yourdomain/keyfile.pem

Then we can use all this in our mosquitto config. A listener with certfile and keyfile set is a TLS listener; the port on the listener line has to match whatever clients connect to (the mosquitto_sub commands further down use 4886, while the snippet shows 1883, so adjust one or the other).

listener 1883
max_connections -1
cafile /etc/letsencrypt/live/yourdomain/chain.pem
certfile /etc/letsencrypt/live/yourdomain/cert.pem
keyfile /etc/letsencrypt/live/yourdomain/keyfile.pem

Connecting

This is where I ran into most of my problems. mosquitto_sub doesn’t actually use TLS unless you pass the --cafile or --capath option; without one of them it connects in plaintext. I found the --cafile option to be the easier of the two. On Arch I was able to use /etc/ssl/cert.pem. If you are on a system that doesn’t have the Let’s Encrypt root in its trust store, you can download the DST Root CA X3 cert or get it from me. (Note that DST Root CA X3 has since expired, in September 2021, and Let’s Encrypt chains now anchor on ISRG Root X1, so check which root currently signs the chain before pinning one. Also resist the temptation to add --insecure to make a failing connection work: that disables hostname verification and leaves you open to a man-in-the-middle.)

mosquitto_sub -v -h frcv.net -p 4886 -t '#' --cafile /etc/ssl/cert.pem  # CA from your system

or

mosquitto_sub -v -h frcv.net -p 4886 -t '#' --cafile letsencrypt_root_ca.pem.txt # CA from letsencrypt
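The following script is an added example, not code from the original post, and it covers both the bundle step in the Configure Mosquitto section and the client check in this section. It rebuilds the keyfile bundle in a renewal-safe way (atomic write, restrictive mode, outside /etc/letsencrypt/live), sanity-checks the result, and then verifies the broker’s chain from the client side before subscribing. Everything beyond what the post shows is an assumption: the broker running under systemd as group `mosquitto`, the bundle path `/etc/mosquitto/certs/keyfile.pem`, the `RENEWED_LINEAGE` variable that newer certbot versions export to deploy hooks, and the function names `build_bundle`, `bundle_ok`, `deploy_hook`, `check_broker` and `sub_tls`. The port 4886 is the one from the post’s mosquitto_sub commands.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (change to taste):
#   - the mosquitto broker runs as system group "mosquitto" under systemd,
#   - the bundle lives at /etc/mosquitto/certs/keyfile.pem (outside live/),
#   - the listener port is the 4886 used by the post's mosquitto_sub commands,
#   - RENEWED_LINEAGE is set by a certbot deploy hook (newer clients only).
set -eu

# build_bundle LIVE_DIR OUT_FILE [GROUP]
# Concatenates privkey.pem + fullchain.pem into OUT_FILE atomically. mktemp
# creates the temp file 0600, so the private key is never world-readable even
# for an instant; the final mode is 0640 root:GROUP. OUT_FILE should sit outside
# /etc/letsencrypt/live, whose symlinks are replaced on every renewal while a
# file we wrote there would silently keep the old key.
build_bundle() {
    live_dir=$1
    out_file=$2
    group=${3:-mosquitto}   # assumption: the broker's group
    for f in privkey.pem fullchain.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    tmp=$(mktemp "$(dirname "$out_file")/.keyfile.XXXXXX")
    cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$tmp"
    chgrp "$group" "$tmp" 2>/dev/null || true   # group may not exist on a dev box
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out_file"
}

# bundle_ok FILE
# Checks the bundle before the broker is told to reload: exactly one private
# key, at least two certificates (leaf + intermediate), and no permission bits
# for "other". Returns 1 on any failure.
bundle_ok() {
    f=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    [ "$keys" -eq 1 ] || return 1
    [ "$certs" -ge 2 ] || return 1
    case $(ls -l "$f" | cut -c8-10) in
        ---) return 0 ;;
        *)   echo "$f is readable by other users" >&2; return 1 ;;
    esac
}

# deploy_hook
# Intended for certbot's --deploy-hook (which exports RENEWED_LINEAGE), or to
# be run by hand after "letsencrypt certonly". The broker must re-read the
# files afterwards: reload, or restart for versions that do not reload
# certificates on SIGHUP.
deploy_hook() {
    lineage=${RENEWED_LINEAGE:-/etc/letsencrypt/live/yourdomain}
    out=/etc/mosquitto/certs/keyfile.pem
    build_bundle "$lineage" "$out"
    bundle_ok "$out"
    systemctl reload mosquitto || systemctl restart mosquitto
}

# check_broker HOST PORT CAFILE
# Verifies the listener's chain with openssl rather than mosquitto_sub;
# -verify_return_error turns a verification failure into a non-zero exit
# instead of a line buried in the output.
check_broker() {
    host=$1; port=$2; cafile=$3
    [ -r "$cafile" ] || { echo "CA file $cafile not readable" >&2; return 1; }
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# sub_tls HOST PORT CAFILE [TOPIC]
# mosquitto_sub only speaks TLS when given a CA; this wrapper refuses to run
# without a readable one so a typo cannot drop you to a plaintext connection.
# --insecure is deliberately absent: it would skip hostname verification.
sub_tls() {
    host=$1; port=$2; cafile=$3; topic=${4:-'#'}
    [ -r "$cafile" ] || { echo "refusing plaintext MQTT: $cafile not readable" >&2; return 1; }
    mosquitto_sub -v -h "$host" -p "$port" -t "$topic" --cafile "$cafile"
}

# Usage: ./mqtt-tls.sh frcv.net 4886 [/etc/ssl/cert.pem]
if [ "$#" -ge 2 ]; then
    ca=${3:-/etc/ssl/cert.pem}
    check_broker "$1" "$2" "$ca" && sub_tls "$1" "$2" "$ca"
fi
```

Run `deploy_hook` from the renewal (the deploy hook, or a cron entry right after `letsencrypt certonly`) and point the mosquitto `keyfile` line at the bundle path rather than at live/. Running the script with a host and port first checks the chain with openssl and only then starts `mosquitto_sub`, so a broken chain or a missing CA file fails loudly instead of quietly connecting without TLS.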