Translation: How to install and secure the Mosquitto MQTT messaging broker on Ubuntu 16.04

Source: Internet
Author: User
Tags: free, ssl, password protection, certbot, letsencrypt

Original address: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04

Introduction

MQTT is a machine-to-machine messaging protocol designed for lightweight publish/subscribe communication between IoT devices. It is widely used in vehicle location tracking, home automation, environmental sensor networks and utility-scale data collection.

Mosquitto is a popular MQTT server (called a broker in MQTT terminology) with strong community support that is easy to install and configure.

In this tutorial we will install Mosquitto, obtain an SSL certificate from Let's Encrypt, and set up our broker to use password authentication and SSL so that MQTT communication is secured.

Pre-conditions

Before you start this tutorial, you need to:

    • An Ubuntu 16.04 server with a non-root sudo user and a basic firewall configured; refer to the Ubuntu 16.04 initial server setup tutorial.
    • A domain name pointed at your server; refer to the guide on setting up a hostname with DigitalOcean. This tutorial uses mqtt.example.com throughout.
Step 1 Install Mosquitto

Ubuntu 16.04's default repositories carry a fairly recent version of Mosquitto. Log in as your non-root user and install Mosquitto with apt-get.

sudo apt-get install mosquitto mosquitto-clients

By default, Ubuntu starts the Mosquitto service after installation. Let's test the default configuration first. We'll use one of the Mosquitto clients to subscribe to a topic on the broker we just installed.

Topics are labels that you publish messages to and subscribe to. They are arranged as a hierarchy, for example sensors/outside/temp or sensors/outside/humidity. How you arrange topics is up to you. Throughout this tutorial we'll use a simple topic called test to check our configuration changes.

Open a second terminal window to the server so that you have two terminals side by side. In the new terminal, use mosquitto_sub to subscribe to the test topic:

mosquitto_sub -h localhost -t test

-h specifies the hostname of the MQTT server and -t specifies the topic name. You'll see no output after pressing ENTER because mosquitto_sub is waiting for messages to arrive. Switch back to your other terminal and publish a message:

mosquitto_pub -h localhost -t test -m "hello world"

The options for mosquitto_pub are the same as for mosquitto_sub, except that this time we use the additional -m option to specify the message content. Press ENTER and you should see hello world appear in the other terminal. You've just sent your first MQTT message.

In the second terminal, press CTRL+C to exit mosquitto_sub, but keep the connection to the server open. We'll use it again in Step 5.

Next, we'll secure our Mosquitto installation with SSL using Certbot, the new Let's Encrypt client.

Step 2 Install Certbot to obtain a Let's Encrypt certificate

Let's Encrypt is a service that issues free SSL certificates through an automated API. Many clients can talk to this API. Ubuntu's default repositories include the official client, but it is somewhat out of date and lacks a feature we need.

Instead, we'll install the official client from an Ubuntu PPA (Personal Package Archive). PPAs are alternative repositories that package more recent or more niche software. First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You'll need to press ENTER to accept. Next, update the package list to pick up the package information from the new repository.

sudo apt-get update

Finally, install Let's Encrypt's official client, called certbot.

sudo apt-get install certbot

With certbot installed, we'll run it to obtain the certificate we need.

Step 3 Run Certbot

certbot must answer a challenge issued by the Let's Encrypt API to prove that we control the domain name. It does this over port 80 (HTTP) and/or port 443 (HTTPS). We'll only use port 80, so we need to allow incoming traffic on that port now.

sudo ufw allow http

Output:
Rule added

Now we can run Certbot to get our certificate. The --standalone option tells Certbot to handle the HTTP challenge request on its own, and --standalone-supported-challenges http-01 limits the communication to port 80. -d specifies the domain name to obtain a certificate for, and certonly tells Certbot to just retrieve the certificate without performing any additional configuration steps.

sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d mqtt.example.com

When you run the command, you'll be prompted to enter an email address and agree to the terms of service. After that, you should see a message saying the process was successful and telling you where your certificates are stored.

We've got our certificates. Now we need to make sure Certbot renews them automatically when they are about to expire.

Step 4 Create an automatic update policy for Certbot

Let's Encrypt certificates are valid for only 90 days. This is meant to encourage users to automate their certificate renewal process. We'll set up a regularly run command that checks for expiring certificates and renews them automatically.

To run the renewal check daily, we'll use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo crontab -e

You'll be asked to select a text editor. Choose the one you prefer, and you'll be presented with the default crontab, which contains some help text. Add the following line at the end of the file, then save and close it.

15 3 * * * certbot renew --noninteractive --post-hook "systemctl restart mosquitto"

The 15 3 * * * part of this line means "run the following command at 3:15 am, every day". Certbot's renew command checks all certificates installed on the system and renews any that will expire in less than 30 days. --noninteractive tells Certbot not to wait for user input.

--post-hook "systemctl restart mosquitto" restarts Mosquitto so that it picks up the new certificate, but only if a certificate was actually renewed. This post-hook feature is missing from the older Let's Encrypt client, which is why we installed it from the PPA rather than the default Ubuntu repositories. Without it we would have to restart Mosquitto every day, even when no certificate was renewed.

Although MQTT clients should be written to reconnect automatically, it is wise to avoid interrupting them on a daily basis.

Now that automatic certificate renewal is set up, we'll go back to configuring Mosquitto to make it more secure.

Step 5 Configure MQTT passwords

Next, configure Mosquitto to use passwords. Mosquitto includes a utility called mosquitto_passwd that generates a special password file. This command prompts you to enter a password for the specified username and saves the result in /etc/mosquitto/passwd.

sudo mosquitto_passwd -c /etc/mosquitto/passwd sammy

Now open a new configuration file for Mosquitto and tell it to use this password file to require a login for all connections.

sudo nano /etc/mosquitto/conf.d/default.conf

The command above opens an empty configuration file. Paste in the following:

allow_anonymous false
password_file /etc/mosquitto/passwd

allow_anonymous false disables all unauthenticated connections, and the password_file line tells Mosquitto where to look for user and password information. Save and exit the file.

Next, restart Mosquitto and test the changes.

sudo systemctl restart mosquitto

Try to publish a message without a password:

mosquitto_pub -h localhost -t "test" -m "hello world"

The message should be rejected:

Output:
Connection Refused: not authorised.
Error: The connection was refused.

Before trying again with a password, switch to your other terminal and subscribe to the test topic, this time with the username and password:

mosquitto_sub -h localhost -t test -u "sammy" -P "password"

The connection is established and the client sits waiting for messages. Keep this terminal open, because we'll periodically send test messages to it.

Now publish the message again from the other terminal, using the username and password:

mosquitto_pub -h localhost -t "test" -m "hello world" -u "sammy" -P "password"

The message goes through just as in Step 1. We've successfully added password protection to Mosquitto. Unfortunately, the password was sent unencrypted. We'll fix that next by adding SSL encryption.

Step 6 Configure SSL for MQTT

To enable SSL encryption, we need to tell Mosquitto where our certificates are stored. Open the configuration file we started earlier:

sudo nano /etc/mosquitto/conf.d/default.conf

Paste the following lines at the end of the file, keeping the two lines we already added:

listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

We've added two separate listener blocks to the configuration. The first, listener 1883 localhost, updates the default MQTT listener on port 1883, which is the one we've been connecting to so far. 1883 is the standard unencrypted MQTT port. The localhost part of the line tells Mosquitto to bind this port to the localhost interface only, so it cannot be reached from outside. External requests would have been blocked by our firewall anyway, but it is good to be explicit.

listener 8883 sets up an encrypted listener on port 8883. This is the standard port for MQTT over SSL, often referred to as MQTTS. The next three lines, certfile, cafile and keyfile, point Mosquitto to the Let's Encrypt files it needs to set up encrypted connections.

Save and exit the file and restart Mosquitto to update the configuration:

sudo systemctl restart mosquitto

Update the firewall to allow connections to port 8883.

sudo ufw allow 8883

Now test again with mosquitto_pub, this time with a few SSL-specific options:

mosquitto_pub -h mqtt.example.com -t test -m "hello again" -p 8883 --capath /etc/ssl/certs/ -u "sammy" -P "password"

Note that we use the full hostname this time instead of localhost. Because the SSL certificate was issued for mqtt.example.com, attempting a secure connection to localhost gives an error saying that the hostname does not match the certificate's hostname, even though both names point to the same Mosquitto server.

--capath /etc/ssl/certs/ enables SSL in mosquitto_pub and tells it where to look for root certificates. These are installed by the operating system, so the path differs on macOS, Windows and other systems. mosquitto_pub uses the root certificates to verify that the Mosquitto server's certificate was properly signed by the Let's Encrypt certificate authority. It is important to note that without this option (or the similar --cafile option) mosquitto_pub and mosquitto_sub will not attempt an SSL connection at all, even when connecting to the standard secure port 8883.

If the test goes well, you'll see hello again appear in the mosquitto_sub terminal. That means the server is fully set up! If you'd like to extend the MQTT protocol to work over WebSockets, continue to the final step.

Step 7 Configure MQTT over WebSockets (optional)

To speak MQTT from JavaScript in a web browser, the protocol was adapted to work over standard WebSockets. If you don't need this functionality, you can skip this step.

We need to add one more listener block to the configuration file:

sudo nano /etc/mosquitto/conf.d/default.conf

At the end of the file, add the following:

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

This is mostly the same as the previous block, except for the port number and the protocol websockets line. There is no official standard port for MQTT over WebSockets, but 8083 is the most common.
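The three configuration fragments from Steps 5, 6 and 7 together decide which listeners are exposed in plaintext. The following added example (my own code, not part of the original tutorial) parses a reconstructed default.conf and flags any listener that is not encrypted and not bound to localhost, or any configuration that still accepts anonymous clients; the sample config is constructed to match the tutorial and the helper names are assumed.

```python
# Added example (not from the tutorial): audits the default.conf built in Steps 5-7
# and reports listeners that accept plaintext or anonymous connections from outside
# the host. Sample config is constructed to match the tutorial; names are my own.
SAMPLE_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
"""
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def parse_conf(text):
    """Split into global settings and listeners (keys after a 'listener' line belong to it)."""
    glob, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener":
            port, *bind = value.split()
            current = {"port": int(port), "bind": bind[0] if bind else None}
            listeners.append(current)
        elif current is None:
            glob[key] = value
        else:
            current[key] = value
    return glob, listeners

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    glob, listeners = parse_conf(text)
    findings = []
    if glob.get("allow_anonymous", "true") != "false":  # Mosquitto 1.x default is true
        findings.append("allow_anonymous is not false")
    elif "password_file" not in glob:
        findings.append("allow_anonymous false but no password_file set")
    for lst in listeners:
        encrypted = "certfile" in lst and "keyfile" in lst
        if not encrypted and lst["bind"] not in LOCAL_ONLY:
            findings.append(f"listener {lst['port']} is plaintext and externally reachable")
    return findings
```

Removing the localhost bind from the 1883 listener (the state the broker was in after Step 5) produces a finding for that port, while the full Step 6 and 7 configuration passes cleanly.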

Save and exit the file, and then restart Mosquitto.

sudo systemctl restart mosquitto

Next, open port 8083 on the firewall.

sudo ufw allow 8083

To test this functionality, we'll use a public, browser-based MQTT client. There are several, but mqtt-admin is simple and straightforward. Open mqtt-admin in your browser and you'll see a Settings window.

Fill in the following connection information:

    • Protocol: select wss (WebSocket Secure).
    • Host: enter the domain name of your Mosquitto server.
    • Port: enter 8083.
    • User: enter your Mosquitto username.
    • Password: enter the password you set.
    • ClientId: leave the default value.

After you click Save Settings, mqtt-admin connects to your Mosquitto server. Next, enter test as the Topic, enter any message as the Payload, and click Publish. The message will appear in the mosquitto_sub terminal.

Conclusion

We've now set up a secure, password-protected MQTT server with automatically renewing SSL certificates from the Let's Encrypt service. This provides a robust and secure messaging platform for any future project. Some popular software and hardware that work well with the MQTT protocol include:

    • OwnTracks is an open source geo-tracking app. OwnTracks periodically reports location information to the server. You can then store and display this information on a map, create alerts, or activate IoT devices based on location.
    • Node-RED is a browser-based graphical interface for wiring together IoT devices. You connect the output of one node to the input of another, and can route information through filters, between different protocols, into databases, and so on.
    • The ESP8266 is an inexpensive WiFi microcontroller with MQTT capabilities. You could use it to publish temperature readings to a topic, or subscribe to a barometric pressure topic and sound a buzzer when a storm is coming.

These are just a few well-known examples from the MQTT ecosystem. Much more hardware and software speaks this protocol. If you already have a favorite hardware platform or programming language, it probably has MQTT support. Have fun getting your "things" talking to each other.
