ACL With MQTT Broker 4.1 Hass.io

Installed the new MQTT 4.1 Addon for Hass.io

I have a Home Assistant User called mqttuser created. This is used in all my devices for MQTT authentication with the broker.

Because of this, I have ALL MQTT broker settings as default (no local user or password). All ports are as per default.

Broker Config:

{
  "logins": [],
  "anonymous": false,
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

This works perfectly.

If I enable the ACL by setting

"active":true,

Nothing works. I get connection errors in the Tasmota Console as well.

I have created a mosquitto folder:
[screenshots of the folder omitted]

accesscontrollist file has:

topic readwrite #

acl.conf has:

acl_file /share/mosquitto/accesscontrollist

I get console full of:

[INFO] Setup mosquitto configuration
[WARN] SSL not enabled - No valid certs found!
[INFO] No local user available
[INFO] Initialize Hass.io Add-on services
[INFO] Initialize Home Assistant discovery
[INFO] Start Mosquitto daemon
1552446167: mosquitto version 1.5.6 starting
1552446167: Config loaded from /etc/mosquitto.conf.
1552446167: |-- *** auth-plug: startup
1552446167: |-- ** Configured order: http

1552446167: |-- with_tls=false
1552446167: |-- getuser_uri=/login
1552446167: |-- superuser_uri=/superuser
1552446167: |-- aclcheck_uri=/acl
1552446167: |-- getuser_params=(null)
1552446167: |-- superuser_params=(null)
1552446167: |-- aclcheck_params=(null)
1552446167: |-- retry_count=3
1552446167: Opening ipv4 listen socket on port 1883.
1552446167: Opening ipv6 listen socket on port 1883.
1552446167: Opening websockets listen socket on port 1884.
1552446167: Warning: Mosquitto should not be run as root/administrator.
1552446169: New connection from 172.30.32.1 on port 1883.
1552446170: Socket error on client <unknown>, disconnecting.
1552446170: New connection from 172.30.32.1 on port 1883.
1552446170: |-- mosquitto_auth_unpwd_check(homeassistant)
1552446170: |-- ** checking backend http
1552446170: |-- url=http://127.0.0.1:8080/login
1552446170: |-- data=username=homeassistant&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found homeassistant on local database
1552446170: |-- getuser(homeassistant) AUTHENTICATED=1 by http
1552446170: Socket error on client <unknown>, disconnecting.
1552446170: New connection from 172.30.32.1 on port 1883.
1552446172: Socket error on client <unknown>, disconnecting.
1552446172: New connection from 172.30.32.1 on port 1883.
1552446172: |-- mosquitto_auth_unpwd_check(homeassistant)
1552446172: |-- ** checking backend http
1552446172: |-- url=http://127.0.0.1:8080/login
1552446172: |-- data=username=homeassistant&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found homeassistant on local database
1552446172: |-- getuser(homeassistant) AUTHENTICATED=1 by http
1552446172: Socket error on client <unknown>, disconnecting.
1552446172: New connection from 172.30.32.1 on port 1883.

and in Tasmota Console:

14:02:44 MQT: Attempting connection...
14:02:44 MQT: Connect failed to 10.90.11.100:1883, rc -2. Retry in 10 sec
14:02:55 MQT: Attempting connection...
14:03:10 MQT: Connect failed to 10.90.11.100:1883, rc -4. Retry in 10 sec
14:03:21 MQT: Attempting connection...
14:03:36 MQT: Connect failed to 10.90.11.100:1883, rc -4. Retry in 10 sec
14:03:47 MQT: Attempting connection...
14:04:02 MQT: Connect failed to 10.90.11.100:1883, rc -4. Retry in 10 sec
14:04:13 MQT: Attempting connection...
14:04:28 MQT: Connect failed to 10.90.11.100:1883, rc -4. Retry in 10 sec

If I set active:false and restart the broker all is good again (as in it works):

1552446376: New connection from 10.90.11.50 on port 1883.
1552446376: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446376: |-- ** checking backend http
1552446376: |-- url=http://127.0.0.1:8080/login
1552446376: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found mqttuser on Home Assistant
1552446376: New client connected from 10.90.11.50 as DVES_4E6C26 (c1, k10, u'mqttuser').
1552446376: |-- getuser(mqttuser) AUTHENTICATED=1 by http
1552446376: New connection from 10.90.11.55 on port 1883.
1552446376: New connection from 10.90.11.35 on port 1883.
1552446376: New connection from 10.90.11.22 on port 1883.
1552446376: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446376: |-- ** checking backend http
1552446376: |-- url=http://127.0.0.1:8080/login
1552446376: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found mqttuser on Home Assistant
1552446377: |-- getuser(mqttuser) AUTHENTICATED=1 by http
1552446377: New client connected from 10.90.11.55 as DVES_684D92 (c1, k10, u'mqttuser').
1552446377: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446377: |-- ** checking backend http
1552446377: |-- url=http://127.0.0.1:8080/login
1552446377: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found mqttuser on Home Assistant
1552446377: |-- getuser(mqttuser) AUTHENTICATED=1 by http
1552446377: New client connected from 10.90.11.35 as DVES_A84353 (c1, k10, u'mqttuser').
1552446377: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446377: |-- ** checking backend http
1552446377: |-- url=http://127.0.0.1:8080/login
1552446377: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=

and Tasmota Console:

14:06:16 MQT: Attempting connection...
14:06:19 MQT: Connected
14:06:19 MQT: sonoff1/tele/LWT = Online (retained)
14:06:19 MQT: sonoff1/cmnd/POWER = 

I am at a loss to see what I am screwing up here…

I also then seem to get a bunch of these:

1552446567: |-- mosquitto_auth_acl_check(..., client id not available, mqttuser, sonoff5/tele/STATE, MOSQ_ACL_WRITE)
1552446567: |-- url=http://127.0.0.1:8080/superuser
1552446567: |-- data=username=mqttuser&password=&topic=&acc=-1&clientid=
1552446567: |-- aclcheck(mqttuser, sonoff5/tele/STATE, 2) SUPERUSER=Y by http
1552446567: |--  Cached  [0B6B01CD888B7F05AB8D45DA9A4E2EA676E24E0E] for (client id not available,mqttuser,2)
1552446567: |-- mosquitto_auth_acl_check(..., client id not available, homeassistant, sonoff5/tele/STATE, MOSQ_ACL_READ)
1552446567: |-- url=http://127.0.0.1:8080/superuser
1552446567: |-- data=username=homeassistant&password=&topic=&acc=-1&clientid=
1552446567: |-- aclcheck(homeassistant, sonoff5/tele/STATE, 1) SUPERUSER=Y by http
1552446567: |--  Cached  [71909FD47F0DB2F132E966447ACFB988D38AC292] for (client id not available,homeassistant,1)
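The two broker logs in this post differ in one telling way: with the ACL active, every `getuser(homeassistant) AUTHENTICATED=1` line is followed by a `Socket error ... disconnecting` and the log never reaches `New client connected`, while in the working log each authenticated `mqttuser` login does reach `New client connected`. The following Python script is an added example (not part of the add-on or of Mosquitto) that counts those events per username and turns the combination into a verdict, so a reader can tell "authentication failed" apart from "authenticated, then dropped at a later stage". It also masks the password that auth-plug's `data=` lines carry in clear text, since later posts in this thread paste them unredacted. The two sample logs are trimmed copies of the ones above.

```python
"""Triage helper for the Mosquitto/auth-plug add-on log (added example, not
part of the add-on).  Per username it counts logins authenticated by the
http backend and sessions that reached 'New client connected', counts
dropped sockets, and summarises what the combination points at.  It also
redacts the clear-text password in auth-plug 'data=' lines."""
import re
from collections import defaultdict

AUTH_RE = re.compile(r"getuser\((?P<user>[^)]+)\) AUTHENTICATED=(?P<ok>\d)")
CONNECTED_RE = re.compile(
    r"New client connected from \S+ as (?P<cid>\S+) \(.*u'(?P<user>[^']*)'\)")
SOCKET_ERR_RE = re.compile(r"Socket error on client")
PASSWORD_RE = re.compile(r"(password=)[^&]*")

VERDICT_DROPPED_AFTER_AUTH = ("authenticated but never reached 'New client connected': "
                              "the failure is after authentication, e.g. at the ACL stage")
VERDICT_OK = "sessions established"
VERDICT_NO_AUTH = "no successful authentication seen"


def redact(line: str) -> str:
    """Mask the password in an auth-plug 'data=username=...&password=...' line."""
    return PASSWORD_RE.sub(r"\1***redacted***", line)


def summarise(log: str) -> dict:
    """Count authenticated logins and established sessions per user, plus socket errors."""
    users = defaultdict(lambda: {"authenticated": 0, "connected": 0})
    socket_errors = 0
    for line in log.splitlines():
        if m := AUTH_RE.search(line):
            if m["ok"] == "1":
                users[m["user"]]["authenticated"] += 1
        elif m := CONNECTED_RE.search(line):
            users[m["user"]]["connected"] += 1
        elif SOCKET_ERR_RE.search(line):
            socket_errors += 1
    return {"users": dict(users), "socket_errors": socket_errors}


def diagnose(summary: dict) -> dict:
    """Map each user's counters to a short verdict."""
    verdicts = {}
    for user, s in summary["users"].items():
        if s["connected"]:
            verdicts[user] = VERDICT_OK
        elif s["authenticated"] and summary["socket_errors"]:
            verdicts[user] = VERDICT_DROPPED_AFTER_AUTH
        else:
            verdicts[user] = VERDICT_NO_AUTH
    return verdicts


# Trimmed copies of the two logs posted above (ACL active, then ACL off).
FAILING_LOG = """\
1552446169: New connection from 172.30.32.1 on port 1883.
1552446170: Socket error on client <unknown>, disconnecting.
1552446170: New connection from 172.30.32.1 on port 1883.
1552446170: |-- mosquitto_auth_unpwd_check(homeassistant)
1552446170: |-- data=username=homeassistant&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found homeassistant on local database
1552446170: |-- getuser(homeassistant) AUTHENTICATED=1 by http
1552446170: Socket error on client <unknown>, disconnecting.
1552446170: New connection from 172.30.32.1 on port 1883.
1552446172: Socket error on client <unknown>, disconnecting.
1552446172: New connection from 172.30.32.1 on port 1883.
1552446172: |-- mosquitto_auth_unpwd_check(homeassistant)
1552446172: |-- data=username=homeassistant&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found homeassistant on local database
1552446172: |-- getuser(homeassistant) AUTHENTICATED=1 by http
1552446172: Socket error on client <unknown>, disconnecting.
"""

WORKING_LOG = """\
1552446376: New connection from 10.90.11.50 on port 1883.
1552446376: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446376: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found mqttuser on Home Assistant
1552446376: New client connected from 10.90.11.50 as DVES_4E6C26 (c1, k10, u'mqttuser').
1552446376: |-- getuser(mqttuser) AUTHENTICATED=1 by http
1552446376: New connection from 10.90.11.55 on port 1883.
1552446376: |-- mosquitto_auth_unpwd_check(mqttuser)
1552446376: |-- data=username=mqttuser&password=***redacted***&topic=&acc=-1&clientid=
[INFO] found mqttuser on Home Assistant
1552446377: |-- getuser(mqttuser) AUTHENTICATED=1 by http
1552446377: New client connected from 10.90.11.55 as DVES_684D92 (c1, k10, u'mqttuser').
"""

if __name__ == "__main__":
    for name, log in (("ACL active", FAILING_LOG), ("ACL off", WORKING_LOG)):
        summary = summarise(log)
        print(name, summary, diagnose(summary))
```

Run it on a full add-on log after pasting it into a file; a user that is authenticated repeatedly but never connected, alongside socket errors, is the pattern this thread is about.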

I have my similar setup working with the 4.1 broker now.
But my "accesscontrollist" is a bit different from yours.

user hassuser1
topic #

"hassuser1" is the user name for the Tasmota and Hass MQTT logins. Try with your user name "mqttuser".

Hope it helps

so I tried that but user topic readwrite #
I’ll try yours…

yeah nah didn’t help at all. Same

I missed the part where you said you don't use a user name and password for Hass's MQTT login/setup.
I do.
I think that might be it.

Well I use a Home Assistant user, not a local user.
Do you have anonymous true or false?

When I set active true, I can’t control the switches either as they won’t connect to the broker.

@pvizeli any chance you can comment on this issue?

My Mqtt config,

{
  "logins": [
    {
      "username": "hassuser1",
      "password": "myPWmqttmyPW"
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

It would seem odd that the ACL will only work with a local user and not a Home Assistant User…

I have this problem as well. I found it strange that in usr/share/ I did not find a 'hassio' directory and had to create that and the mosquitto directory. My content of 'accesscontrollist' was as suggested on the mosquitto broker page, so I changed it as suggested above. That did not fix it.

mosquitto's log:
1553357063: |-- ** checking backend http
1553357063: |-- url=http://127.0.0.1:8080/login
1553357063: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357064: |-- getuser(has) AUTHENTICATED=1 by http
1553357064: Socket error on client , disconnecting.
1553357064: |-- mosquitto_auth_unpwd_check(has)
1553357064: |-- ** checking backend http
1553357064: |-- url=http://127.0.0.1:8080/login
1553357064: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
1553357064: New connection from 10.0.0.233 on port 1883.
[INFO] found has on local database
1553357066: |-- getuser(has) AUTHENTICATED=1 by http
1553357066: Socket error on client , disconnecting.
1553357078: New connection from 10.0.0.100 on port 1883.
1553357078: |-- mosquitto_auth_unpwd_check(has)
1553357078: |-- ** checking backend http
1553357078: |-- url=http://127.0.0.1:8080/login
1553357078: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357079: |-- getuser(has) AUTHENTICATED=1 by http
1553357079: Socket error on client , disconnecting.
1553357082: New connection from 10.0.0.189 on port 1883.
1553357082: |-- mosquitto_auth_unpwd_check(has)
1553357082: |-- ** checking backend http
1553357082: |-- url=http://127.0.0.1:8080/login
1553357082: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357083: |-- getuser(has) AUTHENTICATED=1 by http
1553357083: Socket error on client , disconnecting.
1553357084: New connection from 10.0.0.112 on port 1883.
1553357084: |-- mosquitto_auth_unpwd_check(has)
1553357084: |-- ** checking backend http
1553357084: |-- url=http://127.0.0.1:8080/login
1553357084: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357085: |-- getuser(has) AUTHENTICATED=1 by http
1553357085: Socket error on client , disconnecting.
1553357085: New connection from 10.0.0.223 on port 1883.
1553357085: New connection from 10.0.0.214 on port 1883.
1553357085: |-- mosquitto_auth_unpwd_check(has)
1553357085: |-- ** checking backend http
1553357085: |-- url=http://127.0.0.1:8080/login
1553357085: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357087: Socket error on client , disconnecting.
1553357087: |-- getuser(has) AUTHENTICATED=1 by http
1553357087: |-- mosquitto_auth_unpwd_check(has)
1553357087: |-- ** checking backend http
1553357087: |-- url=http://127.0.0.1:8080/login
1553357087: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357088: |-- getuser(has) AUTHENTICATED=1 by http
1553357088: Socket error on client , disconnecting.
1553357088: New connection from 10.0.0.112 on port 1883.
1553357088: New connection from 10.0.0.224 on port 1883.
1553357088: |-- mosquitto_auth_unpwd_check(has)
1553357088: |-- ** checking backend http
1553357088: |-- url=http://127.0.0.1:8080/login
1553357088: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357089: |-- getuser(has) AUTHENTICATED=1 by http
1553357089: Socket error on client , disconnecting.
1553357089: New connection from 10.0.0.208 on port 1883.
1553357089: |-- mosquitto_auth_unpwd_check(has)
1553357089: |-- ** checking backend http
1553357089: |-- url=http://127.0.0.1:8080/login
1553357089: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357090: |-- getuser(has) AUTHENTICATED=1 by http
1553357090: Socket error on client , disconnecting.
1553357090: New connection from 10.0.0.233 on port 1883.
1553357090: |-- mosquitto_auth_unpwd_check(has)
1553357090: |-- ** checking backend http
1553357090: |-- url=http://127.0.0.1:8080/login
1553357090: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357091: |-- getuser(has) AUTHENTICATED=1 by http
1553357091: Socket error on client , disconnecting.
1553357095: New connection from 10.0.0.100 on port 1883.
1553357095: |-- mosquitto_auth_unpwd_check(has)
1553357095: |-- ** checking backend http
1553357095: |-- url=http://127.0.0.1:8080/login
1553357095: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357096: |-- getuser(has) AUTHENTICATED=1 by http
1553357096: Socket error on client , disconnecting.
1553357108: New connection from 10.0.0.189 on port 1883.
1553357108: |-- mosquitto_auth_unpwd_check(has)
1553357108: |-- ** checking backend http

Sorry, I think my first attempt to insert my mosquitto log excerpt was not done right. I still need any help I can get on this (most of my automation is with MQTT, so I am very down at this time). Any help greatly appreciated, Doug

I’m not sure this will help, or is relevant.

However I rebooted My (working 4.1 broker) Hass system a few days ago and had similar issue. And I remember my logs had the same messages.

I tried a few things. What I think worked was to temporarily change the MQTT config. I changed the line

"active": true,

to

"active": false,

Restarted the broker. Let it run with errors for a minute or two. Then changed it back, and restarted the broker again.
Then automagically it was working. /shrug

Worth a try.

I found out yesterday that if you add homeassistant to the acl file (with permissions) that it works now with active: true.
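The ACL files posted in this thread grant topics to one device user (`hassuser1`, `airoguard`) or to nobody in particular, and the add-on's own broker log shows it logging in as `homeassistant`. The following Python model is an added example (not the add-on's or Mosquitto's code); it implements the rules the `mosquitto.conf` documentation gives for `acl_file` (topic lines before any `user` line apply to anonymous clients only, each `user` line opens a per-user section, `pattern` lines apply to everyone with `%u`/`%c` substituted, `#` and `+` never match `$SYS` topics) and evaluates the files from this thread against the users seen in the logs. The fourth file, with a `homeassistant` section, is constructed here following the suggestion just above; the add-on runs an auth plugin in front of the broker (visible in the logs), so read the results as an explanation of the file syntax rather than a reproduction of the add-on's exact decision path.

```python
"""Model of Mosquitto's acl_file rules (added example; not the add-on's or
Mosquitto's own code).  Rules follow the mosquitto.conf documentation:
  * 'topic' lines before any 'user' line apply to anonymous clients only
  * 'user <name>' opens a section whose 'topic' lines apply to that user
  * 'pattern' lines apply to every client; %u -> username, %c -> client id
  * the access word is optional and defaults to readwrite
  * the wildcards '#' and '+' never match topics starting with '$'
Only read/write/readwrite are modelled; the 'deny' access type is left out.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

READ, WRITE = "read", "write"


@dataclass
class AclRule:
    access: str                 # "read", "write" or "readwrite"
    topic: str                  # topic filter, may use + and #
    user: Optional[str] = None  # None = anonymous section
    pattern: bool = False       # True for 'pattern' lines


def parse_acl(text: str) -> list[AclRule]:
    rules, current_user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments; '#' elsewhere is a wildcard
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current_user = parts[1]
        elif parts[0] in ("topic", "pattern") and len(parts) in (2, 3):
            access, topic = (parts[1], parts[2]) if len(parts) == 3 else ("readwrite", parts[1])
            if access not in ("read", "write", "readwrite"):
                raise ValueError(f"unsupported access type in: {raw!r}")
            is_pattern = parts[0] == "pattern"
            rules.append(AclRule(access, topic, None if is_pattern else current_user, is_pattern))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return rules


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT subscription-style matching of a filter against a concrete topic."""
    if topic.startswith("$") and filt[:1] in ("#", "+"):
        return False
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def acl_allows(rules: list[AclRule], username, client_id, topic: str, access: str) -> bool:
    """True if any rule applicable to this client grants `access` (READ or WRITE) on `topic`."""
    for rule in rules:
        if rule.pattern:
            if username is None and "%u" in rule.topic:
                continue                      # nothing to substitute for an anonymous client
            filt = rule.topic.replace("%u", username or "").replace("%c", client_id or "")
        elif rule.user == username:
            filt = rule.topic
        else:
            continue
        if access in rule.access and topic_matches(filt, topic):   # "readwrite" contains both words
            return True
    return False


# ACL files as posted in this thread.
ACL_FIRST_POST = "topic readwrite #\n"
ACL_HASSUSER1 = "user hassuser1\ntopic #\n"
ACL_AIROGUARD = """\
# General Section
topic read $SYS/#
# User Section
user airoguard
topic readwrite stat/sonoff_1/RESULT
topic readwrite cmnd/sonoff_1/POWER1
topic readwrite tele/sonoff_1/LWT
"""
# Constructed file (assumption, not from the thread): the device user AND the
# add-on's own 'homeassistant' login each get a section.
ACL_WITH_HOMEASSISTANT = "user mqttuser\ntopic readwrite #\nuser homeassistant\ntopic readwrite #\n"


def evaluate_thread_acls() -> dict[str, dict[str, bool]]:
    """Evaluate each posted file for the clients seen in the thread's logs."""
    files = {"first post": ACL_FIRST_POST, "hassuser1": ACL_HASSUSER1,
             "airoguard": ACL_AIROGUARD, "with homeassistant": ACL_WITH_HOMEASSISTANT}
    checks = [  # (label, username, client id, topic, access): devices publish, HA subscribes
        ("anonymous writes sonoff1/tele/LWT", None, "DVES_4E6C26", "sonoff1/tele/LWT", WRITE),
        ("mqttuser writes sonoff1/tele/LWT", "mqttuser", "DVES_4E6C26", "sonoff1/tele/LWT", WRITE),
        ("homeassistant reads sonoff1/tele/LWT", "homeassistant", "ha", "sonoff1/tele/LWT", READ),
        ("airoguard writes tele/sonoff_1/LWT", "airoguard", "DVES_51CD30", "tele/sonoff_1/LWT", WRITE),
        ("homeassistant reads tele/sonoff_1/LWT", "homeassistant", "ha", "tele/sonoff_1/LWT", READ),
    ]
    return {name: {label: acl_allows(parse_acl(text), u, c, t, a) for label, u, c, t, a in checks}
            for name, text in files.items()}


if __name__ == "__main__":
    for name, results in evaluate_thread_acls().items():
        print(f"--- {name}")
        for label, ok in results.items():
            print(f"  {'allow' if ok else 'DENY '} {label}")
```

The point the output makes: a bare `topic readwrite #` reaches only anonymous clients, and a `user` section for the device reaches only that device, so the `homeassistant` login the add-on uses is denied both its subscriptions and its publishes until it gets a section of its own.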

That sounds logical.
I haven't used it. However I'm going to.

Thanks for the info.

Same problem here. Encouraging to see people have it working.
So what are the magic steps?

I have the following setup:

configuration.yaml

    mqtt:
      broker: core-mosquitto
      username: !secret mqtt_username
      password: !secret mqtt_password
    # mqtt username and password are not hassio user credentials?

    switch:
      - platform: mqtt
        name: sonoff 1
        state_topic: "stat/sonoff_1/RESULT"
        command_topic: "cmnd/sonoff_1/POWER1"
        availability_topic: "tele/sonoff_1/LWT"
        qos: 1
        payload_on: "ON"
        payload_off: "OFF"
        payload_available: "Online"
        payload_not_available: "Offline"
        retain: true

accesscontrollist

    # General Section
    # topic readwrite #
    topic read $SYS/#
    # User Section
    user airoguard
    topic readwrite stat/sonoff_1/RESULT
    topic readwrite cmnd/sonoff_1/POWER1
    topic readwrite tele/sonoff_1/LWT
    # Client Section
    #pattern readwrite stat/sonoff_1/%u/#
    #pattern readwrite cmnd/sonoff_1/%u/#

mosquitto config

{
  "logins": [
    {
      "username": "airoguard",
      "password": "XXXXXX."
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

Sonoff basic config

Sonoff Basic Module
Sonoff1
MQTT parameters 
Host ()
192.168.0.17
Port (1883)
1883
Client (DVES_51CD30)
DVES_%06X
User (DVES_USER)
airoguard
Password
••••••••
Topic = %topic% (sonoff)
sonoff_1
Full Topic (%prefix%/%topic%/)
%prefix%/%topic%/
Sonoff-Tasmota 6.5.0 by Theo Arends

Result

sonoff 1 unavailable
?
Thanks
Rob

I also have the same problem, since I updated to mosquitto 4.1.
I have (basic) automations with zigbee2mqtt (cc2531) and a sonoff basic with tasmota 6.4.0.
Now I have no usernames/passwords and have only created a mosquitto folder within the share folder.

this is what i got:

add on config:

{
  "logins": [],
  "anonymous": true,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

log error:

553584991: New connection from 192.168.1.7 on port 1883.
1553584991: Socket error on client <unknown>, disconnecting.

sonoff yaml config:

switch:
  - platform: mqtt
    name: "sonoff garage"
    command_topic: "cmnd/sonoff/power"
    state_topic: "stat/sonoff/POWER"
    qos: 1
    payload_on: "ON"
    payload_off: "OFF"
    retain: true

mqtt yaml config:

mqtt:
  broker: core-mosquitto
  discovery: true

Getting the same issue here.
I found my answer on the Mosquitto addon page: addons/mosquitto/README.md at master · home-assistant/addons · GitHub

Since version 4.1 of the addon, an explicit ACL definition is now required, see these instructions.

Hope it will help :slight_smile:

I upgraded to 4.1 and have been trying to figure out how to correct my socket error problems and get back to lights working. Have read and tried everything on this forum with no luck. Pipo114 posted that he found the answer but didn’t tell us what the answer is. I have the following configuration. Any help would be appreciated.

Configuration.yaml

mqtt:
  broker: 127.0.0.1
  port: 1883
  client_id: budlyte
  username: xxxxxxx
  password: yyyyyy
  protocol: 3.1
  birth_message:
    topic: "tele/hass1/LWT"
    payload: "Online"
    qos: 1
    retain: true
  will_message:
    topic: "tele/hass1/LWT"
    payload: "Offline"
    qos: 1
    retain: true

Mqtt config

{
  "logins": [
    {
      "username": "xxxxxxx",
      "password": "yyyyyy"
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

accesscontrollist file
user xxxxxxx
topic readwrite #

acl.conf

acl_file /share/mosquitto/accesscontrollist

Thanks

Can someone do an "MQTT 4.1 for DUMMIES"? I followed the links in pipo114's post (-2), with no joy. I need someone to dumb it down…


I also had just the same, but now it is OK…

with:

1 -> user for MQTT -> example: mqtt-admin

Sonoff console:
00:03:21 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:03:32 MQT: Attempting connection…
00:03:47 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:03:57 MQT: Attempting connection…
00:04:12 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:04:23 MQT: Attempting connection…
00:04:38 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:04:49 MQT: Attempting connection…
00:05:04 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:05:15 MQT: Attempting connection…
00:05:15 MQT: Connect failed to 192.168.0.4:1883, rc -2. Retry in 10 sec
00:05:26 MQT: Attempting connection…
00:05:27 MQT: Connected
00:05:27 MQT: tele/sonoff/LWT = Online (retained)
00:05:27 MQT: cmnd/sonoff/POWER =
00:05:27 MQT: tele/sonoff/INFO1 = {"Module":"Sonoff Basic","Version":"6.5.0(basic)","FallbackTopic":"cmnd/DVES_F985F2_fb/","GroupTopic":"sonoffs"}
00:05:27 MQT: tele/sonoff/INFO2 = {"WebServerMode":"Admin","Hostname":"sonoff-1522","IPAddress":"192.168.0.137"}
00:05:27 MQT: tele/sonoff/INFO3 = {"RestartReason":"Software/System restart"}
00:05:27 MQT: stat/sonoff/RESULT = {"POWER":"OFF"}
00:05:27 MQT: stat/sonoff/POWER = OFF
00:05:36 MQT: tele/sonoff/STATE = {"Time":"1970-01-01T00:05:36","Uptime":"0T00:02:37","Vcc":3.226,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"LS-Home","BSSId":"C8:D1:2A:CB:B1:7C","Channel":11,"RSSI":96,"LinkCount":1,"Downtime":"0T00:00:04"}}
00:05:36 MQT: tele/sonoff/SENSOR = {"Time":"1970-01-01T00:05:36","Switch1":"ON"}
00:10:37 MQT: tele/sonoff/STATE = {"Time":"1970-01-01T00:10:36","Uptime":"0T00:07:37","Vcc":3.226,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"LS-Home","BSSId":"C8:D1:2A:CB:B1:7C","Channel":11,"RSSI":98,"LinkCount":1,"Downtime":"0T00:00:04"}}
00:10:37 MQT: tele/sonoff/SENSOR = {"Time":"1970-01-01T00:10:37","Switch1":"ON"}

Same issue here.
Latest HA/Hass.io/Mosquitto add-on.

Other stuff I found:

  • Home Assistant can connect to Mosquitto whether or not you set ACLs
  • the issue is connecting to the broker from outside: I have the issue with both MQTT.fx and the Happy Bubbles add-on, which can't connect to MQTT

In fact:

  • if ACLs are used, I can connect with MQTT.fx ONLY if I log in anonymously, with the proper flag set to true in the Mosquitto add-on
  • if ACLs are off, I can connect with MQTT.fx using the user/password credentials set in the ACLs

So far I didn't find any combination that lets the Happy Bubbles add-on connect to Mosquitto.