ACL With MQTT Broker 4.1 Hass.io

so I tried that but user topic readwrite #
I’ll try yours…

yeah nah didn’t help at all. Same

I missed the part where you said you don’t use a user name and password for Hass’s MQTT login/setup.
I do.
I think that might be it.

Well I use a Home Assistant user, not a local user.
Do you have anonymous true or false?

When I set active true, I can’t control the switches either as they won’t connect to the broker.

@pvizeli any chance you can comment on this issue?

My Mqtt config,

{
  "logins": [
    {
      "username": "hassuser1",
      "password": "myPWmqttmyPW"
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

It would seem odd that the ACL will only work with a local user and not a Home Assistant User…

I have this problem as well. I found it strange that in usr/share/ I did not find a ‘hassio’ directory and had to create that and the mosquitto directory. My content of ‘accesscontrollist’ was as suggested in the Mosquitto broker page, so I changed it as suggested above. That did not fix it.

Mosquitto’s log:
1553357063: |-- ** checking backend http
1553357063: |-- url=http://127.0.0.1:8080/login
1553357063: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357064: |-- getuser(has) AUTHENTICATED=1 by http
1553357064: Socket error on client , disconnecting.
1553357064: |-- mosquitto_auth_unpwd_check(has)
1553357064: |-- ** checking backend http
1553357064: |-- url=http://127.0.0.1:8080/login
1553357064: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
1553357064: New connection from 10.0.0.233 on port 1883.
[INFO] found has on local database
1553357066: |-- getuser(has) AUTHENTICATED=1 by http
1553357066: Socket error on client , disconnecting.
1553357078: New connection from 10.0.0.100 on port 1883.
1553357078: |-- mosquitto_auth_unpwd_check(has)
1553357078: |-- ** checking backend http
1553357078: |-- url=http://127.0.0.1:8080/login
1553357078: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357079: |-- getuser(has) AUTHENTICATED=1 by http
1553357079: Socket error on client , disconnecting.
1553357082: New connection from 10.0.0.189 on port 1883.
1553357082: |-- mosquitto_auth_unpwd_check(has)
1553357082: |-- ** checking backend http
1553357082: |-- url=http://127.0.0.1:8080/login
1553357082: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357083: |-- getuser(has) AUTHENTICATED=1 by http
1553357083: Socket error on client , disconnecting.
1553357084: New connection from 10.0.0.112 on port 1883.
1553357084: |-- mosquitto_auth_unpwd_check(has)
1553357084: |-- ** checking backend http
1553357084: |-- url=http://127.0.0.1:8080/login
1553357084: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357085: |-- getuser(has) AUTHENTICATED=1 by http
1553357085: Socket error on client , disconnecting.
1553357085: New connection from 10.0.0.223 on port 1883.
1553357085: New connection from 10.0.0.214 on port 1883.
1553357085: |-- mosquitto_auth_unpwd_check(has)
1553357085: |-- ** checking backend http
1553357085: |-- url=http://127.0.0.1:8080/login
1553357085: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357087: Socket error on client , disconnecting.
1553357087: |-- getuser(has) AUTHENTICATED=1 by http
1553357087: |-- mosquitto_auth_unpwd_check(has)
1553357087: |-- ** checking backend http
1553357087: |-- url=http://127.0.0.1:8080/login
1553357087: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357088: |-- getuser(has) AUTHENTICATED=1 by http
1553357088: Socket error on client , disconnecting.
1553357088: New connection from 10.0.0.112 on port 1883.
1553357088: New connection from 10.0.0.224 on port 1883.
1553357088: |-- mosquitto_auth_unpwd_check(has)
1553357088: |-- ** checking backend http
1553357088: |-- url=http://127.0.0.1:8080/login
1553357088: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357089: |-- getuser(has) AUTHENTICATED=1 by http
1553357089: Socket error on client , disconnecting.
1553357089: New connection from 10.0.0.208 on port 1883.
1553357089: |-- mosquitto_auth_unpwd_check(has)
1553357089: |-- ** checking backend http
1553357089: |-- url=http://127.0.0.1:8080/login
1553357089: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357090: |-- getuser(has) AUTHENTICATED=1 by http
1553357090: Socket error on client , disconnecting.
1553357090: New connection from 10.0.0.233 on port 1883.
1553357090: |-- mosquitto_auth_unpwd_check(has)
1553357090: |-- ** checking backend http
1553357090: |-- url=http://127.0.0.1:8080/login
1553357090: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357091: |-- getuser(has) AUTHENTICATED=1 by http
1553357091: Socket error on client , disconnecting.
1553357095: New connection from 10.0.0.100 on port 1883.
1553357095: |-- mosquitto_auth_unpwd_check(has)
1553357095: |-- ** checking backend http
1553357095: |-- url=http://127.0.0.1:8080/login
1553357095: |-- data=username=has&password=hAs&topic=&acc=-1&clientid=
[INFO] found has on local database
1553357096: |-- getuser(has) AUTHENTICATED=1 by http
1553357096: Socket error on client , disconnecting.
1553357108: New connection from 10.0.0.189 on port 1883.
1553357108: |-- mosquitto_auth_unpwd_check(has)
1553357108: |-- ** checking backend http

Sorry, I think my first attempt to insert my Mosquitto log excerpt was not done right. I still need any help I can get on this (most of my automation is with MQTT, so I am very down at this time). Any help greatly appreciated, Doug

I’m not sure this will help, or is relevant.

However I rebooted My (working 4.1 broker) Hass system a few days ago and had similar issue. And I remember my logs had the same messages.

I tried a few things. What I think worked was temporarily changing the MQTT config. I changed the line

"active": true,

to

"active": false,

Restarted the broker, let it run with errors for a minute or two, then changed it back and restarted the broker again.
Then automagically it was working. /shrug

Worth a try.

I found out yesterday that if you add homeassistant to the acl file (with permissions) that it works now with active: true.

That sounds logical.
I haven’t used it. However, I’m going to.

Thanks for the info.

Same problem here. Encouraging to see people have it working.
So what are the magic steps?

I have the following setup:

configuration.yaml

    mqtt:
      broker: core-mosquitto
      username: !secret mqtt_username
      password: !secret mqtt_password
    # mqtt username and password are not hassio user credentials?

    switch:
      - platform: mqtt
        name: sonoff 1
        state_topic: "stat/sonoff_1/RESULT"
        command_topic: "cmnd/sonoff_1/POWER1"
        availability_topic: "tele/sonoff_1/LWT"
        qos: 1
        payload_on: "ON"
        payload_off: "OFF"
        payload_available: "Online"
        payload_not_available: "Offline"
        retain: true

accesscontrollist

    # General Section
    # topic readwrite #
    topic read $SYS/#
    # User Section
    user airoguard
    topic readwrite stat/sonoff_1/RESULT
    topic readwrite cmnd/sonoff_1/POWER1
    topic readwrite tele/sonoff_1/LWT
    # Client Section
    #pattern readwrite stat/sonoff_1/%u/#
    #pattern readwrite cmnd/sonoff_1/%u/#

mosquitto config

{
  "logins": [
    {
      "username": "airoguard",
      "password": "XXXXXX."
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

Sonoff basic config

Sonoff Basic Module
Sonoff1
MQTT parameters 
Host ()
192.168.0.17
Port (1883)
1883
Client (DVES_51CD30)
DVES_%06X
User (DVES_USER)
airoguard
Password
••••••••
Topic = %topic% (sonoff)
sonoff_1
Full Topic (%prefix%/%topic%/)
%prefix%/%topic%/
Sonoff-Tasmota 6.5.0 by Theo Arends

Result

sonoff 1 unavailable
?
Thanks
Rob

I also have the same problem, when I updated to Mosquitto 4.1.
I have (basic) automations with zigbee2mqtt (cc2531) and a Sonoff Basic with Tasmota 6.4.0.
Now I have no usernames/passwords and have only created a mosquitto folder within the share folder.

this is what i got:

add on config:

{
  "logins": [],
  "anonymous": true,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

log error:

553584991: New connection from 192.168.1.7 on port 1883.
1553584991: Socket error on client <unknown>, disconnecting.

sonoff yaml config:

switch:
  - platform: mqtt
    name: "sonoff garage"
    command_topic: "cmnd/sonoff/power"
    state_topic: "stat/sonoff/POWER"
    qos: 1
    payload_on: "ON"
    payload_off: "OFF"
    retain: true

mqtt yaml config:

mqtt:
  broker: core-mosquitto
  discovery: true

Getting the same issue here.
I found my answer in the Mosquitto addon page : addons/mosquitto/README.md at master · home-assistant/addons · GitHub

Since version 4.1 of the addon, an explicit ACL definition is now required, see these instructions.

Hope it will help :slight_smile:

I upgraded to 4.1 and have been trying to figure out how to correct my socket error problems and get back to lights working. Have read and tried everything on this forum with no luck. Pipo114 posted that he found the answer but didn’t tell us what the answer is. I have the following configuration. Any help would be appreciated.

Configuration.yaml

mqtt:
  broker: 127.0.0.1
  port: 1883
  client_id: budlyte
  username: xxxxxxx
  password: yyyyyy
  protocol: 3.1
  birth_message:
    topic: "tele/hass1/LWT"
    payload: "Online"
    qos: 1
    retain: true
  will_message:
    topic: "tele/hass1/LWT"
    payload: "Offline"
    qos: 1
    retain: true

Mqtt config

{
  "logins": [
    {
      "username": "xxxxxxx",
      "password": "yyyyyy"
    }
  ],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

accesscontrollist file
user xxxxxxx
topic readwrite #

acl.conf

acl_file /share/mosquitto/accesscontrollist

Thanks
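To make the ACL semantics discussed in this thread concrete (the general section and per-user sections in the accesscontrollist Rob posted above, the `user xxxxxxx` / `topic readwrite #` file in this post, and the earlier fix of adding the Home Assistant user to the file), here is an added example, not the add-on's or Mosquitto's own code: a small Python evaluator for a Mosquitto ACL file. It models the rule semantics as documented for mosquitto.conf (general-section `topic` lines apply to anonymous clients, `user` sections to the named user, `pattern` lines to every client with `%u`/`%c` substituted, and a client with no matching rule is denied). The sample ACL text is constructed from the files in this thread; the username `homeassistant` is assumed to be the name the add-on's Home Assistant login uses, and the `devices/%u/#` pattern is an illustrative addition.

```python
"""Evaluator for a Mosquitto ACL file (hypothetical helper, not add-on code).

Semantics modelled, per the mosquitto.conf documentation:
  * 'topic' lines before any 'user' line (general section): anonymous clients
  * 'topic' lines after 'user <name>': that user only
  * 'pattern' lines: every client, with %u -> username and %c -> client id
  * no matching allow rule means denied; 'deny' beats any allow
  * MQTT '+'/'#' wildcards never match '$SYS/...' unless the filter starts with '$'
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]                     # (access mode, topic filter)
MODES = ("read", "write", "readwrite", "deny")


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT subscription-style match of `topic` against filter `filt`."""
    if topic.startswith("$") and not filt.startswith("$"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":                    # '#' covers this level and everything below
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


@dataclass
class Acl:
    general: List[Rule] = field(default_factory=list)
    users: Dict[str, List[Rule]] = field(default_factory=dict)
    patterns: List[Rule] = field(default_factory=list)


def parse_acl(text: str) -> Acl:
    """Parse accesscontrollist text; raises ValueError on an unknown line."""
    acl, current = Acl(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]             # start of a per-user section
            acl.users.setdefault(current, [])
            continue
        if parts[0] not in ("topic", "pattern") or len(parts) < 2:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        if len(parts) == 3 and parts[1] in MODES:
            rule = (parts[1], parts[2])
        else:                              # access mode omitted => readwrite
            rule = ("readwrite", line.split(None, 1)[1])
        if parts[0] == "pattern":
            acl.patterns.append(rule)
        elif current is None:
            acl.general.append(rule)
        else:
            acl.users[current].append(rule)
    return acl


def check_access(acl: Acl, username: Optional[str], clientid: str,
                 topic: str, access: str) -> bool:
    """True if this client may `access` ('read' or 'write') `topic`."""
    if access not in ("read", "write"):
        raise ValueError(access)
    rules = list(acl.general) if username is None else list(acl.users.get(username, []))
    for mode, tmpl in acl.patterns:
        if username is None and "%u" in tmpl:
            continue                       # anonymous client: nothing to substitute for %u
        rules.append((mode, tmpl.replace("%u", username or "").replace("%c", clientid)))
    matched = [mode for mode, filt in rules if topic_matches(filt, topic)]
    if "deny" in matched:
        return False
    return any(mode in ("readwrite", access) for mode in matched)


# Constructed to mirror the accesscontrollist posted earlier in the thread
# (general 'topic readwrite #' commented out, one user section for the Sonoff).
ACL_AS_POSTED = """\
# General Section
# topic readwrite #
topic read $SYS/#
# User Section
user airoguard
topic readwrite stat/sonoff_1/RESULT
topic readwrite cmnd/sonoff_1/POWER1
topic readwrite tele/sonoff_1/LWT
"""
# Same file plus a section for the Home Assistant login (username assumed)
# and an illustrative per-user pattern.
ACL_WITH_HA_USER = ACL_AS_POSTED + """\
user homeassistant
topic readwrite #
pattern readwrite devices/%u/#
"""


def explain(acl_text: str) -> Dict[str, bool]:
    """The checks a troubleshooter wants: can each party reach its topics?"""
    acl = parse_acl(acl_text)
    sonoff, ha = ("airoguard", "DVES_51CD30"), ("homeassistant", "ha-core")
    return {
        "sonoff_publishes_state": check_access(acl, *sonoff, "stat/sonoff_1/RESULT", "write"),
        "sonoff_reads_command": check_access(acl, *sonoff, "cmnd/sonoff_1/POWER1", "read"),
        "ha_reads_state": check_access(acl, *ha, "stat/sonoff_1/RESULT", "read"),
        "ha_writes_command": check_access(acl, *ha, "cmnd/sonoff_1/POWER1", "write"),
        "anon_reads_sys": check_access(acl, None, "mqttfx", "$SYS/broker/version", "read"),
        "anon_reads_state": check_access(acl, None, "mqttfx", "stat/sonoff_1/RESULT", "read"),
    }


if __name__ == "__main__":
    for label, text in (("as posted", ACL_AS_POSTED), ("with HA user", ACL_WITH_HA_USER)):
        print(label, explain(text))
```

Running it shows the symptom this thread keeps hitting: the Sonoff user passes every check on its own topics, but a login the file does not name is denied on every topic even though authentication succeeded, until a section for it is added. The log posted earlier shows Home Assistant logins being checked against an HTTP backend rather than a local password file, so with active: true the ACL file is the only place those users get any topic rights; running a check like this against your file before enabling it is cheaper than reading socket errors afterwards.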

Can Someone do a “MQTT 4.1 for DUMMIES”. I followed the links in pipo114 post (-2), with no JOY. I need someone to dumb it down…


I also have just same, but now is ok…

with :

1–>> user for mqtt --> example : mqtt-admin

Sonoff console:
00:03:21 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:03:32 MQT: Attempting connection…
00:03:47 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:03:57 MQT: Attempting connection…
00:04:12 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:04:23 MQT: Attempting connection…
00:04:38 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:04:49 MQT: Attempting connection…
00:05:04 MQT: Connect failed to 192.168.0.4:1883, rc -4. Retry in 10 sec
00:05:15 MQT: Attempting connection…
00:05:15 MQT: Connect failed to 192.168.0.4:1883, rc -2. Retry in 10 sec
00:05:26 MQT: Attempting connection…
00:05:27 MQT: Connected
00:05:27 MQT: tele/sonoff/LWT = Online (retained)
00:05:27 MQT: cmnd/sonoff/POWER =
00:05:27 MQT: tele/sonoff/INFO1 = {"Module":"Sonoff Basic","Version":"6.5.0(basic)","FallbackTopic":"cmnd/DVES_F985F2_fb/","GroupTopic":"sonoffs"}
00:05:27 MQT: tele/sonoff/INFO2 = {"WebServerMode":"Admin","Hostname":"sonoff-1522","IPAddress":"192.168.0.137"}
00:05:27 MQT: tele/sonoff/INFO3 = {"RestartReason":"Software/System restart"}
00:05:27 MQT: stat/sonoff/RESULT = {"POWER":"OFF"}
00:05:27 MQT: stat/sonoff/POWER = OFF
00:05:36 MQT: tele/sonoff/STATE = {"Time":"1970-01-01T00:05:36","Uptime":"0T00:02:37","Vcc":3.226,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"LS-Home","BSSId":"C8:D1:2A:CB:B1:7C","Channel":11,"RSSI":96,"LinkCount":1,"Downtime":"0T00:00:04"}}
00:05:36 MQT: tele/sonoff/SENSOR = {"Time":"1970-01-01T00:05:36","Switch1":"ON"}
00:10:37 MQT: tele/sonoff/STATE = {"Time":"1970-01-01T00:10:36","Uptime":"0T00:07:37","Vcc":3.226,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"LS-Home","BSSId":"C8:D1:2A:CB:B1:7C","Channel":11,"RSSI":98,"LinkCount":1,"Downtime":"0T00:00:04"}}
00:10:37 MQT: tele/sonoff/SENSOR = {"Time":"1970-01-01T00:10:37","Switch1":"ON"}

Same issue here.
Latest HA/Hass.io/Mosquitto add-on.

Other stuff I found:

  • Home Assistant can connect to Mosquitto whether or not you set ACLs
  • the issue is connecting to the broker from outside: I have issues with both MQTT.FX and the Happy Bubbles add-on, which can’t connect to MQTT

In fact:

  • if ACLs are used I can connect with MQTT.fx ONLY if I log in anonymously, with the proper flag set to true in the Mosquitto add-on
  • if ACLs are off I can connect with MQTT.fx using the user/pwd credentials set in ACLs

So far I didn’t find any combination that lets the Happy Bubbles add-on connect to Mosquitto.

I had issues with connecting with various applications too; the one which works reliably for me when all the others don’t is MQTT Lens, which runs on Chrome.

So everybody in this thread has more or less the same kind of problem (me too), but is it an identified bug, is there a workaround, or is there a right way to do it?


Hi David,

Can you tell me exactly where I need to put the user homeassistant?
Here is the link to my thread: