Configuring MQTT with a Let's Encrypt certificate

Since I just spent a long time getting Home Assistant to work with Mosquitto and a Let’s Encrypt certificate:
These are the options that have to be set in the MQTT config:

  • Broker certificate validation must be set to Auto
  • do not Upload custom CA certificate file
  • ‘Ignore broker certificate validation’ must be disabled

The certificate must not be a wildcard certificate i.e. it must be for the host Mosquitto is running on and it must contain the full certificate chain.

Because the host I’m running Mosquitto on is not accessible from the internet, I use something like

certbot --manual certonly --preferred-challenges dns -d "host.domain.net" --email [email protected]

to create the certificate and update the TXT record in the DNS server manually while the script runs.
The host name (host.domain.net in this example) is in my local DNS and used to access the machine Mosquitto is running on.

See also MQTT - Home Assistant

Just found this topic, which is the closest I’ve seen to allowing me to configure MQTT integration with SSL. How do you get the extended set of options (beyond the simple “broker”, “port”, “user”, “password” set of 4) to come up when you first install an MQTT integration? Or can you only do it once you’ve got the integration installed in the first place?

If I remember correctly it was always there, right from the start.

BTW. I changed my setup to use MQTT w/o SSL internally on the raspi I have installed HomeAssistant on and proxy it as MQTTS to the outside using Traefik.
Since most of my accesses are from HomeAssistant that reduces the CPU load a bit, but most importantly it makes the raspi with HomeAssistant robust against expired certificates, i.e. no more lights out when the MQTTS cert is expired.

Thanks for responding. With LetsEncrypt, the certificates shouldn’t really expire. That’s why I felt comfortable using MQTTS only. It’s worth considering the load on devices to use TLS, though, that’s a good shout.

I’ve installed HA 2023.8.4 (frontend 20230802.1-latest), and I only get the first four entry boxes. Looking at the code, it seems that the rest appear when advanced_broker_options is True, but it’s a little chicken and egg - I can’t get a config in until I can connect, I can’t connect until I can set advanced options to turn on TLS and I can’t set advanced options until I have a config.

I’m afraid I can’t help you there, I always see all the options (I just upgraded one instance to 2023.8.4 and verified it again).