Connect NodeMCU (ESP8266) to the built-in Mosquitto (Add-on) in Hassio using TLS!

This is how I connected my NodeMCUs to the built-in Mosquitto broker (Add-on) of Hassio using TLS.

  • still working on how to get it into Lovelace

1. Create all the certificate files using openssl (if it asks, the Common Name needs to be the IP of Hassio).
I used this tutorial as a base: http://www.steves-internet-guide.com/mosquitto-tls/

$ openssl genrsa -des3 -out ca.key 2048
$ openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
$ openssl genrsa -out server.key 2048
$ openssl req -new -out server.csr -key server.key
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600

2. Create PEM files:
(They are actually already PEM files; the commands just copy them with the .pem extension.)
$ cp server.crt servercrt.pem
$ cp server.key serverkey.pem

3. Copy to your Hassio location:
$ scp -r ~/Documents/Sandbox/myCerts4/servercrt.pem [email protected]:/ssl
$ scp -r ~/Documents/Sandbox/myCerts4/serverkey.pem [email protected]:/ssl
$ scp -r ~/Documents/Sandbox/myCerts4/ca.crt [email protected]:/ssl

4. UNDER CONSTRUCTION: The configuration.yaml part looks like this:
Unfortunately it is not working yet *facepalm*
mqtt:
  broker: core-mosquitto
  port: 1883
  username: !secret mqtt_username
  password: !secret mqtt_password
  certificate: /ssl/ca.crt

5. The configuration in the Add-on looks like this:
{
  "logins": [
    {
      "username": "stefan",
      "password": "secretPassword"
    }
  ],
  "anonymous": false,
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "servercrt.pem",
  "keyfile": "serverkey.pem"
}

I think if you then leave the entries for the ports 1883 and 1884 blank, they are not reachable any more.

6. On another computer you need the ca.crt file (the CA that signed server.crt, as used in --cafile below). Then you can check the Mosquitto output with:

mosquitto_sub --cafile ca.crt -h 192.168.178.28 -u "stefan" -P "secretPassword" -t "#" -i "stefansMac" -v -p 8883 --tls-version tlsv1.2

(From now on, I switched to the second part of this tutorial: https://www.youtube.com/watch?time_continue=964&v=gU5Vp0zCzak)
7. For attaching the NodeMCU you need the fingerprint of the certificate. You can get it from your computer with:

$ echo | openssl s_client -connect hassio.local:8883 | openssl x509 -fingerprint -noout
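Steps 1-3 and step 7 folded into one non-interactive script, as an added example rather than the post's own commands. It assumes openssl is on the PATH and takes the output directory and broker IP as arguments (192.168.178.28 from the post is the default). It adds two things the interactive commands do not: a subjectAltName carrying the broker IP (recent TLS clients match the SAN rather than the Common Name), and an offline `openssl verify` that server.crt really chains to ca.crt before anything is copied to /ssl. The fingerprint is read from the certificate file itself, so it can be obtained without the broker running.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl in PATH.
set -eu

# gen_broker_certs DIR BROKER_IP
# Writes ca.key, ca.crt, server.key, server.crt, servercrt.pem, serverkey.pem into DIR.
gen_broker_certs() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  # CA key is left unencrypted so the script runs unattended; the post's -des3 variant prompts for a passphrase.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1826 -key "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=mqtt-local-ca"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # Common Name = broker IP, as the post requires.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$ip"
  # Extension file: SAN with the same IP, plus serverAuth so the cert is usable only as a server cert.
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" -days 3600 -extfile "$dir/server.ext" 2>/dev/null
  # Step 2 of the post: same content, .pem names expected by the add-on config.
  cp "$dir/server.crt" "$dir/servercrt.pem"
  cp "$dir/server.key" "$dir/serverkey.pem"
  # Private keys should not be world-readable.
  chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/serverkey.pem"
}

# cert_chain_ok DIR -> exit 0 if server.crt verifies against ca.crt (what mosquitto_sub --cafile checks).
cert_chain_ok() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_fingerprint CERT -> SHA-1 fingerprint in the AA:BB:... form used by the NodeMCU sketch,
# computed from the file rather than from a live s_client connection.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Usage: sh make_broker_certs.sh run ./certs 192.168.178.28
if [ "${1:-}" = "run" ]; then
  out=${2:-./certs}
  gen_broker_certs "$out" "${3:-192.168.178.28}"
  cert_chain_ok "$out" && echo "server.crt chains to ca.crt"
  echo "fingerprint for mqtt_fprint: $(cert_fingerprint "$out/server.crt")"
fi
```

Run it once, copy servercrt.pem, serverkey.pem and ca.crt to /ssl as in step 3, and paste the printed fingerprint into mqtt_fprint in step 8. If cert_chain_ok fails, the add-on will still start, but mosquitto_sub --cafile and the NodeMCU fingerprint check are checking a certificate that was not signed by the CA you distributed.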

8. In the code of the NodeMCU you can use:
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>

#define mqtt_server "192.168.178.28" // the IP of your MQTT broker (must match the certificate's Common Name)
#define mqtt_user "stefan" // your MQTT user name, in the easiest case your Hassio username
#define mqtt_password "secretPassword" // your MQTT user password, in the easiest case your Hassio password
// SHA-1 fingerprint from step 7: 20 colon-separated hex bytes (the value below is only a placeholder)
const char* mqtt_fprint = "AB:CD:EF:GH:AB:CD:EF:GH:AB:CD:EF:GH:AB:CD:EF:GH";
#define mqtt_port 8883

9. Then establish the connection:
WiFiClientSecure espClient;
PubSubClient client(espClient);

10. And use this reconnect function:

void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    //    verifyFingerprint();
    // Attempt to connect
    if (client.connect(SENSORNAME, mqtt_user, mqtt_password)) {
      Serial.println("connected");
      // Check the broker's certificate fingerprint before publishing anything.
      // verify() is the axTLS API of ESP8266 cores before 2.5.0; newer (BearSSL)
      // cores use espClient.setFingerprint(mqtt_fprint) before connect() instead.
      if (espClient.verify(mqtt_fprint, mqtt_server)) {
        Serial.println("Connection secure -> sending state.");
        sendState();
      } else {
        Serial.println("Connection insecure! Rebooting.");
        Serial.flush();
        ESP.restart();
      }
    } else {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Wait about 5 seconds before retrying (25 x ~200 ms),
      // flashing the built-in LED (active low on the NodeMCU) briefly each time
      for (int i = 0; i < 25; i++) {
        digitalWrite(BUILTIN_LED, LOW);
        delay(1);
        digitalWrite(BUILTIN_LED, HIGH);
        delay(200);
      }
    }
  }
}

It took me half a lifetime so maybe this helps you folks.

I ran into trouble by updating Arduino libraries. If you update the PubSubLibrary, make sure to change the MQTT_MAX_PACKET_SIZE entry in the PubSubClient.h to
#define MQTT_MAX_PACKET_SIZE 512