Embedded MQTT broker - secure OwnTracks connection possible?

Is it possible to configure the embedded MQTT broker to accept secure connections from OwnTracks? And if so, does anyone have examples of how to do this? I’ve searched everywhere but can’t find any information on this.

I do have an unsecured web sockets connection working between the embedded MQTT broker and OwnTracks, but I don’t want to leave it unsecured for long. I’d prefer to not have to switch to Mosquitto MQTT if possible, but I will if that is the only option. I do not want to use CloudMQTT.

I’m running Home Assistant on Ubuntu Server 16.04.3 LTS, and I do have Let’s Encrypt configured to secure my HA web site.

Paul

No idea on the embedded broker. I used mosquitto before HA so I used that. I ended up running two mosquitto brokers - an unsecured broker that HA connects to and all of my local sensors and apps use. And a second, fully secured broker exposed to the internet and bridged to the unsecured broker for owntracks. Works great - I can help with those instructions if you decide to go that route.

@TD22057 Thank you for the offer to assist me. I was able to figure out how to set up Mosquitto with Let’s Encrypt by following the guide below, and I’m now able to turn on TLS encryption within OwnTracks.

https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04

One question for you. What is the rationale for needing an unsecured broker? Is it because some local devices don’t support MQTT authentication?

Thanks again.

Cheers,
Paul

@Paul_M Multiple reasons really. For scripts and small devices, I don’t want to deal w/ encryption. The unsecured broker is only on my LAN so I don’t have to worry about attacks on it for the most part. Primarily it’s security though - the bridge is one direction from the secured->unsecured and only for the OwnTracks topics. So if someone were to hack the secured WAN broker and subscribe (which is unlikely given the certificate requirements, etc.), they can’t see anything but the OwnTracks messages. If I ever add locks, alarm system, etc. to my unsecured broker, I don’t have to worry about someone getting control of the actuators in the house because there is no path to that broker/topics from the outside. If I was more paranoid, I would have a second secured broker on the LAN for actuators and security devices to protect against someone hacking my Wi-Fi but I’m not ready to get that complicated yet.

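The two-broker layout described in the reply above, written out as Mosquitto configuration. This is an added example, not configuration from this thread, from Home Assistant or from the linked guide; it assumes both brokers run as separate mosquitto processes on the same Ubuntu host, the Let’s Encrypt file layout used in the DigitalOcean guide, and the placeholder values mqtt.example.com, 192.168.1.10 and CHANGE_ME.

```conf
# --- /etc/mosquitto/wan.conf : secured broker, exposed to the internet ---
# Run as its own process: mosquitto -c /etc/mosquitto/wan.conf
listener 8883
# Let's Encrypt paths as in the DigitalOcean guide (mqtt.example.com is a placeholder)
cafile   /etc/letsencrypt/live/mqtt.example.com/chain.pem
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
keyfile  /etc/letsencrypt/live/mqtt.example.com/privkey.pem
# Every client must log in; accounts are created with mosquitto_passwd
allow_anonymous false
password_file /etc/mosquitto/wan.passwd
acl_file      /etc/mosquitto/wan.acl

# --- /etc/mosquitto/wan.acl : every account is confined to the OwnTracks tree ---
# The phones publish their location under owntracks/<user>/<device>.
user owntracks
topic readwrite owntracks/#
# The bridge account can only read, so a leaked bridge password gives no way to publish.
user bridge
topic read owntracks/#

# --- /etc/mosquitto/lan.conf : unsecured broker for HA and local devices ---
# Run as its own process: mosquitto -c /etc/mosquitto/lan.conf
# Bind to the LAN address only (192.168.1.10 is a placeholder) so it is never
# reachable from the internet; HA and local sensors connect here on 1883.
listener 1883 192.168.1.10
allow_anonymous true

# One-way bridge: the LAN broker connects *out* to the secured broker over TLS
# and pulls in owntracks/# only. "in" means remote -> local, so nothing that
# is published on the LAN side is ever forwarded to the WAN broker.
connection owntracks-bridge
address mqtt.example.com:8883
# System CA bundle, used to verify the broker's Let's Encrypt certificate
bridge_cafile /etc/ssl/certs/ca-certificates.crt
remote_username bridge
remote_password CHANGE_ME
cleansession true
topic owntracks/# in 0
```

Home Assistant’s mqtt and owntracks components then point at the LAN broker on port 1883, while the phones are configured with mqtt.example.com:8883, TLS on, and the owntracks account.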

Thanks. Makes sense.

I also want to use OwnTracks with the integrated HBMQTT with a secured connection (https for the web interface already works). Should I also switch to Mosquitto? The integrated one does not sound like a good idea if it’s not clear if it works at all.

I installed Hass on Ubuntu 16.04 using the “Installation in Python virtual environment” guide