ESPHOME MQTT over TLS (port 8883)

Hi,
I am a longtime user of ESPHOME and I love it!

I have a project where I need to place an ESP32 outside my network. VPN will not work because of constraints at that location (very low bandwidth). I want to use MQTT over TLS to encrypt the messages.

I followed the guide on the ESPHome website (MQTT Client Component — ESPHome, TLS with esp-idf (esp32)) but I cannot get it to work.

I set up my broker to accept encrypted messages, and when I test it with MQTT Explorer I can connect via TLS on port 8883. I just cannot get ESPHome on the ESP32 to do the same.

For

skip_cert_cn_check: true
idf_send_async: true
certificate_authority: | ...

EDIT:
I get “[skip_cert_cn_check] is an invalid option for [mqtt]. Please check the indentation.” OR “[idf_send_async] is an invalid option for [mqtt]. Please check the indentation.” etc. I checked and redid everything, but nothing fixed the issue.

My config (cert is fake, IP is local for testing):

esphome:
  name: pump-mon

esp32:
  board: esp32-c3-devkitm-1
  framework:
    type: esp-idf
    version: latest


# Enable logging
logger:

wifi:
  networks:
  - ssid: !secret wifi_ssid
    password: !secret wifi_pass


mqtt:
  broker: 172.16.0.10
  port: 8883
  username: !secret mqtt_user
  password: !secret mqtt_pass
  birth_message:
    topic: pump-mon/status
    payload: online
  will_message:
    topic: pump-mon/status
    payload: offline
  skip_cert_cn_check: true
  idf_send_async: true
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    MIIDjzCCAnegAwIBAgIUCCL7c2D9m3Yh6K9IfNWfBaq1vHAwDQYJKoZIhvcNAQEL
    BQAwVzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAkFCMQ4wDAYDVQQHDAVMZWR1YzEQ
    MA4GA1UECgwHbWUuaG9tZTEZMBcGA1UEAwwQaGFzcy5mcmVpdGVyLm5ldDAeFw0y
    MjA2MDYxNzA3MzlaFw0zMjA2MDMxNzA3MzlaMFcxCzAJBgNVBAYTAkNBMQswCQYD
    VQQIDAJBQjEOMAwGA1UEBwwFTGVkdWMxEDAOBgNVBAoMB21lLmhvbWUxGTAXBgNV
    BAMMEGhhc3MuZnJlaXRlci5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQDVu0hziYV/r3YAw89sO6zwUdKOjAmE7vFE1R/0KySbd
    JhQJdOb5zNOfBmO54e5qrAZ195rl/rX/2pjemdyLHwFBWzUiK0tlRWlaIanRAnmi
    GcWcZNMOLo+i6nTJc0ArA4pPbWYbA9vMKf1GuGFQhoRxQS4NMcveugAPSVLRk/m4
    aWyy
    -----END CERTIFICATE-----

Any ideas on what I am doing wrong?

Thanks.

should it be

certificate_authority: | >

I know what you have is in the docs, but something is being read as []

edit: I don’t pretend to understand this, but https://yaml-multiline.info/

Adding the > just throws another error.


Found my problem. For some reason ESPHome did not update past 2022.2.1. Needed 2022.4 for this to work. Updated to 2022.5.x now and no issues.

Out of curiosity (b/c I have a similar network situation and there is not much documented about this), how is your setup exactly? Do you use ESPHome MQTT over TLS to connect to Mosquitto on your HA server? Does this require opening up ports in HA? Are there any (data/network) safety risks?
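As an added example (not from this thread or from the ESPHome project), here is the mqtt block from the original config in its weak form next to a hardened form: the broker is addressed by the DNS name that the CA-signed server certificate carries, so the certificate name check can stay at its default instead of being skipped. The hostname, secrets and PEM body are placeholders.

```yaml
# Two alternative mqtt blocks for ESPHome with the esp-idf framework (TLS on 8883).
# They are shown side by side for comparison; a real config contains only one.

# Weak variant (as posted in the thread): the broker is addressed by IP, which
# cannot match the name in the server certificate, so skip_cert_cn_check: true is
# needed. With the name check off, any server certificate issued by the trusted CA
# is accepted regardless of which host presents it.
mqtt:
  broker: 172.16.0.10
  port: 8883
  username: !secret mqtt_user
  password: !secret mqtt_pass
  skip_cert_cn_check: true
  idf_send_async: true
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    ...CA certificate PEM (placeholder)...
    -----END CERTIFICATE-----

# Hardened variant: address the broker by the DNS name present in the server
# certificate's CN/SAN and leave skip_cert_cn_check at its default (disabled), so
# the client checks both the chain and the name. The PEM body stays indented under
# the "|" literal block so YAML keeps it as one multi-line string.
mqtt:
  broker: mqtt.example.home   # placeholder: must match the broker certificate name
  port: 8883
  username: !secret mqtt_user
  password: !secret mqtt_pass
  idf_send_async: true
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    ...CA certificate PEM (placeholder)...
    -----END CERTIFICATE-----
```

Both variants need ESPHome 2022.4 or newer for the TLS options to be recognised, as the thread's final post notes.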