Experience integrating Duux products?

@Humvee It connects to MQTT server port 443 with TLS enabled.

Just add to your mosquitto a new listener for this with no password and self-signed certificates:

listener 443 0.0.0.0
cafile /etc/mosquitto/ssl/ca.crt
certfile /etc/mosquitto/ssl/cloudgarden.crt
keyfile /etc/mosquitto/ssl/cloudgarden.key
allow_anonymous true
max_connections -1
persistence true
2 Likes

Believe it or not, I’ve never made (self-signed?) certificates for a domain I do not own. LetsEncrypt makes it look easy. I’m not sure how to properly make the subdomains work. Here is what the internet told me so far:

# Local root CA: private key plus a self-signed CA certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 9999 -out ca.crt -subj "/CN=LocalRootCA"

# Server key and CSR, then sign the CSR with the local CA
openssl genrsa -out cloudgarden.key 2048
openssl req -new -key cloudgarden.key -out cloudgarden.csr -subj "/CN=cloudgarden"
openssl x509 -req -in cloudgarden.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cloudgarden.crt -days 9999 -sha256

Full disclosure: This is for testing purposes only. I put all my barely updated security risk devices on a separate VLAN that cannot communicate with my main network, except for a single container, so I still need to make that proxy/relay work. I can’t have an open allow_anonymous listener on my main network because I’m paranoid afraid careful.
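An added example for the certificate question above (not code from the thread): it builds a local root CA with proper CA extensions and a broker certificate whose Subject Alternative Names cover one or more hostnames, then checks chain and hostname the way a strict TLS client would. The directory and hostnames are assumptions, not the real service's names.

```shell
# make_local_tls DIR "host1,host2": writes ca.crt, server.crt, server.key into DIR.
make_local_tls() {
  dir="$1"; sans="$2"
  mkdir -p "$dir"
  # Minimal config so the CA cert carries real CA extensions regardless of
  # the distro's default openssl.cnf (an empty [dn] section works with -subj).
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/ca.cnf" -subj "/CN=LocalRootCA" -out "$dir/ca.crt"
  # Broker key and CSR; CN is the first name, but clients match SANs, not CN.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/ca.cnf" \
    -subj "/CN=${sans%%,*}" -out "$dir/server.csr"
  # Extension file: one DNS: entry per hostname (this is how subdomains work).
  san_list=$(printf '%s' "$sans" | sed 's/,/,DNS:/g')
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$san_list" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_server_cert DIR HOST: exit 0 only if server.crt chains to ca.crt,
# is inside its validity period, and lists HOST in its SANs.
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Usage (assumed paths):
#   make_local_tls ./tls "mqtt.example.test,broker.example.test"
#   verify_server_cert ./tls mqtt.example.test && echo "chain and hostname OK"
```

Point mosquitto's cafile, certfile and keyfile at the generated ca.crt, server.crt and server.key; the verify step is the check the devices reportedly skip, so use it to confirm your own clients (e.g. the relay container) are configured strictly.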

You don’t really need to fake the cloud garden domain (and I’d advise against it anyway), the devices don’t do any verification either of the common name, the SANs or the chain of trust.

In other words, as long as the server has a non-expired certificate, it’ll most likely work.

1 Like