HAOS, Sonoff RF Bridge running Tasmota, and TLS

Recently picked up a Sonoff 433MHz RF Bridge, flashed it to Tasmota (and the RF chip to Portisch), set up the Mosquitto add-on, successfully connected the Sonoff bridge to it, and installed the MQTT integration.

I have several dashboard buttons and automations that can control 433MHz lights, and I set up MQTT binary sensors to monitor status for a set of Govee 433MHz leak sensors. So far, so good.

Today, I tried to get the Sonoff bridge to connect to the local Mosquitto instance using TLS (port 8883).

I was initially unable to connect via TLS using MQTT Explorer, because my cert is a Let's Encrypt cert that points to my DuckDNS domain name. At this point, I was not able to connect on port 8883 to the internal Mosquitto server from the Sonoff Bridge either.

So my next step was to forward port 8883 in my router to my Home Assistant internal IP, which worked fine for connecting to port 8883 on my DuckDNS domain name via MQTT Explorer, but I was still unable to connect to port 8883 on the same domain from the Sonoff Bridge.

At this point, I was seeing a number of errors in the Mosquitto log with the message: “ssl3_get_record:wrong version number”.

I tried adding a custom configuration to pin the TLS version to 1.2; still no luck.

I’ve checked both this link and this one, and was not able to figure out from them what I might be doing wrong.

Would really like to get the Sonoff Bridge and Mosquitto to play nice together, so I’m hoping maybe someone has gone down this road and was able to make it work.

Hate replying to myself, but I did finally find a solution…so…

The trick, it turns out, is two-fold:

  1. If you’re using Tasmota on the Sonoff 433MHz RF Bridge and you want to use TLS, you MUST compile a custom version of Tasmota. The default version only enables TLS for ESP32-based devices, and the Sonoff RF Bridge is based on ESP8265 (not a typo, that’s a cousin to the ESP8266). The easiest way to get the custom version is to use TasmoCompiler via Gitpod, as discussed at tasmocompiler/README.md at master · benzino77/tasmocompiler (github.com).
  2. The default encryption algorithm for the DuckDNS/Let’s Encrypt HA add-on is apparently not compatible with Tasmota’s TLS implementation (or there’s some other issue there I don’t understand). I found the following discussion on the Tasmota GH repo, and it provided the solution to the certificate issue, which was to change the algo configuration parameter to rsa. In my case, I had to force renewal of the certificate by backing up my DuckDNS add-on, uninstalling, reinstalling, and then restoring the config. Without that step, even changing the algorithm didn’t renew the cert, because the expiration was > 30 days away.

Once I changed the algorithm on the cert, restarted Mosquitto, DuckDNS, NGINX Home Assistant SSL Proxy, and HA itself, I was able to get my Sonoff RF Bridge to connect to the Mosquitto add-on broker instance via TLS on port 8883.

Hopefully, this will be helpful if someone else needs to get this working.