Local MQTT Broker with Certificates

buentead · October 15, 2020, 7:12am

I installed the add-on “Mosquitto Broker” v5.1 and verified the installation with port 1883 and user id / password. Everything is working fine.

Then I created the server and client certificates and configured the MQTT broker as follows:

logins: []
anonymous: false
customize:
  active: true
  folder: mosquitto
certfile: mqttserver.pem
keyfile: mqttserver.key
require_certificate: true
cafile: rootCA.pem
use_identity_as_username: true

With this configuration I would assume, that the user ID is taken from the CN (which is “mqttclient”) of the client certificate and would allow me to connect to the broker without user id / psw. But the following command doesn’t work:

 mosquitto_pub -h 192.168.1.123 -p 8883 --cafile rootCA.pem --cert mqttclient.pem --key mqttclient.key -t home/test -m "Switch is OFF" --insecure

With this I get the error:
Connection error: Connection Refused: not authorized

And on the broker log the following message is shown:
1602744913: New connection from 172.30.32.1 on port 8883.
1602744913: Socket error on client <unknown>, disconnecting.

If I add user id / psw to the command, it works, e.g.

 mosquitto_pub -h 192.168.1.123 -p 8883 --cafile rootCA.pem --cert mqttclient.pem --key mqttclient.key -t home/test -m "Switch is OFF1" --insecure -u mqttclient -P verysecret

And on the broker log I can see:
1602745114: New connection from 172.30.32.1 on port 8883.
[INFO] found mqttclient on Home Assistant
1602745115: New client connected from 172.30.32.1 as mosq-T06Wb4jAt9WvSjjkvJ (p2, c1, k60, u'mqttclient').
1602745115: Client mosq-T06Wb4jAt9WvSjjkvJ disconnected.

Hence, I assume that the configuration line “use_identity_as_username: true” is not taken into account.

How can I connect to the Home Assistant MQTT Broker by just using the certificate without user id / psw.

Thanks, Adrian

Software Version
Home Assistant 0.116.2
HassOS 5.3

buentead · October 16, 2020, 2:19pm

I reviewed the Mosquitto Broker run.sh script. The configuration option “use_identity_as_username: true” is not supported in this version.

Hence, I filed a feature request:
MQTT Broker: use Common Name (CN) from client certificate as username
If you like to support this feature, please vote for it. Thanks.

buentead · October 16, 2020, 3:26pm

In the meantime, I changed the MQTT Broker configuration as follows in order to support certificate CN as username.

Mosquitto Broker - Configuration
mqtt_config
I configured the “certfile” and “keyfile” in such a way, the the certificates cannot be found by the Mosquitto “run.sh” script. Therefore, the SSL configuration will not be enabled by this script as the extract from the Mosquitto broker log confirms:

[17:01:54] INFO: Setup mosquitto configuration
[17:01:54] WARNING: SSL not enabled - No valid certs found!
[17:01:54] INFO: No local user available
[17:01:54] INFO: Initialize Hass.io Add-on services
[17:01:54] INFO: Initialize Home Assistant discovery
[17:01:55] INFO: Start Mosquitto daemon

However, I enabled the customizing folder “mosquitto”. In there, I created a new configuration file with the following content:
ssl.conf

listener 8883
protocol mqtt
cafile /ssl/rootCA.pem
certfile /ssl/mqttserver.pem
keyfile /ssl/mqttserver.key
require_certificate true
use_identity_as_username true

listener 8884
protocol websockets
cafile /ssl/rootCA.pem
certfile /ssl/mqttserver.pem
keyfile /ssl/mqttserver.key
require_certificate true
use_identity_as_username true

As you can see, I was able to include the option “use_identity_as_username true”. The Mosquitto broker log confirms, that the configuration file “ssl.conf” was successfully loaded.

1602860515: mosquitto version 1.6.3 starting
1602860515: Config loaded from /etc/mosquitto.conf.
1602860515: Loading plugin: /usr/share/mosquitto/auth-plug.so
1602860515:  ├── Username/password checking enabled.
1602860515:  ├── TLS-PSK checking enabled.
1602860515:  └── Extended authentication not enabled.
1602860515: Opening ipv4 listen socket on port 8883.
1602860515: Opening ipv6 listen socket on port 8883.
1602860515: Loading config file /share/mosquitto/ssl.conf
1602860515: |-- *** auth-plug: startup
1602860515: Opening websockets listen socket on port 8884.
1602860515: Opening ipv4 listen socket on port 1883.
1602860515: Opening ipv6 listen socket on port 1883.
1602860515: Opening websockets listen socket on port 1884.

The ‘proof of the pudding’ comes with the execution of the following statement:

mosquitto_pub -h 192.168.1.123 -p 8883 --cafile rootCA.pem --cert mqttclient.pem --key mqttclient.key -t home/test -m "Switch is OFF" --insecure

The Mosquitto broker log confirms a successful connection to the username “mqttclient” taken from the client certificate common name (CN).

1602860545: New connection from 172.30.32.1 on port 8883.
1602860545: New client connected from 172.30.32.1 as mosq-BXvdjbdFhXQuEgpMCQ (p2, c1, k60, u'mqttclient').
1602860545: Client mosq-BXvdjbdFhXQuEgpMCQ disconnected.

lordratner · September 17, 2021, 5:32pm

Hello,

Could you explain the process you used to generate the server files? (cafile, certfile, and keyfile)

buentead · February 28, 2022, 5:32pm

Sorry for my late answer. I missed your inquiry.
You may use the following procedures: Self Signed Certificate with Custom Root CA (github.com)