Mosquitto update 4.1 - ACL messages in logs

ACL wouldn’t work for me until I added homeassistant user as well. I have no idea why. You also need to set active: true in the broker. You should then see the errors and warnings go away.

So to be 100% clear, I do this:

  1. Edit the broker config to be this and save:

         "customize": {
           "active": true,
           "folder": "mosquitto"
         }

  2. Create /share/mosquitto/acl.conf and add the line:

         acl_file /share/mosquitto/accesscontrollist

  3. Create /share/mosquitto/accesscontrollist and add:

         user mqtt_user
         topic #
         user homeassistant
         topic #

  4. Restart the broker.
1 Like
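
What the ACL file in the post above actually grants, as an added example that is not part of the original post or the add-on's code: a small evaluator for `user`/`topic` lines that applies MQTT wildcard matching, including the rule that a leading `#` does not cover `$`-prefixed topics such as `$SYS/...`. It is a simplified model (no `pattern` lines, no anonymous section); the function names and the scoped ACL with its topic names are assumptions made for illustration.

```python
# ACL from the post above: both users get read/write on every normal topic.
WIDE_ACL = """\
user mqtt_user
topic #
user homeassistant
topic #
"""
# Constructed alternative (topic names are assumptions, not from the thread).
SCOPED_ACL = """\
user mqtt_user
topic read cmnd/#
topic write stat/#
topic read $SYS/#
"""

def parse_acl(text):
    """Return {username: [(access, topic_filter), ...]} from acl_file text."""
    rules, user = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        keyword, _, rest = line.partition(" ")
        if keyword == "user":
            user = rest.strip()
        elif keyword == "topic":
            first, _, tail = rest.strip().partition(" ")
            if first in ("read", "write", "readwrite") and tail:
                rules.setdefault(user, []).append((first, tail.strip()))
            else:  # no access keyword means read and write
                rules.setdefault(user, []).append(("readwrite", rest.strip()))
    return rules

def matches(topic_filter, topic):
    """MQTT filter matching: '+' is one level, '#' is the rest."""
    f, t = topic_filter.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("#", "+"):
        return False  # leading wildcards never match $-prefixed topics
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or part not in ("+", t[i]):
            return False
    return len(f) == len(t)

def allowed(rules, user, topic, want):
    """want is 'read' or 'write'; users with no matching rule are denied."""
    return any(access in ("readwrite", want) and matches(flt, topic)
               for access, flt in rules.get(user, []))
```
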

That did it for me yes.

1 Like

I’ve completed it and everything still seems to be working. The test will be next HA version update.

1 Like

I’m on 0.91.0 now and it’s working well… A few custom components needed to be updated but otherwise no issues. (all the ones I was using updated already) The early betas were so bad I had to roll back but the release version is awesome. I also had to reconfigure my Yeelights as they are now their own platform but it is pretty stable here.

I’m on 0.91.0 as well. The last two updates (including that one) caused mqtt broker spaz-outs for me (fixed with more HA restarts). I believe this started to occur after updating the broker to v4.1 so I’m hoping this fixes it when the 0.92 update comes around.

I saw @cogneato had the same issue but I have never seen that.

Well that didn’t last long. Just lost connection to all my mqtt devices.

Seems to be authenticating correctly, system log:

19-04-05 02:00:32 INFO (MainThread) [hassio.auth] Auth request from core_mosquitto for mqtt_user
19-04-05 02:00:33 INFO (MainThread) [hassio.auth] Success login from mqtt_user
19-04-05 02:00:34 INFO (MainThread) [hassio.auth] Auth request from core_mosquitto for mqtt_user
19-04-05 02:00:35 INFO (MainThread) [hassio.auth] Success login from mqtt_user
19-04-05 02:00:35 INFO (MainThread) [hassio.auth] Auth request from core_mosquitto for mqtt_user
19-04-05 02:00:37 INFO (MainThread) [hassio.auth] Success login from mqtt_user
19-04-05 02:00:37 INFO (MainThread) [hassio.auth] Auth request from core_mosquitto for mqtt_user

But there are socket errors in the broker log:

1554429736: |-- getuser(mqtt_user) AUTHENTICATED=1 by http
1554429736: Client sonoff_dining_heater_north already connected, closing old connection.
1554429736: Socket error on client sonoff_dining_heater_north, disconnecting.
1554429736: |-- mosquitto_auth_unpwd_check(mqtt_user)
1554429736: |-- ** checking backend http
1554429736: |-- url=http://127.0.0.1:8080/login
1554429736: |-- data=username=mqtt_user&password=readcted&topic=&acc=-1&clientid=
1554429736: New client connected from 10.1.1.188 as sonoff_dining_heater_north (c1, k15, u'mqtt_user').
[INFO] found mqtt_user on Home Assistant
1554429737: Client sonoff_dishwasher already connected, closing old connection.
1554429737: Socket error on client sonoff_dishwasher, disconnecting.
1554429737: New client connected from 10.1.1.192 as sonoff_dishwasher (c1, k15, u'mqtt_user').
1554429737: |-- getuser(mqtt_user) AUTHENTICATED=1 by http
1554429737: |-- mosquitto_auth_unpwd_check(mqtt_user)
1554429737: |-- ** checking backend http
1554429737: |-- url=http://127.0.0.1:8080/login
1554429737: |-- data=username=mqtt_user&password=redacted&topic=&acc=-1&clientid=
[INFO] found mqtt_user on Home Assistant
1554429740: |-- getuser(mqtt_user) AUTHENTICATED=1 by http
1554429740: Client sonoff_lounge_dehumidifier already connected, closing old connection.
1554429740: Socket error on client sonoff_lounge_dehumidifier, disconnecting.
1554429740: New client connected from 10.1.1.185 as sonoff_lounge_dehumidifier (c1, k15, u'mqtt_user').
1554429740: |-- mosquitto_auth_unpwd_check(mqtt_user)
1554429740: |-- ** checking backend http
1554429740: |-- url=http://127.0.0.1:8080/login
1554429740: |-- data=username=mqtt_user&password=redacted&topic=&acc=-1&clientid=
[INFO] found mqtt_user on Home Assistant
1554429742: |-- getuser(mqtt_user) AUTHENTICATED=1 by http
1554429742: |-- mosquitto_auth_unpwd_check(mqtt_user)
1554429742: Client sonoff_washing_machine already connected, closing old connection.
1554429742: Socket error on client sonoff_washing_machine, disconnecting.
1554429742: New client connected from 10.1.1.193 as sonoff_washing_machine (c1, k15, u'mqtt_user').
1554429742: |-- ** checking backend http
1554429742: |-- url=http://127.0.0.1:8080/login
1554429742: |-- data=username=mqtt_user&password=redacted&topic=&acc=-1&clientid=

Restarting the broker did not help.

Restarting HA seems to have restored the service for now…

Is that a Home Assistant user or have you defined a local user in the broker?

mqtt_user is a HA user.

Are you using discovery or manual config? Can you share your config?

Manual config for some (sonoff’s), discovery for others (ESPhome ESP boards).

Broker config:

{
  "logins": [],
  "anonymous": false,
  "customize": {
    "active": true,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

No mqtt entry in configuration.yaml.

You’re using ESP with MQTT?

Yep. I like to be able to see what is going on when things go awry. “If it ain’t broke don’t fix it” also applies as I do not want to introduce more problems while planning a move from pi to mini pc. I’ll try the api eventually but it’s a low priority at the moment.

Some people have tried disabling the broker and reenabling it as well as restarting the host a couple of times… but that does not make any sense to me.

It’s what has been rectifying the problem for me too. It’s like HA stops talking to the broker until it is restarted, then all is well for a while.

I finally found the time to set up the ACL file. It has stopped all the logging as I wanted it to. Thought I would move to using a home assistant user to login instead of the local user in the add-on configuration.

Result was socket errors and clients disconnecting and reconnecting. Tried adding the user homeassistant to the ACL file but don’t appear to need this.

Went back to config file user for now.

1 Like

Same here.

If I flip set Customize:Active to true then Mosquitto MQTT is unable to connect to IP Address?

I finally got the official MQTT addon working, basically the same way as described in this post.

I only added one extra line in ACL config “topic $SYS/#” to be able to check Mosquitto internal stats.

My concern is the same as yours: “What is the benefit of this new configuration using HA user with password, when it reveals the password to the log in plain text?!”

I’m waiting for this pull request to be merged to remove the plaintext logging of the password.

If you want it now, you can move mosquitto to a local addon directory and apply my patch manually. But I guess it’ll be merged soon.

2 Likes
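
For the plaintext-password concern above, an added example (not part of the thread, the add-on, or the pending patch): a scrubber that masks the `password=` field in the auth backend's `data=` log lines and reports which usernames had a password written to the log, so those credentials can be rotated. The sample lines are constructed in the format shown earlier on this page; the function name and the password value are assumptions.

```python
import re

# Matches the auth backend's request dump: data=username=<u>&password=<p>&...
AUTH_DATA = re.compile(r"(data=username=)([^&\s]*)(&password=)([^&\s]*)")

# Constructed sample in the broker-log format shown on this page.
SAMPLE_LOG = [
    "1554429736: |-- mosquitto_auth_unpwd_check(mqtt_user)",
    "1554429736: |-- url=http://127.0.0.1:8080/login",
    "1554429736: |-- data=username=mqtt_user&password=EXAMPLE-SECRET"
    "&topic=&acc=-1&clientid=",
    "1554429737: New client connected from 10.1.1.192 as sonoff_dishwasher"
    " (c1, k15, u'mqtt_user').",
]

def scrub(lines, mask="[REDACTED]"):
    """Return (clean_lines, exposed_users).

    clean_lines has every password value replaced by `mask`;
    exposed_users is the set of usernames whose password appeared
    non-empty in the input and should therefore be changed.
    """
    exposed = set()

    def _mask(match):
        prefix, user, field, secret = match.groups()
        if secret:
            exposed.add(user)
        return prefix + user + field + mask

    clean = [AUTH_DATA.sub(_mask, line) for line in lines]
    return clean, exposed

if __name__ == "__main__":
    cleaned, users = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("rotate passwords for:", sorted(users))
```

Run it over a copy of the broker log before posting the log anywhere; masking the copy does not remove the password from the original log file.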