I used the Cloud9 IDE add-on (which offers access to the share folder) to create the missing file structure.
Thanks!!!
It worked!!
Dear all,
this is my working setup:
1- create a user Home Assistant and define a password;
2- configure the add-on with the user & password, with anonymous off and active as true:
{
"logins": [
{
"username": "my user",
"password": "my password"
}
],
"anonymous": false,
"customize": {
"active": true,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
3- Create “mosquitto” folder in /share
4- Create two files there: acl.conf and accesscontrollist
5- In acl.conf add line
6- acl_file /share/mosquitto/accesscontrollist
7- In accesscontrollist add these 2 lines:
user my user
topic readwrite #
Log output:
1552422490: New client connected from 10.0.0.157 as sensore07 (c1, k10, u'my user').
1552422490: |-- mosquitto_auth_unpwd_check(my user)
1552422490: |-- ** checking backend http
1552422490: |-- url=http://127.0.0.1:8080/login
1552422490: |-- data=username=my user&password=user password&topic=&acc=-1&clientid=[INFO] found on local database
1552422492: |-- getuser(my user) AUTHENTICATED=1 by http
I did exactly that and I can’t get it to work. I’ve gone back to active false and it works perfectly. Setup files exactly like you show.
Here’s my setup which worked before and after the update:
{
"logins": [],
"anonymous": false,
"customize": {
"active": false,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
I create a new home assistant user and password. Those credentials are what my mqtt clients use to authenticate to the broker.
There is no mqtt: config. I went to configuration > integrations and the broker was discovered by HA. I checked the box for mqtt discovery and hit submit.
I don’t touch any ACL files.
Everything works.
Yeah but if you try and use active: true it falls in a heap… There’s also a lot of noise in the logs…
I put full logs and stuff here https://community.home-assistant.io/t/acl-with-mqtt-broker-4-1-hass-io/
I haven’t found a need for restricting topics using acl I guess. I don’t have a lot of mqtt devices so there may be some benefit I am missing.
I was more interested in eliminating the shit flooding the logs… my MQTT isn’t exposed externally anyway
We were on mosquitto 1.4 and this is 1.5.6 https://mosquitto.org/blog/
I think the logs have seen more changes and become more verbose through all the versions we have…missed.
Interesting. A bugfix in 1.5.8 is possibly relevant to the issue I’m seeing…
Yes I just noticed that too because I was skimming older updates and working backwards.
- Fix clients being disconnected when ACLs are in use. This only affects the case where a client connects using a username, and the anonymous ACL list is defined but specific user ACLs are not defined. Closes #1162.
I tagged @pvizeli in the other thread… hopefully he can shed some light on it.
I am using a Home Assistant User and someone else said they have it working if they define a local user for MQTT… Dunno… I always assume I’m screwing something up but maybe not.
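Added example, not part of any post in this thread and not the add-on's own code: a small Python check for the acl_file created in the steps earlier in the thread, which also reports the case described in the quoted 1.5.8 changelog entry (a client username with no user section while anonymous rules exist). The sample ACL text and the client names are constructed, and `pattern` lines are not evaluated.

```python
ACCESS = {"read", "write", "readwrite", "deny"}

def parse_acl(text):
    """Split acl_file text into anonymous topic rules and per-user rules."""
    anon, users, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = rest  # rest of the line, so "my user" stays one name
            users.setdefault(current, [])
        elif keyword == "topic":
            first, _, tail = rest.partition(" ")
            if first in ACCESS and tail.strip():
                rule = (first, tail.strip())
            else:
                rule = ("readwrite", rest)  # access type omitted: read/write
            # topic lines before the first "user" line apply to anonymous clients
            (anon if current is None else users[current]).append(rule)
    return anon, users

def review_acl(text, client_usernames):
    """Return findings for an ACL file and the usernames clients log in with."""
    anon, users = parse_acl(text)
    findings = []
    for name, rules in users.items():
        for access, topic in rules:
            if topic == "#" and access in ("write", "readwrite"):
                findings.append(f"user {name!r}: '{access} #' allows publishing to every topic")
    for name in client_usernames:
        if name not in users:
            if anon:
                findings.append(f"client {name!r}: no user section while anonymous rules exist")
            else:
                findings.append(f"client {name!r}: no user section in this file")
    return findings

# Constructed sample; "my user" follows the placeholder used in the thread.
SAMPLE_ACL = """\
# constructed sample
topic read $SYS/#

user my user
topic readwrite #

user oven
topic write tele/oven/#
topic read cmnd/oven/#
"""

if __name__ == "__main__":
    for finding in review_acl(SAMPLE_ACL, ["my user", "oven", "kitchen"]):
        print(finding)
```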
Finally v4.1 works!!
My MQTT devices use user & password, I was crazy touching conf file and customize files, rebooting, changing over and over…
Mosquitto Browser add-on config set as default:
{
"logins": [],
"anonymous": false,
"customize": {
"active": false,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
Don’t need to create custom files.
And you need to create your MQTT users in ‘Configuration -> Users’ section. Restart Mosquitto Browser add-on and voila!
EDIT:
Same solution as @cogneato
Good God I don’t think I’ve ever had a good experience from hitting the Update button for a Hassio addon.
I also updated to 4.1, lost all MQTT control, ensured I had the config set correctly (set up a user, correct configuration.yaml, used the Integrations page etc) but no joy.
Thankfully I had a snapshot to restore 4.0, so I’m back in business. Will wait 6 - 8 weeks upon the next addon update before I proceed with the update myself.
The addon works exactly like it did before unless you try and use the acl and set active to true… then it falls in a hole unless you are using a local user for some reason.
I have the below configuration, if I put on a device the HASSIO users/password (those setup under Configuration/Users) as MQTT user/password, the device is not connecting
Is this a bug? (I know I should not use “”, but I have a couple of devices already flashed like this and for me is very difficult to reflash them)
{
"logins": [
{
"username": "",
"password": ""
},
{
"username": "test",
"password": "test"
}
],
"anonymous": true,
"customize": {
"active": true,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
This is the HASSIO log:
1552645215: New connection from 192.168.1.3 on port 1883.
1552645215: |-- mosquitto_auth_unpwd_check(xxxx)
1552645215: |-- ** checking backend http
1552645215: |-- url=http://127.0.0.1:8080/login
1552645215: |-- data=username=xxxx&password=xxxx&topic=&acc=-1&clientid=
1552645215: |-- http req fail url=http://127.0.0.1:8080/login re=Couldn't connect to server
1552645215: |-- url=http://127.0.0.1:8080/login
Strange thing is that if I put the User/Password (of Configuration/User) also in the HASSIO Addon config, I receive a different error, but still an error
{
"logins": [
{
"username": "",
"password": ""
},
{
"username": "test",
"password": "test"
},
{
"username": "xxx",
"password": "yyy"
}
],
"anonymous": true,
"customize": {
"active": true,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
log
1552645566: New connection from 192.168.1.3 on port 1883.
1552645566: |-- mosquitto_auth_unpwd_check(xxx)
1552645566: |-- ** checking backend http
1552645566: |-- url=http://127.0.0.1:8080/login
1552645566: |-- data=username=xxx&password=yyy&topic=&acc=-1&clientid=
/bin/auth_srv.sh: line 37: LOCAL_DB["${username}"]: bad array subscript
2019/03/15 11:26:06 socat[36] E waitpid(): child 37 exited with status 1
1552645870: |-- http req fail url=http://127.0.0.1:8080/login re=Server returned nothing (no headers, no data)
1552645870: |-- getuser(test) AUTHENTICATED=0 by none
1552645870: |-- getuser(test) AUTHENTICATED=N HAS_ERROR=Y => ERR_UNKNOWN
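Added example, not from the posters or the add-on: the debug lines above carry the submitted password in the `data=` field, so this Python helper masks it before a log is shared and summarises which users were accepted, rejected, or hit a backend error. The sample lines are constructed in the same format, and it assumes the password value ends at the next `&`.

```python
import re

PASSWORD = re.compile(r"(password=)[^&]*")
GETUSER = re.compile(r"getuser\((.*?)\) AUTHENTICATED=([01]) by (\w+)")
HTTP_FAIL = re.compile(r"http req fail url=(\S+) re=(.*)")

def triage(log_text):
    """Mask passwords and summarise auth results from auth-plugin debug lines."""
    scrubbed = []
    summary = {"accepted": [], "rejected": [], "backend_errors": []}
    for line in log_text.splitlines():
        # Mask first, so nothing stored or printed later still holds the secret.
        line = PASSWORD.sub(r"\1<redacted>", line)
        scrubbed.append(line)
        if m := GETUSER.search(line):
            key = "accepted" if m.group(2) == "1" else "rejected"
            summary[key].append((m.group(1), m.group(3)))
        elif m := HTTP_FAIL.search(line):
            summary["backend_errors"].append((m.group(1), m.group(2).strip()))
    return "\n".join(scrubbed), summary

# Constructed sample in the format of the logs posted in this thread.
SAMPLE = """\
1552645566: |-- mosquitto_auth_unpwd_check(alice)
1552645566: |-- data=username=alice&password=s3cret value&topic=&acc=-1&clientid=
1552645870: |-- http req fail url=http://127.0.0.1:8080/login re=Server returned nothing (no headers, no data)
1552645870: |-- getuser(alice) AUTHENTICATED=0 by none
1552645871: |-- data=username=bob&password=hunter2&topic=&acc=-1&clientid=
1552645872: |-- getuser(bob) AUTHENTICATED=1 by http
"""

if __name__ == "__main__":
    clean, result = triage(SAMPLE)
    print(clean)
    print(result)
```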
You don’t need to reflash them to change the username and password… in any case, most likely, your problem is that you have active set to true… try false and delete the username/password as you have anonymous setup.
Then, put in a real username and password in everything!
With the below configuration in HASSIO (keeping mqtt username/password as “” in the devices) they connect, but the commands are not sent/received
{
"logins": [],
"anonymous": true,
"customize": {
"active": false,
"folder": "mosquitto"
},
"certfile": "fullchain.pem",
"keyfile": "privkey.pem"
}
If I use in the device my Configuration/User password (xxx/yyy) I receive another type of error
1552653357: New client connected from 192.168.1.176 as oven (c1, k10, u'xxx').
1552653357: |-- mosquitto_auth_acl_check(..., client id not available, xxx, tele/oven/LWT, MOSQ_ACL_WRITE)
1552653357: |-- url=http://127.0.0.1:8080/superuser
1552653357: |-- data=username=xxx&password=&topic=&acc=-1&clientid=
1552653357: |-- aclcheck(xxx, tele/oven/LWT, 2) SUPERUSER=Y by http
1552653357: |-- Cached [49BB42F66FDED0458ABA68CE158C9B794D5375FF] for (client id not available,xxx,2)
What happens if you configure one of the switches with a Home Assistant user? (The one you use to login to Home Assistant)?