MQTT Mosquitto & zigbee2mqtt

Dear community,
I have flashed a CC2531 usb stick so that I would be able to listen to my Xiaomi sensors without using the proprietary gateway.
From what I understand, I first need to install the Mosquitto add-on MQTT Broker. And this is where I am in trouble. I installed it, it runs but the logs are not looking good:
1583822718: New connection from 172.30.32.1 on port 8883.
1583822718: OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
1583822718: Socket error on client <unknown>, disconnecting.
1583822719: Client connection from 172.30.32.1 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

I have hassio and it is open externally using DuckDNS.
While debugging, I have made the mistake of deleting the automatically generated MQTT user and even after uninstalling and installing back the add-on, it is not there anymore.
I have put the default configuration within the add-on settings and I don’t know what to do to make it work.

Thanks for your help!

I have this setup and let’s see if I can help you get this working (I’m not at all a supertechie). In terms of the user to use, I have created a new user specifically for this and it works. See below the user settings (administrator):

Things we can check and compare:

  • Did you set up Mosquitto properly in the add-ons? I have the below:
logins:
  - username: myuser
    password: mypassword
anonymous: false
customize:
  active: false
  folder: mosquitto
certfile: fullchain.pem
keyfile: privkey.pem
require_certificate: false
  • Did you configure Zigbee2mqtt right? Here is my config:
data_path: /share/zigbee2mqtt
devices: '[]'
groups: groups.yaml
homeassistant: true
permit_join: false
mqtt:
  base_topic: zigbee2mqtt
  server: 'mqtt://homeassistant'
  user: myuser  # same as mosquitto
  password: mypassword  # same as mosquitto
serial:
  port: /dev/ttyUSB0
  disable_led: false
advanced:
  log_level: info
  rtscts: false
  pan_id: 6754
  channel: 11
  network_key:
    - 1
    - 3
    - 5
    - 7
    - 9
    - 11
    - 13
    - 15
    - 0
    - 2
    - 4
    - 6
    - 8
    - 10
    - 12
    - 13
  availability_blacklist: []
ban: []
whitelist: []
queue: {}
socat:
  enabled: false
  master: 'pty,raw,echo=0,link=/dev/ttyZ2M,mode=777'
  slave: 'tcp-listen:8485,keepalive,nodelay,reuseaddr,keepidle=1,keepintvl=1,keepcnt=5'
  restartdelay: 1
  initialdelay: 1
  options: '-d -d'
  log: false

Hi!
Thank you for your answer.
For Mosquitto MQTT, I set up as you did but I still have the same issue:

I see you disabled ports 1883 and 1884 which I have enabled and it uses that port. Just type 1883 on the field where it now shows disabled for you.

In my case it connects over that port:

Thank you @Piggyback, it works well now!
But the reason I did that initially is this, in the Mosquitto doc. Is it safe to leave 1883 and 1884 open?

Disable listening on insecure (1883) ports

Remove the ports from the add-on page network card (set them as blank) to disable them.

Great to hear! If you do not keep your ports exposed externally through your router, it should be safe in my opinion. If you want to use the other ports, likely the setup to use those has to be changed in Zigbee2MQTT and you need SSL active on it. Haven't tried that myself.

Just checked the zigbee2mqtt documentation and in the zigbee config you do indicate the port to be used. By default it is 1883:

mqtt:
  # Required: MQTT base topic for zigbee2mqtt MQTT messages
  base_topic: zigbee2mqtt
  # Required: MQTT server URL (use mqtts:// for SSL/TLS connection)
  server: 'mqtt://localhost:1883'

How do I know which ones are open and which ones are not?
Is it also possible to restrict some users to only local access? For example, I would like my MQTT user not to be accessible from the internet.

Actually, I just removed the 1883 and 1884 ports in Mosquitto MQTT addon.
Here is a part of the log after restarting the addon. It still opens the ports…

1583928191: Opening ipv4 listen socket on port 1883.
1583928191: Opening ipv6 listen socket on port 1883.
1583928191: Opening websockets listen socket on port 1884.

Then, in zigbee2mqtt addon, I do not know what to type in the URL.
I tried mqtts://localhost:8883 and mqtts://homeassistant:8883 but it does not connect to it…
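
An added example, not part of the original posts: a small audit of the Mosquitto log lines quoted in this thread. It lists the listeners the broker opened and flags clients that sent non-TLS data to a TLS port, which is what the "wrong version number" error typically indicates (for example an mqtt:// client pointed at 8883). The port layout in `PLAINTEXT_PORTS` and the function name `audit` are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the log lines quoted in this thread, one entry per line.
SAMPLE_LOG = """\
1583822718: New connection from 172.30.32.1 on port 8883.
1583822718: OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
1583822718: Socket error on client <unknown>, disconnecting.
1583822719: Client connection from 172.30.32.1 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
1583928191: Opening ipv4 listen socket on port 1883.
1583928191: Opening ipv6 listen socket on port 1883.
1583928191: Opening websockets listen socket on port 1884.
"""

# Assumption: the add-on's usual layout (1883/1884 plaintext, 8883/8884 TLS).
PLAINTEXT_PORTS = {1883, 1884}

LINE = re.compile(r"^(\d+): (.*)$")
CONN = re.compile(r"New connection from (\S+) on port (\d+)")
LISTEN = re.compile(r"Opening (ipv4|ipv6|websockets) listen socket on port (\d+)")


def audit(log_text):
    """Return (listeners, plaintext_listeners, tls_mismatches) from a Mosquitto log."""
    listeners, mismatches, last_conn = set(), [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = int(m.group(1)), m.group(2)
        if (lis := LISTEN.search(msg)):
            listeners.add((lis.group(1), int(lis.group(2))))
        elif (conn := CONN.search(msg)):
            last_conn = (conn.group(1), int(conn.group(2)))
        elif "wrong version number" in msg and last_conn:
            # The peer's first bytes were not a TLS record; report it once
            # per connection (the follow-up "failed" line is skipped).
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            mismatches.append((when, *last_conn))
            last_conn = None
    plaintext = sorted({p for _, p in listeners if p in PLAINTEXT_PORTS})
    return sorted(listeners), plaintext, mismatches


if __name__ == "__main__":
    listeners, plaintext, mismatches = audit(SAMPLE_LOG)
    print("listeners:", listeners)
    print("plaintext listeners still open:", plaintext)
    for when, ip, port in mismatches:
        print(f"{when}: {ip} sent non-TLS data to TLS port {port}")
```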

If you use mqtts I would expect you need some kind of certificate. I have not tried it, nor am I too worried about it as I did not open the port on my router to be NAT forwarded, so the port is only used within my LAN.

Anyway, you have a way that works now and can play around or search the forum to get mqtts working if you really want to!

I’m facing the exact same issue when using a completely different add-on (nothing to do with zigbee).
Setup description:

  • current (113.3) homeassistant
  • DuckDNS for LetsEncrypt cert management
  • Mosquitto MQTT broker add-on v.5.1

When using another add-on to connect to Mosquitto via mqtts on port 8883 I get the same error message. When using mqtt on port 1883 all’s well.
A detailed description of how to enable secure mqtt communication would be really appreciated.