OwnTracks and Mosquitto Private Broker with TLS

I used the RaspPi AIO installer for Home Assistant and am now trying to get mosquitto running with TLS enabled to eventually use with OwnTracks. I would like my location information to be as secure as possible. I do have SSL set up for http, I’m not sure if this is affecting things.

I decided to generate self-signed certificates. I used the shell script at the bottom of the OwnTracks TLS page to generate certificates. Here is the direct link to the script.

I downloaded the shell script to /home/pi/Download/mosquitto_certs. Then un-commented and edited the HOSTLIST setting to include my Home Assistant URL. then ran the script with sudo bash ./generate-CA.sh. This generated ca.crt, ca.key, ca.srl, raspberrypi.crt, raspberrypi.csr, and raspberrypi.key.

Then I made a directory in /etc/mosquitto called certs.
sudo mkdir /etc/mosquitto/certs

Then I changed to that directory.
cd /etc/mosquitto/certs
And copied ca.crt, ca.key, raspberrypi.crt, and raspberrypi.key to the certs folder. Then gave permission to mosquitto to access those files.
sudo chown mosquitto:mosquitto *

Next, I edited the pre-made mosquitto.conf that must have been included with the AIO installer.
sudo nano /etc/mosquitto/mosquitto.conf

Here are the edits I made to that file:
Lines 134-138:

# Port to use for the default listener.
#port 1883
port 8883
#listener 8883
protocol websockets

Lines 189-196:

cafile /etc/mosquitto/certs/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/raspberrypi.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/raspberrypi.key

Line 203:

tls_version tlsv1

Line 212:

require_certificate true

Line 217:

use_identity_as_username true

Now, I need to generate client certificates for Home Assistant.
cd /home/pi/Downloads/mosquitto_certs
sudo bash ./generate-CA.sh client hass
Which generated hass.crt, hass.csr, and hass.key.
I created a new directory to store these certs for Home Assistant.
sudo mkdir /home/hass/.homeassistant/certs
cd /home/hass/.homeassistant/certs
Then I copied the three files generated for hass to this new directory and gave permission to hass to access them.
sudo chown hass:hass *

This is what I added to my Home Assistant configuration for Home Assistant.

mqtt:
  broker: 127.0.0.1
  port: 8883
  client_id: home-assistant-1
  username: !secret mqtt_user
  password: !secret mqtt_password
  client_key: /home/hass/.homeassistant/certs/hass.key
  client_cert: /home/hass/.homeassistant/certs/hass.crt

And then for OwnTracks:

device_tracker:
  platform: owntracks
  max_gps_accuracy: 200

When I reboot the Raspberry Pi, Home Assistant shows this error:

16-09-13 22:43:49 homeassistant.components.device_tracker: Error setting up platform owntracks
Traceback (most recent call last):
  File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/device_tracker/__init__.py", line 146, in setup_platform
    if not platform.setup_scanner(hass, p_config, tracker.see):
  File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/device_tracker/owntracks.py", line 235, in setup_scanner
    mqtt.subscribe(hass, LOCATION_TOPIC, owntracks_location_update, 1)
  File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/mqtt/__init__.py", line 177, in subscribe
    MQTT_CLIENT.subscribe(topic, qos)
  File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/mqtt/__init__.py", line 351, in subscribe
    _raise_on_error(result)
  File "/srv/hass/hass_venv/lib/python3.4/site-packages/homeassistant/components/mqtt/__init__.py", line 449, in _raise_on_error
    raise HomeAssistantError('Error talking to MQTT: {}'.format(result))
homeassistant.exceptions.HomeAssistantError: Error talking to MQTT: 1

Not sure what is wrong. Any help would be appreciated, and I’ll definitely update some documentation if we can get this figured out!

I also enabled logging for mosquitto with log_level 16. Here is the output of the log file. It looks like Home Assistant is trying to connect repeatedly but is getting SSL errors.

pi@raspberrypi:~ $ cat /tmp/mosquitto.log
1473872715: mosquitto version 1.4.9 (build date 2016-08-15 13:41:01-0400) starting
1473872715: Config loaded from /etc/mosquitto/mosquitto.conf.
1473872715: Opening websockets listen socket on port 8883.
1473872744: SSL_accept failed 1 / error:00000001:lib(0):func(0):reason(1)
1473872744: SSL_accept failed skt 7: error:00000001:lib(0):func(0):reason(1)
1473872744: close: just_kill_connection
1473872744: not calling back closed
1473872744: SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
1473872750: close: just_kill_connection
1473872750: not calling back closed
1473872754: SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
1473872755: SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
1473872755: SSL_accept failed skt 8: error:00000005:lib(0):func(0):DH lib
1473872755: close: just_kill_connection
1473872755: not calling back closed
1473872755: SSL_accept failed 1 / error:00000001:lib(0):func(0):reason(1)
1473872755: SSL_accept failed skt 7: error:00000001:lib(0):func(0):reason(1)
1473872755: close: just_kill_connection
1473872755: not calling back closed
1473872756: SSL_accept failed 2 / error:00000002:lib(0):func(0):system lib
1473872757: SSL_accept failed 1 / error:00000001:lib(0):func(0):reason(1)
1473872757: SSL_accept failed skt 7: error:00000001:lib(0):func(0):reason(1)
1473872757: close: just_kill_connection
1473872757: not calling back closed
1473872757: SSL_accept failed 5 / error:00000005:lib(0):func(0):DH lib
1473872757: SSL_accept failed skt 8: error:00000005:lib(0):func(0):DH lib
1473872757: close: just_kill_connection
1473872757: not calling back closed

I tried using the MQTT protocol instead of websockets by changing the protocol line in the mosquitto.conf file. That still doesn’t work but returns different errors in the mosquitto.log.

pi@raspberrypi:~ $ cat /tmp/mosquitto.log
1473873042: mosquitto version 1.4.9 (build date 2016-08-15 13:41:01-0400) starting
1473873042: Config loaded from /etc/mosquitto/mosquitto.conf.
1473873042: Opening ipv4 listen socket on port 8883.
1473873042: Opening ipv6 listen socket on port 8883.
1473873073: New connection from 127.0.0.1 on port 8883.
1473873073: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1473873073: Socket error on client <unknown>, disconnecting.
1473873078: New connection from 127.0.0.1 on port 8883.
1473873085: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1473873085: Socket error on client <unknown>, disconnecting.
1473873085: New connection from 127.0.0.1 on port 8883.
1473873086: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1473873086: Socket error on client <unknown>, disconnecting.
1473873086: New connection from 127.0.0.1 on port 8883.
1473873086: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1473873086: Socket error on client <unknown>, disconnecting.
1473873086: New connection from 127.0.0.1 on port 8883.
1473873087: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1473873087: Socket error on client <unknown>, disconnecting.

I know it may sound like an stupid question, however, did you updated/changed the values from the script from owntracks.org site to your own custom settings?..

@aleg305 The only thing I changed in the generate-CA.sh file was the HOSTLIST variable. I un-commented it and added the URL I use to access Home Assistant.
For Example:

HOSTLIST="homeassistant.duckdns.org"

This issue seems potentially related.
https://github.com/home-assistant/home-assistant/issues/2389

Is this working? i tried and getting error

‘Error talking to MQTT: {}’.format(mqtt.error_string(result)))
homeassistant.exceptions.HomeAssistantError: Error talking to MQTT: Out of memory.

update:
I noticed port 1883 and changed it to port 8883 instead, rebooted raspberry
I still get error : Connection refused

any hep would be appreciated. thanks.

Does anyone found a solution for this?
I have the same problem even I’m using the latest versions of Home Assistant and Mosquitto.

I have setup up an extra listener on Mosquitto. This is a minimum config for Mosquito to work via TLS and port 8883 to the outside world and via port 1883 without TLS in the home network. Connect HA to port 1883 and your devices to port 8883 and your public ip-address.

# Config file for mosquitto
#
# Port to use for the default listener.
bind_address 192.168.1.10
port 8883
protocol mqtt

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
cafile /pathto/ca.pem
certfile /pathto/cert.pem
keyfile /pathto/privkey.pem

# =================================================================
# Extra listeners
# =================================================================
listener 1883 192.168.1.10
protocol mqtt

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
password_file /pathto/passwd

In configuration.yaml I have for MQTT and Owntracks:

# Set debug logging on to see if it is working
logger:
  default: info
  logs:
    homeassistant.components.device_tracker: debug
    homeassistant.components.mqtt: debug

# MQTT Broker
mqtt:
  broker: 192.168.1.10
  port: 1883
  username: !secret mqtt_username
  password: !secret mqtt_password
  discovery: true
  discovery_prefix: owntracks

# Owntrack
owntracks:
  max_gps_accuracy: 200
  waypoints: true
  mqtt_topic: "owntracks/#"
  events_only: false

The logger entry let you see some results in the HA logfile, remove the debug lines when you have it working.