Publishing data to MQTT broker using only a certificate

Hello!

I am running Home Assistant OS on a virtual machine and I am running into an issue with the MQTT broker that I am unable to overcome. I have two kinds of devices posting data to the broker:

  • Tasmota devices using port 1883 and username/password authentication
  • a kind of custom device using port 8883 which requires certificates and no username/password authentication

The Tasmota devices are working fine, but I cannot get the custom device to work. The log file is showing this error all over:

1659523426: New connection from 31.210.232.54:40391 on port 8883.
error: received null username or password for unpwd check

I am aware that a recent change in the MQTT broker enables username/password authentication by default, but I don’t seem able to disable it even by adding allow_anonymous true in an additional .conf file.
It should be possible to publish data using only certificate and without username/password, right?

To make sure that my certificates and setup are fine, I started an MQTT broker on a RPi and it is working fine. I know it is overdoing it, but could I bridge both brokers so Home Assistant can read the data published by the custom device?

Thanks.

I don’t think this works. I had suggested it on a GitHub issue as a workaround but in testing it didn’t work, anonymous logins aren’t supported by the addon.

However, before you go down the road of bridging, quick question. Does the second device actually require that it be able to connect anonymously? Or is it expecting you to give it a client certificate? Because if it’s the latter, that’s not necessarily an anonymous login; mosquitto supports using client certificates as an alternative form of authentication (the CN on the certificate becomes the username).

Here’s a guide I found useful when looking into client certificates:

For the three options mentioned at the top:

  • require_certificates - this addon option with the same name sets this field
  • use_identity_as_username - this is the one that tells mosquitto to use the certificate as auth. You will need to provide this via customization, there is no addon option for it
  • crlfile - this is optional. You’ll need to set it via customization if you want it but start without it.

I will note that although I got client certificates working I did not do the next step of use_identity_as_username because I didn’t need to. So I’m not sure if there are any challenges. But it is supported by mosquitto, so it seems worth a shot before attempting to run two brokers and bridging.

However, before you go down the road of bridging, quick question. Does the second device actually require that it be able to connect anonymously? Or is it expecting you to give it a client certificate?

The second device is using a certificate (its configuration defines ca, client certificate and key) but is unable to send username/password. The certificate part works flawlessly when I set up an MQTTS broker in a RPi, but I cannot make it work on HA.

I have also seen the use_identity_as_username setting, and it also works fine with the RPi MQTT broker. But right now, I am not even able to customize the HA MQTT broker to add that… As soon as I set customize.active to true and add a .conf file in the /share/mosquitto folder, the broker cannot even start because it tries to listen twice on port 1883…

I have this configuration file:

logins: []
require_certificate: true
certfile: homeassistant-broker.crt
keyfile: homeassistant-broker.key
customize:
  active: true
  folder: mosquitto
cafile: ca.crt

The .conf file (homeassistant-broker.conf) only has this line, but after restarting the add-on, the log just shows this:

[17:04:22] INFO: Starting mosquitto MQTT broker...
1659539062: Loading config file /share/mosquitto/homeassistant-broker.conf
1659539062: Warning: Mosquitto should not be run as root/administrator.
1659539062: mosquitto version 2.0.11 starting
1659539062: Config loaded from /etc/mosquitto/mosquitto.conf.
1659539062: Loading plugin: /usr/share/mosquitto/go-auth.so
1659539062:  ├── Username/password checking enabled.
1659539062:  ├── TLS-PSK checking enabled.
1659539062:  └── Extended authentication not enabled.
1659539062: Opening ipv4 listen socket on port 1883.
1659539062: Opening ipv6 listen socket on port 1883.
1659539062: Opening websockets listen socket on port 1884.
1659539062: Opening ipv4 listen socket on port 8883.
1659539062: Opening ipv6 listen socket on port 8883.
1659539062: Opening websockets listen socket on port 8884.
1659539062: Opening ipv4 listen socket on port 1883.
1659539062: Error: Address already in use
[17:04:22] INFO: Successfully send discovery information to Home Assistant.
[17:04:23] INFO: Successfully send service information to the Supervisor.

Can you share the conf file you have put in the customize folder? It seems like you may have copied and pasted an entire mosquitto.conf file. If so, that won’t work. The files you put in that folder are included within the existing mosquitto.conf file of the addon like so:

The expectation is that your conf file(s) would contain a few additions. Like for example I think in your case the conf file would just have this and nothing else:

use_identity_as_username true

The addon does not have an option to use an entirely custom mosquitto.conf file. The expectation is that anyone that needs that much customization should host their own broker and not use the addon.

Sure, I believe this should be correct:

$ ls -l /share/mosquitto/
-rw-r--r--    1 root     root            30 Aug  3 17:02 homeassistant-broker.conf
$ cat /share/mosquitto/homeassistant-broker.conf 
use_identity_as_username true

And the add-on configuration is the one I posted when submitting the question:

logins: []
require_certificate: true
certfile: homeassistant-broker.crt
keyfile: homeassistant-broker.key
customize:
  active: true
  folder: mosquitto
cafile: ca.crt

As soon as I set customize.active: false then the message Error: Address already in use disappears.

I wouldn’t mind doing this, but can I have HA polling data from two different MQTT brokers?
For instance, I want to keep the HA add-on with the username/password authentication for the tasmota devices. That is working fine, no need to touch it.
If I use the RPi MQTTS broker for this device that requires client certificate, how can I configure the HA add-on to subscribe to this second broker as well?

Oh, this is my bad, that option won’t work here. The reason is because of where customize is included in mosquitto.conf. It is included above the definition for the listeners, but if you look in here, use_identity_as_username is an option for a listener. Which in retrospect makes sense; this option obviously doesn’t apply to the 1883 listener as that’s not even using SSL.

This was actually bugging me. I had tried to use this option once and didn’t understand why it wasn’t working. I thought it was because of the authentication plugin at the time. Now that I know, I decided to add it as an option to the addon since it’s pretty simple:
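As an added illustration of the two points made in this thread, that the customization files are included before the add-on's own listeners and that use_identity_as_username is a listener option, the checker below (example code written for this page, not the add-on's or the thread's) parses mosquitto configuration text, tracks which listener each directive belongs to, and reports listener-scoped TLS options that appear with no preceding listener line. The one-line customization fragment from the thread is flagged; a constructed self-hosted broker configuration with separate 1883 and 8883 listeners, using placeholder file paths, passes. The option set follows the listener-specific options in mosquitto.conf(5); the config layout and paths are assumptions.

```python
# Added example, not from the thread or the Mosquitto add-on: a small checker
# for mosquitto configuration text. It tracks which listener each directive
# belongs to and reports the TLS/client-certificate options that mosquitto
# only accepts per listener when they show up before any "listener" line.

# Options mosquitto documents as listener-specific (mosquitto.conf(5)).
LISTENER_SCOPED = {
    "cafile", "capath", "certfile", "keyfile", "crlfile",
    "require_certificate", "use_identity_as_username",
    "use_subject_as_username", "tls_version", "ciphers",
}


def parse_config(text):
    """Yield (scope, option, value) for each directive in a config text.

    scope is "global" until a "listener <port> [bind]" line is seen and
    "listener:<port>" for every directive that follows it.
    """
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = line.split(None, 1)
        option = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if option == "listener":
            port = value.split()[0] if value else "?"
            scope = "listener:" + port
        yield scope, option, value


def misplaced_listener_options(text):
    """Return listener-only options that appear outside any listener block."""
    return [opt for scope, opt, _ in parse_config(text)
            if scope == "global" and opt in LISTENER_SCOPED]


def listener_settings(text):
    """Map each listener port to the listener-scoped options declared under it."""
    settings = {}
    for scope, opt, value in parse_config(text):
        if scope == "global":
            continue
        port = scope.split(":", 1)[1]
        settings.setdefault(port, {})
        if opt in LISTENER_SCOPED:
            settings[port][opt] = value
    return settings


# Constructed input: the one-line customization file from the thread. The add-on
# includes it before its own listeners, so the option lands in global scope.
CUSTOMIZE_FRAGMENT = "use_identity_as_username true\n"

# Constructed input: a self-hosted broker config (hypothetical paths) with a
# username/password listener on 1883 for the Tasmota devices and a TLS listener
# on 8883 that authenticates clients by certificate, CN used as the username.
STANDALONE_CONFIG = """
# password_file and allow_anonymous are global here (per_listener_settings off)
allow_anonymous false
password_file /mosquitto/config/passwd

# Plain MQTT for the Tasmota devices
listener 1883

# TLS listener: client certificate required, certificate CN becomes the username
listener 8883
cafile /mosquitto/certs/ca.crt
certfile /mosquitto/certs/broker.crt
keyfile /mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
"""

if __name__ == "__main__":
    print("customization fragment:", misplaced_listener_options(CUSTOMIZE_FRAGMENT))
    print("standalone config:", misplaced_listener_options(STANDALONE_CONFIG))
    for port, opts in listener_settings(STANDALONE_CONFIG).items():
        print(port, opts)
```

Running the script reports use_identity_as_username as misplaced for the customization fragment and nothing for the standalone config, whose 8883 listener carries the certificate options while 1883 carries none. In mosquitto 2.x a listener-scoped option written before any listener line is taken as belonging to the broker's implicit default listener on port 1883, which is consistent with the second attempt to bind port 1883 in the log earlier in the thread.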