[SOLVED] Home Assistant keeps getting rejected by Mosquitto (MQTT) within a Docker setup

Hi everyone,

I’ve started a bit early on my New Year resolution of converting my new house into a smart home. I’ve been spending the last few days tinkering with Home Assistant on my Raspberry Pi 3B in a Docker environment.

After learning about the need for a specific Raspberry Pi Docker image to run Home Assistant, I got everything up and running. Next mission, using the Mosquitto MQTT broker.

Fairly easily, that was up and running as well. My initial tests with

mosquitto_sub -h 192.168.1.240 -v -t "/homeassistant/test" -u "rugaard" -P "secret"

connect smoothly and look nice and pretty in the logs.

But as soon as I set up Home Assistant to connect to Mosquitto (by following the official docs), it keeps getting Connection Refused: not authorised, and in the Mosquitto logs it looks like it’s because it tries to connect with incorrect auth (or without auth):

1546249748: mosquitto version 1.5.5 starting
1546249748: Config loaded from /mosquitto/config/mosquitto.conf.
1546249748: Opening ipv4 listen socket on port 1883.
1546249748: Opening ipv6 listen socket on port 1883.
1546249761: New connection from 192.168.1.240 on port 1883.
1546249761: Socket error on client <unknown>, disconnecting.

And the Home Assistant logs print the following:

2018-12-31 09:49:21 ERROR (Thread-2) [homeassistant.components.mqtt] Unable to connect to the MQTT broker: Connection Refused: not authorised.

I’m really confused as to how this can happen when I’m using the exact same username and password in Home Assistant as I did in my initial test with mosquitto_sub, where it worked perfectly.

I’ve searched Google thin and tried all kinds of solutions here in the Home Assistant community. None of them with any hint of success.

My Home Assistant configuration for MQTT looks like this (followed the official docs):

mqtt:
  broker: 192.168.1.240
  client_id: home-assistant
  keepalive: 60
  username: !secret mqtt_username
  password: !secret mqtt_password

And my docker-compose.yml file looks like this:

version: '2.1'
services:
  homeassistant:
    container_name: home-assistant
    image: homeassistant/raspberrypi3-homeassistant
    depends_on:
      mosquitto:
        condition: service_started
    volumes:
      - /home/pi/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    network_mode: host
    healthcheck:
      test: ["CMD", "curl", "-f", "http://192.168.1.240:8123"]
      interval: 30s
      timeout: 10s
      retries: 6
    restart: on-failure
  mosquitto:
    container_name: mqtt
    image: eclipse-mosquitto
    user: 1000:1000
    volumes:
      - /srv/docker/mosquitto/config:/mosquitto/config
      - /srv/docker/mosquitto/data:/mosquitto/data
      - /srv/docker/mosquitto/log:/mosquitto/log
      - /etc/localtime:/etc/localtime:ro
    network_mode: host
    restart: on-failure

I’ve tried removing the network_mode: host and used ports instead as was mentioned as a solution in this post: https://community.home-assistant.io/t/solved-docker-mqtt-mosquitto-setup-what-am-i-missing/87381

But since my problem isn’t connecting to the broker, but rather authenticating, I’m not sure what to do.

Any help or suggestions are MUCH appreciated!

Happy new year everyone :slight_smile:

// Rugaard

Are you sure your mosquitto broker requires authentication? Is a password file specified in the config and, if it is, do you have anything in it?

Yes, I’ve set the allow_anonymous to false.

This is my entire mosquitto.conf file:

# PID location inside Docker image.
pid_file /var/run/mosquitto.pid

# Persist mosquitto data.
persistence true
persistence_file mosquitto.db
persistence_location /mosquitto/data/

# Only allow authenticated requests.
allow_anonymous false
password_file /mosquitto/config/passwd

# Logging.
log_dest stdout
log_dest file /mosquitto/log/mosquitto.log
log_type all
log_timestamp true
connection_messages true

# Port to use for the default listener.
port 1883
protocol mqtt

# Port to use for WebSockets.
listener 9001
protocol websockets

And there is one user in the /mosquitto/config/passwd file:

rugaard:$6$yfCX4kUZU8XmvPjo$9YDFp1qa+cjQgd7z9H0Q8XhyDB4Xttwf+NUImcZU4GZtBDw3k2wsoyVr3s/V54IVYTTFkXfZWJvX4FTbZcnaId==

And like I said, it works fine with authentication when I use the mosquitto_sub command outside of Home Assistant. But when Home Assistant tries, the connection fails :frowning:

Next point of failure is your secrets file having wrong info.

Happened to me the other day, I accidentally pasted in a wrong password and spent an hour debugging.

I’ve made sure of that as well. Even tried hardcoding the credentials into the mqtt: section, to avoid using secrets. But all for nothing.

I’m close to just throwing in the towel. But I don’t want to. I’m not the type of guy that gives up :scream:

Why do you need passwords for your broker? Are you exposing MQTT to the internet?

Not at the moment. But you never know? :smile: I just don’t think you can be too careful when it comes to security and especially when it’s something that connects a lot of stuff in my home.

I don’t see that unencrypted passwords are really going to help your security. Anybody knowledgeable enough to break into your network is going to be able to snoop and see your passwords anyway, if that is what they want to do.

I’ll no doubt add SSL to the whole setup once I’ve got it all up and running. So in the end it’ll be encrypted. Just don’t see the point of it, when it’s not even fully operational yet :slight_smile:

If it works with anonymous access then you know it’s the user and password’s fault.

I tried setting allow_anonymous to true and removed the credentials from the Home Assistant configuration.yml file.

And voila, it worked. So like you said, it must be something regarding my password. Which got me looking into how the mosquitto_passwd command actually generates the encoded password.

I found out that it uses bcrypt and that was where it hit me. I generated the password outside of the container, which means it would most likely have used a different salt than inside the Docker container.

I jumped into the running container, executed the mosquitto_passwd command to generate a new password.

And eureka :tada: now Home Assistant successfully connects with username and password! :smile:

Thanks for all the help and suggestions!!

Happy new year! :clinking_glasses::fireworks::sparkler:

4 Likes
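
An added example, not part of any post in this thread: a way to test a username and password against a password_file entry offline, rather than regenerating the file by trial and error. It assumes the Mosquitto 1.x `$6$` layout seen in the entry quoted above (base64 salt, then base64 SHA-512 of the password followed by the salt); the helper names and the sample salt, users and passwords are constructed.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample values (not taken from the thread).
SAMPLE_SALT = bytes(range(12))  # a 12-byte salt encodes to 16 base64 characters


def make_entry(user, password, salt):
    """Build a '$6$' password_file line under the layout assumed here."""
    digest = hashlib.sha512(password.encode() + salt).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"{user}:$6${b64(salt)}${b64(digest)}"


def check_entry(line, user, password):
    """Classify one line: match, mismatch, other-user, unrecognised, malformed."""
    name, sep, field = line.strip().partition(":")
    if not sep or not name:
        return "malformed"
    if name != user:
        return "other-user"
    parts = field.split("$")
    # A hashed field splits into ['', '6', <base64 salt>, <base64 digest>].
    if len(parts) != 4 or parts[0] != "" or parts[1] != "6":
        return "unrecognised"  # plaintext (never hashed) or a different scheme
    try:
        salt = base64.b64decode(parts[2], validate=True)
        stored = base64.b64decode(parts[3], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if len(stored) != hashlib.sha512().digest_size:
        return "malformed"
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return "match" if hmac.compare_digest(candidate, stored) else "mismatch"


def check_file(text, user, password):
    """Return the verdict for `user`, or 'no-such-user' if no line names them."""
    for line in text.splitlines():
        verdict = check_entry(line, user, password) if line.strip() else "other-user"
        if verdict != "other-user":
            return verdict
    return "no-such-user"


if __name__ == "__main__":
    sample = make_entry("alice", "s3cret", SAMPLE_SALT) + "\nbob:plaintext-pw\n"
    for user, pw in [("alice", "s3cret"), ("alice", "S3cret"), ("bob", "plaintext-pw")]:
        print(user, check_file(sample, user, pw))
```

A "mismatch" verdict means the stored hash was produced from a different password string than the one the client sends; "unrecognised" means the line was never hashed or uses another scheme.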

I run HA in Docker and I have two instances of MQTT brokers running: one outside of Docker directly on the host machine that I used before my old venv days and one in a container using the eclipse-mosquitto image.

I also have two HA instances running in separate Docker containers and each is connected to one of the MQTT brokers.

I don’t remember ever having to go into the container to generate the passwords to get them to connect. They pretty much just worked as soon as I set them up.

Precisely my issue. For me, the HA integration was able to connect but my router wasn’t. Changed the password and that also connected fine. Thanks a lot.