[SOLVED] Home Assistant keeps getting rejected by Mosquitto (MQTT) within a Docker setup

Hi everyone,

I’ve started a bit early on my New Year resolution of converting my new house into a smart home. I’ve been spending the last few days tinkering with Home Assistant on my Raspberry Pi 3B in a Docker environment.

After learning about the need for a specific Raspberry Pi Docker image to run Home Assistant, I got everything up and running. Next mission, using the Mosquitto MQTT broker.

Fairly easy that was up and running as well. My initial tests with

mosquitto_sub -h -v -t "/homeassistant/test" -u "rugaard" -P "secret"

connects smoothly and looks nice and pretty in the logs.

But as soon as I setup Home Assistant to connect to the Mosquitto (by following the official docs) it keeps getting Connection Refused: not authorised and in the Mosquitto logs it looks like it’s because it tries to connect with an incorrect auth (or without auth):

1546249748: mosquitto version 1.5.5 starting
1546249748: Config loaded from /mosquitto/config/mosquitto.conf.
1546249748: Opening ipv4 listen socket on port 1883.
1546249748: Opening ipv6 listen socket on port 1883.
1546249761: New connection from on port 1883.
1546249761: Socket error on client <unknown>, disconnecting.

And the Home Assistant logs prints the following:

2018-12-31 09:49:21 ERROR (Thread-2) [homeassistant.components.mqtt] Unable to connect to the MQTT broker: Connection Refused: not authorised.

I’m really confused to how this can happen, when I’m using the exact same username and password in Home Assistant, as I did in my initial test with mosquitto_sub where it worked perfectly.

I’ve searched Google thin and tried all kinds of solution here in the Home Assistant community. None of them with any hint of success.

My Home Assistant configuration for MQTT looks like this (follwed the official docs)

  client_id: home-assistant
  keepalive: 60
  username: !secret mqtt_username
  password: !secret mqtt_password

And my docker-compose.yml file looks like this:

version: '2.1'
    container_name: home-assistant
    image: homeassistant/raspberrypi3-homeassistant
        condition: service_started
      - /home/pi/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    network_mode: host
      test: ["CMD", "curl", "-f", ""]
      interval: 30s
      timeout: 10s
      retries: 6
    restart: on-failure
    container_name: mqtt
    image: eclipse-mosquitto
    user: 1000:1000
      - /srv/docker/mosquitto/config:/mosquitto/config
      - /srv/docker/mosquitto/data:/mosquitto/data
      - /srv/docker/mosquitto/log:/mosquitto/log
      - /etc/localtime:/etc/localtime:ro
    network_mode: host
    restart: on-failure

I’ve tried removing the network_mode: host and used ports instead as was mentioned as a solution in this post: https://community.home-assistant.io/t/solved-docker-mqtt-mosquitto-setup-what-am-i-missing/87381

But since my problem isn’t connection to the broker, but rather the authenticating, I’m not sure what to do.

Any help or suggestions is MUCH appreciated!

Happy new year everyone :slight_smile:

// Rugaard

Are you sure your mosquitto broker requires authentication, is a password file specificed in the config and if it is, do you have anything in it?

Yes, I’ve set the allow_anonymous to false.

This is my entire mosquitto.conf file:

# PID location inside Docker image.
pid_file /var/run/mosquitto.pid

# Persist mosquitto data.
persistence true
persistence_file mosquitto.db
persistence_location /mosquitto/data/

# Only allow authenticated requests.
allow_anonymous false
password_file /mosquitto/config/passwd

# Logging.
log_dest stdout
log_dest file /mosquitto/log/mosquitto.log
log_type all
log_timestamp true
connection_messages true

# Port to use for the default listener.
port 1883
protocol mqtt

# Port to use for WebSockets.
listener 9001
protocol websockets

And there one user in the /mosquitto/config/passwd file:


And like I said, it works fine with authentication when I use the mosquitto_sub command outside of Home Assistant. But when Home Assistant tries, the connection fails :frowning:

Next point of failure is your secrets file having wrong info.

Happened to me the other day, I accidentally pasted in a wrong password and spent an hour debugging

I’ve made sure of that as well. Even tried hardcoding the credentials into mqtt: section, to avoid using secrets. But all for nothing.

I’m close to just throw in the towel. But I don’t want to. I’m not the type of guy that gives up :scream:

Why do you need passwords for your broker? Are you exposing MQTT to the internet?

Not at the moment. But you never know? :smile: I just don’t think you can be too careful when it comes to security and especially when it’s something that connects a lot of stuff in my home.

I don’t see that unencrypted passwords are really going to help your security. Anybody knowledgable enough to break in to your network is going to be able to snoop and see your passwords anyway, if that is what they want to do.

I’ll no doubt add SSL to the whole setup once I’ve got it all up and running. So in the end it’ll be encrypted. Just don’t see the point of it, when it’s not even fully operational yet :slight_smile:

If it work with anonymous access then you know it’s the user and password fault

I tried setting allow_anonymous to true and removed the credentials from the Home Assistant configuration.yml file.

And voila, it worked. So like you said, it must be something regarding my password. Which got me looking into how the mosquitto_passwd command actually generates the encoded password.

I found out that it uses bcrypt and that was where it hit me. I generated the password outside of the container, which means it would most like have used a different salt than inside the Docker container.

I jumped into the running container, executed the mosquitto_passwd command to generate a new password.

And eureka :tada: now Home Assistant successfully connect with username and password! :smile:

Thanks for all the help and suggestions!!

Happy new year! :clinking_glasses::fireworks::sparkler:


I run HA in Docker and I have two instances of MQTT brokers running: one outside of Docker directly on the host machine that I used before my old venv days and one in a container using the eclipse-mosquitto image.

I also have two HA instances running in separate Docker containers and each is connected to one of the MQTT brokers.

I don’t remember ever having to go into the container to generate the passwords to get them to connect. They pretty much just worked as soon as I set them up.

Precisely my issue. For me, the HA integration was able to connect but my router wasn’t. Changed the password and that also connected fine. Thanks a lot.