I’m trying to set up MQTT with Home Assistant, but it doesn’t want to work. I’m running Mosquitto broker (not add-on) with configured SSL/TLS, but with require_certificate set to false, since I want encryption, but not necessarily having to hand out certificate files to each client. I have also set a username and password authentication. I have tested this with a mobile app and two devices, and all checks out good (I can publish something on one device and the other device that is subscribed to that topic receives the message).
In Home Assistant I have added this code to configuration.yaml
and respectively username and password to the secrets.yaml file.
Now here comes the weird part. In the mosquitto log I can see
New connection from 192.168.0.245 on port 8883.,
but when I try to publish something from the MQTT tab in the Developer Tools the value doesn’t change. The same goes when I try to subscribe to a topic. When I publish to it from another device, Home Assistant doesn’t see any changes. I can confirm that the message has in fact been published with the second device.
I also tried to add a binary sensor to confirm that something is working, with this added to configuration.yaml
I’m running Home Assistant 0.107.3 with Hass.io as a Docker Container on a Raspberry Pi 3 B+. My Python version is 3.7.6, not sure that it would change anything. The MQTT broker is running on the same machine. What am I doing wrong?
Ok, so I checked and a couple of things are happening. Home Assistant seems to connect to the broker but doesn’t register as a client. By that I mean that I do receive
New connection from 192.168.0.245 on port 8883. ,
but nothing after that. My phone, on the other hand, does this
New connection from 192.168.0.246 on port 8883. New client connected from 192.168.0.246 as MqttDashboard-56921 (c1, k60, u'user').
Moreover, I seem to get these errors
OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number Socket error on client <unknown>, disconnecting.
A quick Google search didn’t help. I tried to set the TLS version on both Home Assistant and Mosquitto to 1.2, without any luck. I also tried adding a constant clientID, but it still didn’t work.
Turns out you MUST include a certificate file in configuration.yaml. The certificate you include is the same file you included in mosquitto.conf as a certfile. To avoid accessibility issues, I suggest you place a copy in the same directory that configuration.yaml resides in. Then under mqtt: add certification: yourfile.crt (I don’t think that the cert file extension matters). I’m still tracking down some issues involving self-signed certificates but I’ll keep looking for the answers or open a new thread for it. But anyway, I’m closing this thread.
Edit: I’m stupid, this is all wrong, use the guide in post #11
Yes, it still works. I had an SD card failure and after reinstalling the self-signed issues disappeared. My current configuration entry looks like this:
but doesn’t help. For both, the logs of MQTT show that it is finding the cert:
[02:49:40] INFO: Setting up user homeassistant
[02:49:40] INFO: Certificates found: SSL is available
But then the version error on connection:
1626688294: New connection from 172.30.32.1 on port 8883.
1626688294: OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
1626688294: Socket error on client <unknown>, disconnecting.
1626688296: Client connection from 172.30.32.1 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
In Mosquitto you need to supply all 3 (certfile is the server certificate, not the CA; iirc the CA was declared by cafile:)
In configuration.yaml certificate: is the CA cert. You don’t need client_cert: and client_key: if you’ve set Mosquitto with require_certificate: false. The CA cert (certificate:), however, is required.
Yeah, I’m not sure what I was smoking back then.
Steve’s internet guide has made an updated TLS guide, with all of the stuff clearly explained; it’s a good read, if you feel like it. Also, if you want to make it a bit more secure, you can add the domain (and IP addresses) to the cert and remove tls_insecure: false.
Create a configuration file - this you must do on your own, here is an example:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
# extensions (the SANs below) are copied into the request
req_extensions = v3_req
[ dn ]
C = XX
ST = Province
L = City
O = OrgName
CN = domain.local
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
# hostnames go in DNS.n entries, raw IP addresses in IP.n entries;
# clients that connect by IP only match against the IP.n entries
DNS.1 = domain.local
IP.1 = 192.168.0.xxx
What to change?
The dn section is the details of your certificate. Available variables can be found at “What is a Distinguished Name (DN)?” or by googling “distinguished name ssl”.
The alt_names section lists the FQDNs of the sites that the certificate will be used for. This is used by browsers to confirm that a given certificate was meant for a given site.
Save it as server.cnf
Create a certificate request from the configuration file (this is a file containing all the details for a CA to create a server-side certificate; since we are the CA we’ll generate (sign) it ourselves, hence the name self-signed):
$ openssl req -new -config server.cnf -key server.key -out server.csr -extensions v3_req
NOTE:
This uses a workaround due to a bug to get x509v3 extensions working (SANs). By the time this was written the bug was fixed and a solution has been created, but not released.
REPLACE
-extfile server.cnf -extensions v3_req
WITH
-copy_extensions copyall
NOTE2:
When creating your first certificate with the CA use the -CAcreateserial flag; however, if this is not your first cert then use the -CAserial ca.srl option to load your already existing serial file.
Add CA certificate, Server certificate and server key to the mosquitto.conf file (cafile, certfile, keyfile) and require_certificate false. Add CA certificate to configuration.yaml (certificate). You can use certificate based authentication as well - set require_certificate true in mosquitto.conf and add client_cert: and client_key: in configuration.yaml.
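The whole procedure above, run end to end as an added example (this is not the poster’s or the Mosquitto project’s script): a private CA is created, a broker certificate with DNS and IP SANs is requested from a server.cnf shaped like the one above and signed by that CA, and the result is then verified the way a client that is handed only the CA file (Home Assistant’s certificate:) checks it. It assumes openssl (1.1.1 or 3.x) on PATH; every path, hostname and address is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Builds ca.crt (mosquitto.conf cafile and
# Home Assistant certificate:), server.key (keyfile) and server.crt (certfile)
# in $dir. All names, paths and addresses are constructed placeholders.
set -eu

make_mqtt_certs() (
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir" && cd "$dir"
    # CA config: a self-signed root marked as a CA so clients accept the chain
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca_ext\n' > ca.cnf
    printf '[dn]\nCN=Home MQTT CA\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' >> ca.cnf
    printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -config ca.cnf -key ca.key -days 3650 -out ca.crt
    # Broker request config: the hostname is a DNS.n entry, the address an IP.n entry
    cat > server.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = XX
O = OrgName
CN = $host
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config server.cnf -key server.key -out server.csr
    # Sign with the CA; -extfile/-extensions carries the SANs into the certificate.
    # -CAcreateserial is for the first cert; later certs use -CAserial ca.srl.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.cnf -extensions v3_req \
        -out server.crt 2>/dev/null
)

# Succeeds only if server.crt chains to ca.crt AND carries both SANs, i.e. a
# verifying client can connect to the broker by hostname or by IP address.
check_mqtt_certs() {
    dir=$1; host=$2; ip=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    san=$(openssl x509 -in "$dir/server.crt" -noout -text | grep -F 'DNS:' || true)
    printf '%s\n' "$san" | grep -qF "DNS:$host" && printf '%s\n' "$san" | grep -qF "IP Address:$ip"
}
```

Run it as `make_mqtt_certs ./mqtt-pki mqtt.home.local 192.168.0.10 && check_mqtt_certs ./mqtt-pki mqtt.home.local 192.168.0.10`; a failing check means the broker certificate would be rejected by a client that verifies the CA and the name or address it connects to.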
Thanks for the guide, but I’m still not getting a connection over 8883. The only part of your guide I’m not sure on is this part:
I want both 1883 and 8883 enabled, (insecure for LAN traffic, secure for remote MQTT clients over WAN), so I believe I leave out " - set require_certificate true in mosquitto.conf" for this. But I’m not sure what should be in configuration.yaml and mosquitto.yaml.
In HA: Put your CA certificate in /config or any other subfolder of /config. Then in configuration.yaml under mqtt: add certificate: /path/to/cacert. Use certfile: and certkey: only for certificate based authentication (for IoT devices keep away from certificate based auth).
For protected and unprotected use my solution above, but do remember that it’s not secure, as all traffic from encrypted MQTT will be visible on the unencrypted one.
There’s nothing in my mosquitto.conf file. None of the guides have included it. I definitely have no idea how to have two servers, let alone linked. Can you share your MQTT broker setup and .conf?
And all of the guides have said to leave out the mqtt: block from configuration.yaml, since it’s in the integration now. I’m fine with the homeassistant mqtt client using insecure to talk to the mqtt broker, since they are on the same network. But I want the mqtt clients that are connected through the WAN to be encrypted, such as my sprinkler controller in a different city. Right now I can’t get clients on the LAN or from the WAN to connect to the MQTT broker with 8883, so my broker settings are wrong probably?
Putting the mqtt: block in configuration.yaml stopped the insecure traffic from working (1884), and did not fix the secure problem (8883).
Sorry for all the questions, I’m lost on this one.
Could you please send me the part that you’ve used in your config.yaml (mqtt part) and MQTT add-on config with the names used in your example config?
I’m new to this certificate stuff and I’m not clear what fullchain, privkey… are. You mention that we need 3 files, but in config.yaml (or at least the thing that I’ve read) only 2 files are mentioned.