I set up an MQTT broker on a server running Ubuntu 18.04, so here is a work memo.
This article assumes the following:
--The Ubuntu 18.04 server is already installed.
--You are working as a non-root user with sudo privileges.
--You can SSH into the Ubuntu 18.04 server.
--The Ubuntu 18.04 server has a subdomain assigned to it. In this article we assume mqtt.example.com.
--Port 80 is available, that is, no other program is using port 80.
First of all, we will install the programs necessary for the work.
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt install certbot mosquitto mosquitto-clients
Allow port 80 through the firewall.
$ sudo ufw allow 80
Then use Certbot to issue an SSL certificate.
$ sudo certbot certonly --standalone --preferred-challenges http -d mqtt.example.com
mqtt.example.com is just a sample, so use the domain you assigned to the server.
When you run this command, you will be prompted to enter your email address and accept the terms of use. Follow the prompts. If the process is successful, you will see a message indicating where the certificate is stored.
Next, we set up Mosquitto using the certificate issued here.
Username and password authentication is used to secure connections to Mosquitto.
First, create the password file. It is created with the mosquitto_passwd command. your-username is the name used for connection authentication, so choose any name you like.
You will be asked to enter the password twice, so be careful not to make a mistake.
$ sudo mosquitto_passwd -c /etc/mosquitto/passwd your-username
Next, create a Mosquitto configuration file.
$ sudo nano /etc/mosquitto/conf.d/default.conf
Then enter the following text. As before, replace mqtt.example.com with your own domain.
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
Save the file and close it when you are done.
This file configures the following:
--Disable anonymous login
--Use username and password for connection authentication
--Listen on port 8883 for TCP connections over SSL/TLS
--Listen on port 8083 for WebSocket connections over SSL/TLS
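As an added example (not part of the original memo), a small Python checker that reads a configuration in the format above and reports whether the settings this memo relies on are present: anonymous login disabled, a password file, and TLS files on every listener. The embedded sample is the page's own default.conf.

```python
from typing import Dict, List, Tuple

# Constructed sample: the default.conf shown in this memo.
PAGE_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
"""

def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a mosquitto.conf into global options and per-listener blocks.
    Each 'listener' line opens a new block; options after it belong to it."""
    global_opts: Dict[str, str] = {}
    listeners: List[Dict[str, str]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # mosquitto only allows full-line comments
            continue
        key, _, value = line.partition(" ")
        key, value = key.strip(), value.strip()
        if key == "listener":
            current = {"listener": value}
            listeners.append(current)
        else:
            current[key] = value
    return global_opts, listeners

def audit_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the memo's settings are all present."""
    global_opts, listeners = parse_conf(text)
    findings: List[str] = []
    if global_opts.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous is not explicitly false (Mosquitto 1.x defaults to true)")
    if not global_opts.get("password_file"):
        findings.append("no password_file set, so username/password authentication cannot work")
    if not listeners:
        findings.append("no listener defined; only the default plaintext listener on 1883 would exist")
    for lst in listeners:
        port = lst["listener"].split()[0]          # 'listener 8883' or 'listener 8883 0.0.0.0'
        missing = [k for k in ("certfile", "keyfile", "cafile") if k not in lst]
        if missing:
            findings.append(f"listener {port}: no TLS, missing {', '.join(missing)}")
    return findings
```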
Restart Mosquitto with the following command for the settings to take effect.
$ sudo systemctl restart mosquitto
Confirm that it can be started normally with the following command.
$ sudo systemctl status mosquitto
● mosquitto.service - LSB: mosquitto MQTT v3.1 message broker
Loaded: loaded (/etc/init.d/mosquitto; generated)
Active: active (running) since Mon 2018-07-16 15:03:42 UTC; 2min 39s ago
Docs: man:systemd-sysv-generator(8)
Process: 6683 ExecStop=/etc/init.d/mosquitto stop (code=exited, status=0/SUCCESS)
Process: 6699 ExecStart=/etc/init.d/mosquitto start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 1152)
CGroup: /system.slice/mosquitto.service
└─6705 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
Next, set the firewall.
$ sudo ufw allow 8883
$ sudo ufw allow 8083
With this, the Mosquitto setup is complete and you should be able to connect.
However, Let's Encrypt certificates expire, so it is convenient to have them renewed automatically. Set up automatic renewal as follows.
Open the Certbot configuration file with the following command.
$ sudo nano /etc/letsencrypt/renewal/mqtt.example.com.conf
Then add the following line under the [renewalparams] section.
renew_hook = systemctl restart mosquitto
When you're done, save and close the file.
Then check that the renewal configuration has no errors with the following command.
$ sudo certbot renew --dry-run
When you reach this point, check that it works.
For mqtt.example.com, your-username and your-password, enter the values you set earlier.
The following command subscribes to the topic test.
$ mosquitto_sub -h mqtt.example.com -t test -p 8883 --capath /etc/ssl/certs/ -u "your-username" -P "your-password"
Open another window and send a message to the test topic with the following command.
$ mosquitto_pub -h mqtt.example.com -t test -m "hello world" -p 8883 --capath /etc/ssl/certs/ -u "your-username" -P "your-password"
If the message arrives in the subscriber window, the broker is working properly.
That's all for the work. Thank you for your hard work.