SSL Support for mcsMQTT
  • SSL Support for mcsMQTT

    With 3.2.16.0 encryption support was added. I am a novice with encryption and to my knowledge do not have a way to test it. This thread is set up for me to learn and for others to provide feedback on using it with a broker that supports encryption.

    The General Tab adds three user entries. One is for the SSL level with 4 secure options available. There is an entry for the caCert file path and an entry for the Client cert file path.

    I have evaluated that the UI works to enter these items and they are used when setting up the connection to the broker. I have confirmed that dummy files for the certificates generate a cryptography error (as expected). In this case a non-secure connection is attempted, which may or may not succeed based upon the broker port entered.

  • #2
    Still in learning mode here with Node Red.

    Will give it a try with my newest test 1-wire RPi2 hub.


    (screenshot attached)
    - Pete

    Auto mator
    Homeseer 3 Pro - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e 64 bit Intel CPU - Mono 5.20
    Homeseer Zee2 (Lite) - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e BeeLink 4Gb BT3 Pro - Mono 5.20

    X10, UPB, Zigbee, ZWave and Wifi MQTT automation.



    • #3
      Configured the RPi Node Red / MQTT with encryption. Should I write a step by step for this here?

      It took about 5 minutes. Put the mcsMQTT certs in the /Homeseer/sslcert directory.

      I do not see the General Tab three user entries in V.3.2.16.0 and just noticed a 3.2.16.1 update.

      Disabled and re-enabled the plugin and see the entries now.

      Node Red / MQTT lets you put in locations or browse and upload the certs.

      (screenshot attached)

      Was able to put in the caCert (pem) and client cert (crt), username and password.

      Red Node MQTT still shows connecting (not connected)
      Last edited by Pete; April 12th, 2018, 05:20 PM.
      - Pete




      • #4
        Yes, instructions on how to setup Mosquitto for encryption would be useful.
        Where did you get the files that you used for "Put the mcsMQTT certs in the /Homeseer/sslcert directory."
        The screenshot you are showing has "None" for encryption and no entries for the two certificate files.



        • #5
          Just noticed that this is for using test.mosquitto.org port 8884.

          Rewriting ...

          need:

          You need three files:

          1. client.key
          2. client.crt
          3. server cert

          The image is incorrect.

          (screenshot attached)
          - Pete




          • #6
            You can get the mosquito.org.crt via ssh doing a

            wget mosquito.org.crt
            to what does one ssh into?
            what address is mosquito.org.crt suppose to resolve? Is it mosquitto or mosquito?

            Note the port is 8884 per the site that issues the certs



            • #7
              mosquito.org.crt is for use with the internet.

              That said you just need a local server cert which I did and it remains in a connecting state on Node Red. Here are the steps.

              Mosquitto SSL Configuration -MQTT TLS Security

              Overview of Steps
              1. Create a CA key pair
              2. Create CA certificate and use the CA key from step 1 to sign it.
              3. Create a broker key pair don’t password protect.
              4. Create a broker certificate request using key from step 3
              5. Use the CA certificate to sign the broker certificate request from step 4.
              6. Now we should have a CA key file, a CA certificate file, a broker key file, and a broker certificate file.
              7. Place all files in a directory on the broker e.g. certs
              8. Copy the CA certificate file to the client.
              9. Edit the Mosquitto conf file to use the files (details below)
              10. Edit the client script to use TLS and the CA certificate (details below)


              (screenshot attached)

              The connecting piece is good. If I change anything in the set up then it shows disconnected.

              I did not edit the /etc/mosquitto/mosquitto.conf file (not sure that I need to)

              root@ICS-Stretch175:/etc/mosquitto# ls
              ca_certificates certs conf.d mosquitto.conf

              and there are no certs in the ca_certificates directory.

              Thinking in Node Red all of this stuff is stored in the Node Red directories.
              Last edited by Pete; April 12th, 2018, 08:52 PM.
              - Pete


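Steps 1 to 6 of the overview above, carried out with openssl, plus the listener stanza for step 9. This is an added example rather than commands from the thread; it assumes openssl is installed, that the first argument is the output directory and the second is the hostname clients will use to reach the broker (file names ca.key, ca.crt, broker.key, broker.crt are this example's choice).

```shell
#!/bin/sh
# Added example (not the thread's own commands): steps 1 to 6 with openssl,
# plus the listener stanza for step 9. Assumed: openssl is installed, $1 is the
# output directory, $2 is the hostname clients will use for the broker.
set -eu

make_broker_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Steps 1 and 2: CA key pair and a self-signed CA certificate in one command.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Home MQTT CA" 2>/dev/null
  # Step 3: broker key pair, deliberately without a passphrase so mosquitto
  # can start unattended instead of prompting for a PEM pass phrase.
  openssl genrsa -out "$dir/broker.key" 2048 2>/dev/null
  # Step 4: certificate request; the CN must be the name clients connect to.
  openssl req -new -key "$dir/broker.key" -out "$dir/broker.csr" -subj "/CN=$host" 2>/dev/null
  # Step 5: sign the request with the CA, adding a SAN so strict verifiers accept it.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/broker.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/san.cnf" -out "$dir/broker.crt" 2>/dev/null
  # Step 6: the four files now exist; private keys readable only by the owner.
  chmod 600 "$dir/ca.key" "$dir/broker.key"
}

# The broker certificate must chain to the CA file that clients are given (step 8).
cert_chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/broker.crt" 2>/dev/null | grep -q ': OK$'
}

# Step 3 check: an encrypted PEM key carries an ENCRYPTED marker and would make
# mosquitto ask for a pass phrase at startup.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# Step 9: the listener block for /etc/mosquitto/conf.d/ pointing at the files.
listener_conf() {
  printf 'listener 8883\ncafile %s/ca.crt\ncertfile %s/broker.crt\nkeyfile %s/broker.key\ntls_version tlsv1.2\n' \
    "$1" "$1" "$1"
}

# Usage when run directly: ./mqtt-certs.sh ./certs mqtt.home.lan
if [ "$#" -eq 2 ]; then
  make_broker_certs "$1" "$2"
  cert_chains_to_ca "$1" && key_is_unencrypted "$1/broker.key" && listener_conf "$1"
fi
```

The printed stanza goes into a file under /etc/mosquitto/conf.d/ and ca.crt is the file handed to each client as its caCert.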


              • #8
                MQTT Mosquitto broker with SSL/TLS transport security

                Hello,
                This here : https://primalcortex.wordpress.com/2...port-security/ could be or may not be about the topic at hand but may apply.


                Apologies if it's off topic!


                Eman.
                The Closer.



                • #9
                  Originally posted by Michael McSharry View Post
                  With 3.2.16.0 encryption support was added. I am a novice with encryption and to my knowledge do not have a way to test it. This thread is set up for me to learn and for others to provide feedback on using it with a broker that supports encryption.

                  The General Tab adds three user entries. One is for the SSL level with 4 secure options available. There is an entry for the caCert file path and an entry for the Client cert file path.

                  I have evaluated that the UI works to enter these items and they are used when setting up the connection to the broker. I have confirmed that dummy files for the certificates generate a cryptography error (as expected). In this case a non-secure connection is attempted, which may or may not succeed based upon the broker port entered.
                  Connected fine here in TLS1_2 mode. Haven't tried it with a client cert yet, I can gen one up and see. I'm guessing you're expecting a PEM with both the crt and key?
                  I'm running the MQTT broker in dual port mode so it supports both 1883 and 8883 (secure and non-secure devices). Now if I can just get the ESP32 WifiClientSecure going I'll be set

                  Z



                  • #10
                    Just an FYI, here are the instructions I used when I set up my mosquitto broker on Ubuntu. They were easy to follow and informative. There has been a change with Let's Encrypt: the instruction "sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d mqtt.example.com" has been deprecated and you must use preferred challenges now.

                    https://www.digitalocean.com/communi...n-ubuntu-16-04
                    If it ain't broke, don't fix it!



                    • #11
                      I ran across the blog of the author of the M2Mqtt.Net.dll that I use with mcsMQTT. It gives a description of the process to setup Mosquitto and generate certificates. I have not got all the way through it. This should be a good reference for those who are asking questions about what is expected by mcsMQTT. It does appear that DER format is expected by mcsMQTT.

                      http://www.embedded101.com/Blogs/Pao...squitto-broker



                      • #12
                        This morning updated to 3.2.18.0 of the plugin.

                        That said I followed the M2Mqtt.Net.dll link relating to encryption and it did not work for me with the Node Red 1-wire message broker.

                        That said, though, I was at a point with Red Node where the status showed connecting while never connecting, using other documented Node Red encryption for MQTT.

                        Using the above referenced link I do not see it trying to connect (only disconnect shows up in Node Red).

                        Guessing right now that if I went to a pure MQTT connection using Python I would not have these issues.

                        So for the time being I disabled encryption and all is fine right now with the RPi2 / Stretch / Node-Red / OWFS 1-wire network.

                        I have added more sensors to said network - a mixture of temperature, Midon combo (12VDC), Hobby Boards combo (5VDC) and AAG combo (parasitic) sensors. (ethernet wired)

                        I do have MQTT running now on a micro combo router using OpenWRT (so I can test wireless / wired connections) and will be using Python for these devices.
                        - Pete




                        • #13
                          I tried a combination of the m2mqtt.net.dll author's blog and Pete's Mosquitto encryption link and did not have success either. The mcsMQTT debug output shows the Mosquitto broker rejected the connection due to authorization. The Mosquitto log shows
                          Code:
                          1523712749: New connection from 192.168.0.200 on port 8883.
                          1523712751: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
                          1523712751: Socket error on client (null), disconnecting.
                          Being a novice with encryption I do not have insight with what I did not setup correctly. I did get Mosquitto to start with the modified mosquitto.conf file and it asked for the PEM pass phrase so it looks as if I have something reasonable there.
                          Code:
                          # Place your local configuration in /etc/mosquitto/conf.d/
                          #
                          # A full description of the configuration file is at
                          # /usr/share/doc/mosquitto/examples/mosquitto.conf.example
                          
                          pid_file /var/run/mosquitto.pid
                          
                          persistence true
                          persistence_location /var/lib/mosquitto/
                          
                          log_dest file /var/log/mosquitto/mosquitto.log
                          port 1883
                          listener 8883
                          cafile /usr/local/HomeSeer/Certs/m2mqtt_ca.crt
                          keyfile /usr/local/HomeSeer/Certs/m2mqtt_srv.key
                          certfile /usr/local/HomeSeer/Certs/m2mqtt_srv.crt
                          tls_version tlsv1.2
                          
                          
                          include_dir /etc/mosquitto/conf.d
                          Before this approach I tried LetsEncrypt, which seems to want a domain and a server on that domain. I used mcsSprinklers.com, but it is hosted elsewhere so the challenge failed. I did not get past that.
                          Last edited by Michael McSharry; April 14th, 2018, 08:48 AM.

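A way to read the Mosquitto log excerpt above: the "wrong version number" error from SSL3_GET_RECORD means the first bytes the TLS listener received were not a TLS record, which is what a client sending plain MQTT (encryption set to None) to port 8883 produces, and the "Socket error" line is the broker dropping that socket. The script below is an added example, not from the thread; it pairs each OpenSSL error with the preceding "New connection" line so the client address and port are reported. SAMPLE_LOG is constructed here in the format of the quoted lines.

```shell
#!/bin/sh
# Added example, not from the thread: pairs each OpenSSL error in a Mosquitto
# log with the "New connection" line before it, so the failing client's address
# and listener port are reported. SAMPLE_LOG is constructed in the format of
# the lines quoted above (epoch-second timestamps, one event per line).
set -eu

SAMPLE_LOG='1523712749: New connection from 192.168.0.200 on port 8883.
1523712751: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1523712751: Socket error on client (null), disconnecting.
1523712800: New connection from 192.168.0.57 on port 1883.
1523712800: New client connected from 192.168.0.57 as nodered (c1, k60).'

# Reads a Mosquitto log on stdin and prints one line per TLS handshake failure.
# "wrong version number" from SSL3_GET_RECORD means the first record the
# listener received was not TLS at all: typically a client configured with
# encryption "None" (plain MQTT) pointed at the TLS port, which mosquitto
# then drops with the "Socket error" line that follows.
tls_failures() {
  awk '
    /New connection from/ { peer = $5; port = $8; sub(/\.$/, "", port) }
    /OpenSSL Error/ {
      cause = "unclassified OpenSSL error"
      if ($0 ~ /wrong version number/)
        cause = "plaintext (non-TLS) record on TLS listener"
      printf "peer=%s port=%s cause=%s\n", peer, port, cause
    }'
}

# Runs the classifier over the constructed sample so the script works stand-alone.
sample_failures() {
  printf '%s\n' "$SAMPLE_LOG" | tls_failures
}

sample_failures
```

On a live broker, feed /var/log/mosquitto/mosquitto.log to tls_failures; a port 1883 connection that succeeds produces no line because no OpenSSL error follows it.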


                          • #14
                            Last edited by mwolter; April 14th, 2018, 11:06 AM.



                            • #15
                              Yes here only using self signed certs for my testing and only testing Mosquitto indoors with no communication to the Internet and currently only using Node Red / MQTT / RPi-1Wire only for testing.

                              The examples I have seen for using Red Node MQTT relate to using the mosquitto dot org test site and indoor Arduinos and Python scripts.

                              @Michael...btw on my Linux HS3 Pro box seeing this file: HomeSeerDatamcsMQTTmcsMQTT Debug.txt being written to the root drive with one line of text

                              4/14/2018 5:54:23 AM 5 | HS Request Name

                              and the /HomeSeer/Data/mcsMQTT/mcsMQTT Debug.txt correctly updated.

                              4/14/2018 11:47:59 AM 84739392 | ActoOnMessageFor Trigger Topic 10.A147E9000800/temperature,Payload=70.6
                              4/14/2018 11:47:59 AM 84739491 | Update Accepted 2183 to 39.3
                              4/14/2018 11:47:59 AM 84739500 | HSEvent Do= False VALUE_CHANGE for Device 2183
                              4/14/2018 11:47:59 AM 84739511 | ActoOnMessageFor Trigger Topic 26.F372E7000000/humidity,Payload=39.3

                              Here disabled the Node Red MQTT security and used the above mentioned mosquitto.conf on my test RPi2.

                              It sort of worked in Node Red giving me the connecting message...

                              Testing with Node Red I was just encrypting the temperature sensors and not the humidity sensors.

                              Using the Mosquitto configuration file it encrypts all of the Mosquitto stuff.
                              Last edited by Pete; April 14th, 2018, 01:02 PM.
                              - Pete

