Notes on MQTT and Mosquitto

TODO

  • [ ] Check how the broker (Mosquitto) manages the data
  • [ ] Check the security with SSL
  • [ ] Check the authentication
  • [ ] Check WPS for authentication
  • [x] Wait for DNS to propagate and create the cert using certbot for mosquitto.wimp.today
  • [ ] Assess all possibilities of security

MQTT

security concerns

AWS

  • The public IP of an instance is reset when it is STOPPED
  • Use an Elastic IP, which is paid

Mosquitto

Mosquitto is the message broker that implements MQTT.

Setup Mosquitto server

Mosquitto versions

adduser mosquitto
# requirements for ubuntu
apt-get update
apt-get install build-essential libwrap0-dev libssl-dev libc-ares-dev uuid-dev xsltproc
# download and install
cd /home/mosquitto
wget http://mosquitto.org/files/source/mosquitto-VERSION.tar.gz
tar xvzf mosquitto-VERSION.tar.gz
cd mosquitto-VERSION
make
make install
# configure dynamic linker run-time bindings (the install went to /usr/local)
/sbin/ldconfig
# create the config directory and the user for mosquitto (the password file)
mkdir -p /etc/mosquitto
mosquitto_passwd -c /etc/mosquitto/pwfile MY_USER
# persistence directory, owned by the user the broker drops privileges to
mkdir -p /var/lib/mosquitto/
chown -R mosquitto:mosquitto /var/lib/mosquitto/
# config file
vim /etc/mosquitto/mosquitto.conf
# run
mosquitto -c /etc/mosquitto/mosquitto.conf

mosquitto.conf (see docs):

listener 8883
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
allow_anonymous false
password_file /etc/mosquitto/pwfile
# extra options
tls_version tlsv1.3
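The config above sets allow_anonymous false and a password_file, but a listener on port 8883 only speaks TLS once certfile and keyfile are set; until then the port number is cosmetic and passwords cross the wire in cleartext. The following script is an added example, not part of these notes, that audits a flat mosquitto.conf (no include_dir, one listener, both assumed) for exactly those points. The three sample configs are constructed: the first mirrors the notes' config, the second adds assumed certificate paths, the third is a deliberately open broker.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a flat mosquitto.conf for the
# settings that decide whether the broker is reachable anonymously or in cleartext.
# Assumptions: no include_dir, a single listener; sample configs below are constructed.

audit_mosquitto_conf() {
    conf="$1"
    findings=0
    # comments and blank lines removed once, so every check sees the same view
    body=$(sed 's/#.*//' "$conf" | sed '/^[[:space:]]*$/d')

    # has_opt NAME VALUE_PREFIX: true if an option line "NAME VALUE..." exists
    has_opt() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1[[:space:]]+$2"; }

    # 1. anonymous clients: 'true' is a finding, and so is no setting at all,
    #    because Mosquitto 1.x defaults allow_anonymous to true
    if has_opt allow_anonymous true; then
        echo "FINDING: allow_anonymous true"; findings=$((findings + 1))
    elif ! has_opt allow_anonymous false; then
        echo "FINDING: allow_anonymous not set (defaults to true on Mosquitto 1.x)"; findings=$((findings + 1))
    fi

    # 2. with anonymous access off, a credential source must exist
    if ! has_opt password_file ''; then
        echo "FINDING: no password_file, nobody can authenticate"; findings=$((findings + 1))
    fi

    # 3. port 8883 does not make a listener TLS: without certfile and keyfile the
    #    listener speaks plain MQTT, and passwords cross the wire in cleartext
    if has_opt listener '' && ! { has_opt certfile '' && has_opt keyfile ''; }; then
        echo "FINDING: listener without certfile/keyfile (cleartext MQTT)"; findings=$((findings + 1))
    fi

    # 4. tls_version, when set, must be tlsv1.2 or tlsv1.3
    tlsv=$(printf '%s\n' "$body" | awk '$1 == "tls_version" { print $2 }' | tail -n 1)
    case "$tlsv" in
        ''|tlsv1.2|tlsv1.3) ;;
        *) echo "FINDING: weak tls_version $tlsv"; findings=$((findings + 1)) ;;
    esac

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# finding_count FILE: number of FINDING lines (0 when the config is clean)
finding_count() { audit_mosquitto_conf "$1" | grep -c '^FINDING' || true; }

# constructed sample 1: the listener block from these notes (no certfile/keyfile yet)
NOTES_CONF=$(mktemp)
cat > "$NOTES_CONF" <<'EOF'
listener 8883
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
password_file /etc/mosquitto/pwfile
tls_version tlsv1.3
EOF

# constructed sample 2: same, with certificate files set (assumed paths)
TLS_CONF=$(mktemp)
cat > "$TLS_CONF" <<'EOF'
listener 8883
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.pem
allow_anonymous false
password_file /etc/mosquitto/pwfile
tls_version tlsv1.3
EOF

# constructed sample 3: an open broker, anonymous and cleartext
OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
listener 1883
allow_anonymous true
EOF

audit_mosquitto_conf "$NOTES_CONF" || echo "notes config: TLS files still missing"
audit_mosquitto_conf "$TLS_CONF"   && echo "tls config: clean"
audit_mosquitto_conf "$OPEN_CONF"  || echo "open config: do not expose this"
```

Run it against /etc/mosquitto/mosquitto.conf after each change; a non-zero exit means at least one finding was printed. The check for a missing allow_anonymous line matters on the 1.x source builds described in these notes, where the default is permissive.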

Server running after boot

sudo vim /etc/systemd/system/mosquitto.service

[Unit]
Description=Mosquitto server.
After=network.target

[Service]
ExecStart=/usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

[Install]
WantedBy=multi-user.target

# then fix the permissions and enable the unit
sudo chmod 644 /etc/systemd/system/mosquitto.service
sudo systemctl enable mosquitto

Mosquitto with CertBot

The DNS A record must point to the server IP.

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
sudo ufw allow 80 # or 443
sudo certbot certonly --standalone --preferred-challenges http -d MY_SERVER_DNS
  • TODO: check problems when using port 443
  • TODO: add automatic renew of the certs
  • TODO: make it work
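Mosquitto starts as root and drops to the mosquitto user, and the private key certbot writes under /etc/letsencrypt is readable by root only, so the broker cannot read the Let's Encrypt files in place. The script below is an added example, not part of these notes or of certbot, showing the usual fix: a deploy hook that copies the renewed chain and key into a directory owned by the broker user with tight permissions. The destination /etc/mosquitto/certs and the hook path are assumptions; the dry run at the bottom uses scratch directories and constructed placeholder PEM files so it works without root.

```shell
#!/bin/sh
# Added example, not part of the original notes. Mosquitto drops root and runs as
# the 'mosquitto' user, which cannot read certbot's private key under /etc/letsencrypt
# (root-only), so each renewal must copy the chain and key somewhere that user owns.
# Assumed layout: /etc/mosquitto/certs as destination, broker restarted afterwards.
#
# Production use (assumed hook path /usr/local/bin/mosquitto-certs.sh, a script that
# calls  install_mosquitto_certs "$RENEWED_LINEAGE" /etc/mosquitto/certs mosquitto
# and then  systemctl restart mosquitto):
#   certbot certonly --standalone -d MY_SERVER_DNS --deploy-hook /usr/local/bin/mosquitto-certs.sh
# certbot runs the hook after every successful issue/renewal with RENEWED_LINEAGE set
# to the live directory of the renewed certificate.

install_mosquitto_certs() {
    live_dir="$1"    # certbot lineage dir, e.g. /etc/letsencrypt/live/MY_SERVER_DNS
    dest_dir="$2"    # directory the broker reads from, e.g. /etc/mosquitto/certs
    owner="$3"       # user the broker runs as, e.g. mosquitto

    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "install_mosquitto_certs: $live_dir/$f missing or unreadable" >&2
            return 1
        fi
    done

    mkdir -p "$dest_dir"
    # write the new files under a restrictive umask, then move them into place, so the
    # key is never world-readable and the broker never opens a half-written file
    (
        umask 077
        cp "$live_dir/fullchain.pem" "$dest_dir/fullchain.pem.new" &&
        cp "$live_dir/privkey.pem"   "$dest_dir/privkey.pem.new"
    ) || return 1
    chown "$owner" "$dest_dir/fullchain.pem.new" "$dest_dir/privkey.pem.new" || return 1
    chmod 644 "$dest_dir/fullchain.pem.new"   # the chain is public
    chmod 600 "$dest_dir/privkey.pem.new"     # the key is for the broker user only
    mv "$dest_dir/fullchain.pem.new" "$dest_dir/fullchain.pem" &&
    mv "$dest_dir/privkey.pem.new"   "$dest_dir/privkey.pem"
}

# is_world_readable FILE: prints "yes" or "no" (POSIX find -perm, no GNU stat needed)
is_world_readable() {
    if [ -n "$(find "$1" -perm -004)" ]; then echo yes; else echo no; fi
}

# self-contained dry run on scratch directories with constructed placeholder PEM files;
# the owner is the current user so this works without root
DEMO_LIVE=$(mktemp -d)
DEMO_DEST=$(mktemp -d)/certs
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$DEMO_LIVE/fullchain.pem"
printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$DEMO_LIVE/privkey.pem"
chmod 600 "$DEMO_LIVE/privkey.pem"
install_mosquitto_certs "$DEMO_LIVE" "$DEMO_DEST" "$(id -un)" && echo "installed into $DEMO_DEST"
```

With the copies in place, the listener in mosquitto.conf points at /etc/mosquitto/certs/fullchain.pem (certfile) and /etc/mosquitto/certs/privkey.pem (keyfile); the deploy hook keeps them current on every renewal, which is what the "automatic renew" TODO above needs.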

Publishing

see docs
  • Example: mosquitto_pub -h SERVER -p 8883 -V mqttv5 -i sensor-test --tls-version tlsv1.3 -t 'TOPIC' -m "My msg" -u USER -P PASS
  • SERVER: the IP address of the server
  • TOPIC: the topic you want to publish to (see best practices)
  • MESSAGE (-m): MQTT imposes a maximum payload size of 268435455 bytes.
  • The payload limit can be modified
  • Check the Will (last will) message option

Subscribing

see docs

Misc