MQTT SSL Problems


miso k

Dec 23, 2020, 3:58:31 PM
to weewx-user
Hello,
I am trying to run MQTT through SSL.
Before, everything was working; as soon as I added a Let's Encrypt certificate to my webpage jastrabie.online, the Belchertown skin and weather34 autoupdate stopped working.
The problem is, an HTTPS page can't handle HTTP MQTT; it throws an error.
So I started to reconfigure my MQTT to use SSL. I used this manual from the author of the Belchertown skin: https://obrienlabs.net/how-to-setup-your-own-mqtt-broker/

weewx.conf:
    [[MQTT]]
        server_url = mqtt://pi:<password>@jastrabie.online:8883/
        topic = weather
        unit_system = METRIC
        binding = archive, loop
        aggregation = aggregate
        [[[tls]]]
            tls_version = tlsv1
            ca_certs = /etc/ssl/certs/ca-certificates.crt

tail -f shows this:
WeeWX weewx[18183] ERROR weewx.restx: MQTT: Failed to publish record 2020-12-23 16:47:00 CET (1608738420): Failed upload after 3 tries

When I comment out the whole [[[tls]]] section, MQTT then reports:
Dec 23 16:56:33 WeeWX weewx[19872] ERROR user.mqtt: publish failed for weather/loop: 4
Dec 23 16:56:33 WeeWX weewx[19872] INFO weewx.restx: MQTT: Published record 2020-12-23 16:56:00 CET (1608738960)

If I run:
sudo netstat -tulpn | grep -E '8883|9001'
the result is:
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      3722/mosquitto      
tcp        0      0 0.0.0.0:8883            0.0.0.0:*               LISTEN      3722/mosquitto  

Belchertown skin.conf:
    # MQTT Websockets defaults
    mqtt_websockets_enabled = 1
    mqtt_websockets_host = "192.168.1.17"
    mqtt_websockets_port = 9001
    mqtt_websockets_ssl = 1
    mqtt_websockets_topic = "weather/loop"
    disconnect_live_website_visitor = 1800000


What am I doing wrong?

WeeWX 4.2.0, Belchertown 1.2.0, Raspberry Pi, https://jastrabie.online

Thank you for help!
Miso, Slovakia



Greg Troxel

Dec 23, 2020, 7:55:28 PM
to miso k, weewx-user

Hard to say what's wrong, but use mosquitto_publish to test. I have
the emqtt extension publishing to mqtt/tls just fine and I do not run
mqtt w/o ssl at all.

Turn on logging on the broker, and look with tcpdump.

miso k

Dec 23, 2020, 9:36:27 PM
to weewx-user
Thank you Greg,
so I have tried:
pi@WeeWX:~ $ mosquitto_pub -h localhost -p 8883 -t "weather/test" -m "hello world. this is to the weather topic with authentication" -u "pi" -P "<passwd>" -d
Client mosqpub|24614-WeeWX sending CONNECT
Error: The connection was lost.

with port 1883 it works:

pi@WeeWX:~ $ mosquitto_pub -h localhost -p 1883 -t "weather/test" -m "hello world. this is to the weather topic with authentication" -u "pi" -P " <passwd> " -d
Client mosqpub|24645-WeeWX sending CONNECT
Client mosqpub|24645-WeeWX received CONNACK (0)
Client mosqpub|24645-WeeWX sending PUBLISH (d0, q0, r0, m1, 'weather/test', ... (61 bytes))
Client mosqpub|24645-WeeWX sending DISCONNECT

mosquitto_sub gives:
pi@WeeWX:~ $ mosquitto_sub -h localhost -p 8883 -t weather/# -d
Client mosqsub|24569-WeeWX sending CONNECT
Client mosqsub|24569-WeeWX sending CONNECT

again, with port 1883 it works:
pi@WeeWX:~ $ mosquitto_sub -h localhost -p 1883 -t weather/# -d
Client mosqsub|24659-WeeWX sending CONNECT
Client mosqsub|24659-WeeWX received CONNACK (0)
Client mosqsub|24659-WeeWX sending SUBSCRIBE (Mid: 1, Topic: weather/#, QoS: 0)
Client mosqsub|24659-WeeWX received SUBACK
Subscribed (mid: 1): 0

I have installed tcpdump; which parameters am I looking for?

Thanks,
Michal

Date: Wednesday 23 December 2020, time: 20:55:28 UTC+1, sender: Greg Troxel

mh081...@gmail.com

Dec 23, 2020, 9:44:59 PM
to weewx-user
Hi,

Have you set tlsv12 in weewx.conf under the [[MQTT]] section?

Like 



mh081...@gmail.com

Dec 23, 2020, 9:47:56 PM
to weewx-user
I mean


    [[MQTT]]
        server_url = mqtt://pi:password@url:8883/
        topic = weather
        unit_system = METRIC
        binding = archive, loop
        aggregation = aggregate
        log_success = False
        log_failure = True
        [[[tls]]]
            tls_version = tlsv12
            ca_certs = /etc/ssl/certs/ca-certificates.crt
        [[[inputs]]]
            [[[[dayRain]]]]
                name = dayRain_mm
                units = mm
            [[[[rainRate]]]]
                name = rainRate_mm_per_hour
                units = mm_per_hour


miso k

Dec 23, 2020, 10:05:28 PM
to weewx-user
Wow!
That tlsv12 has really helped! Now tail -f shows no errors.
Just to be sure: in server_url = mqtt://pi:password@url:8883/
can the URL be localhost, or should I use my https:// webpage "jastrabie.online"?

My Belchertown settings still do not work:
    # MQTT Websockets defaults
    mqtt_websockets_enabled = 1
    mqtt_websockets_host = "jastrabie.online"
    mqtt_websockets_port = 9001
    mqtt_websockets_ssl = 1
    mqtt_websockets_topic = "weather/loop"
    disconnect_live_website_visitor = 1800000

The webpage debugger shows this:
WebSocket connection to 'wss://jastrabie.online:9001/mqtt' failed: Connection closed before receiving a handshake response
d._doConnect @ paho-mqtt.min.js:37
d.connect @ paho-mqtt.min.js:31
Client.connect @ paho-mqtt.min.js:70
connect @ belchertown.js?1608760733:1308
(anonymous) @ (index):156
l @ jquery.min.js:2
c @ jquery.min.js:2

Thank you!
Michal

Date: Wednesday 23 December 2020, time: 22:47:56 UTC+1, sender: mh081...@gmail.com

miso k

Dec 23, 2020, 10:27:28 PM
to weewx-user
I have proved that
pi@WeeWX:~ $ mosquitto_sub -h jastrabie.online -p 8883 -t weather/# -d --tls-version tlsv1.2 --cafile /etc/ssl/certs/ca-certificates.crt
works!
So now I only need to set up Belchertown correctly?

Date: Wednesday 23 December 2020, time: 23:05:28 UTC+1, sender: miso k

vince

Dec 23, 2020, 10:27:40 PM
to weewx-user
On Wednesday, December 23, 2020 at 2:05:28 PM UTC-8 misk...@gmail.com wrote:
just to be sure -  server_url = mqtt://pi:password@url:8883/ 
URL can be localhost, or should I use my https:// webpage "jastrabie.online"? 

Never localhost

Always use the MQTT broker's ip address or hostname or ideally FQDN

In your example, 'jastrable.online' hopefully is a fully qualified domain name, but I've never heard of that domain and it doesn't resolve for me here. I'd suggest initially using your MQTT broker system's ip address there for initial testing to know that the broker config works. Then move later to putting in the fully qualified domain name that ip resolves to as step 2.


miso k

Dec 23, 2020, 10:49:18 PM
to weewx-user

It is an FQDN - jastrabie.online - look at the letter behind B.
So I leave the host as it is.
Is my port correct - 9001?
Should SSL be 1 as "On", or should it be the TLS protocol version - 1.2, or even 12?


    # MQTT Websockets defaults
    mqtt_websockets_enabled = 1
    mqtt_websockets_host = "jastrabie.online"
    mqtt_websockets_port = 9001
    mqtt_websockets_ssl = 1
    mqtt_websockets_topic = "weather/loop"
    disconnect_live_website_visitor = 1800000


Date: Wednesday 23 December 2020, time: 23:27:40 UTC+1, sender: vince

miso k

Dec 23, 2020, 11:18:27 PM
to weewx-user
Maybe I am using different certificates for both - MQTT pub:

        [[[tls]]]
            tls_version = tlsv12
            ca_certs = /etc/ssl/certs/ca-certificates.crt

and what is defined in /etc/mosquitto/conf.d/myconfig.conf 

...
# Insecure mqtt to localhost only, and secure mqtt
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/jastrabie.online/cert.pem
cafile /etc/letsencrypt/live/jastrabie.online/chain.pem
keyfile /etc/letsencrypt/live/jastrabie.online/privkey.pem
protocol mqtt

# websockets
listener 9001
certfile /etc/letsencrypt/live/jastrabie.online/cert.pem
cafile /etc/letsencrypt/live/jastrabie.online/chain.pem
keyfile /etc/letsencrypt/live/jastrabie.online/privkey.pem
protocol websockets

Am I right/wrong?
Miso


Date: Wednesday 23 December 2020, time: 23:49:18 UTC+1, sender: miso k
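As an added example (not part of this thread, and not weewx, Belchertown or Mosquitto code), the following Python script cross-checks the three fragments posted in it offline: the weewx [[MQTT]] stanza with its [[[tls]]] section, the Mosquitto listener config above, and Belchertown's websocket settings. The tls_version option names are weewx's own; how they are mapped onto ssl.TLSVersion floors, the listener parser and every check are assumptions of this example. Run against the thread's configs it flags tlsv1 (the value that failed), flags a missing [[[tls]]] section against the TLS-only 8883 listener (the "publish failed ... 4" case), and passes the tlsv12 config.

```python
"""Offline cross-check of a weewx [[MQTT]] stanza, Mosquitto listeners and
Belchertown websocket settings. Added example, not project code."""
import ssl
from urllib.parse import urlsplit

# weewx tls_version name -> TLS version floor for the client context.
# Assumption: weewx maps these names to ssl.PROTOCOL_* constants; here the
# same names pin minimum_version on a modern, verifying client context.
TLS_VERSION_MIN = {
    "tls": ssl.TLSVersion.TLSv1_2,    # "best available": use a modern floor
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv11": ssl.TLSVersion.TLSv1_1,
    "tlsv12": ssl.TLSVersion.TLSv1_2,
}


def build_client_context(tls_version="tlsv12", ca_certs=None):
    """Verifying client context (hostname check on, CA required) with the
    floor the weewx option asks for. ca_certs=None means the system store,
    which is what /etc/ssl/certs/ca-certificates.crt also provides."""
    ctx = ssl.create_default_context(cafile=ca_certs)
    ctx.minimum_version = TLS_VERSION_MIN[tls_version]
    return ctx


def parse_listeners(mosquitto_conf):
    """Minimal parser for 'listener <port> [bind]' blocks: {port: options}."""
    listeners, current = {}, None
    for raw in mosquitto_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            parts = value.split()
            current = listeners.setdefault(int(parts[0]), {"protocol": "mqtt"})
            current["bind"] = parts[1] if len(parts) > 1 else None
        elif current is not None:
            current[key] = value.strip()
    return listeners


def check_mqtt_setup(mqtt_section, mosquitto_conf, websockets):
    """Return findings; items starting with 'note:' are informational,
    everything else would reproduce an error seen in this thread."""
    findings = []
    listeners = parse_listeners(mosquitto_conf)
    url = urlsplit(mqtt_section["server_url"])
    port, tls = url.port or 1883, mqtt_section.get("tls")
    listener = listeners.get(port)
    if listener is None:
        findings.append(f"server_url port {port}: broker has no listener")
    else:
        if "certfile" in listener and tls is None:
            findings.append(f"listener {port} serves TLS but weewx has no [[[tls]]] section (plaintext CONNECT, publish fails)")
        if listener["bind"] == "localhost" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"listener {port} is bound to localhost but server_url uses {url.hostname}")
    if tls is not None:
        ver = tls.get("tls_version", "tls")
        if ver not in TLS_VERSION_MIN:
            findings.append(f"unknown tls_version {ver!r}")
        elif TLS_VERSION_MIN[ver] < ssl.TLSVersion.TLSv1_2:
            findings.append(f"tls_version = {ver} asks for a pre-1.2 TLS version the broker refused; use tlsv12")
    ws_port = int(websockets["mqtt_websockets_port"])
    ws = listeners.get(ws_port)
    if ws is None or ws.get("protocol") != "websockets":
        findings.append(f"mqtt_websockets_port {ws_port} is not a websockets listener")
    elif str(websockets.get("mqtt_websockets_ssl")) == "1" and "certfile" not in ws:
        findings.append(f"mqtt_websockets_ssl = 1 but listener {ws_port} has no certfile (wss:// handshake fails)")
    if url.password:
        findings.append("note: broker password is embedded in server_url; keep weewx.conf readable only by the weewx user")
    return findings


# Constructed fixtures, transcribed from the configs posted in this thread.
MOSQUITTO_CONF = """\
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/jastrabie.online/cert.pem
cafile /etc/letsencrypt/live/jastrabie.online/chain.pem
keyfile /etc/letsencrypt/live/jastrabie.online/privkey.pem
protocol mqtt
listener 9001
certfile /etc/letsencrypt/live/jastrabie.online/cert.pem
cafile /etc/letsencrypt/live/jastrabie.online/chain.pem
keyfile /etc/letsencrypt/live/jastrabie.online/privkey.pem
protocol websockets
"""
BELCHERTOWN_WS = {"mqtt_websockets_port": "9001", "mqtt_websockets_ssl": "1"}
SERVER_URL = "mqtt://pi:<password>@jastrabie.online:8883/"
FAILING_MQTT = {"server_url": SERVER_URL, "tls": {"tls_version": "tlsv1", "ca_certs": "/etc/ssl/certs/ca-certificates.crt"}}
WORKING_MQTT = {"server_url": SERVER_URL, "tls": {"tls_version": "tlsv12", "ca_certs": "/etc/ssl/certs/ca-certificates.crt"}}
```

Calling check_mqtt_setup(FAILING_MQTT, MOSQUITTO_CONF, BELCHERTOWN_WS) returns the tlsv12 finding plus the password note; with WORKING_MQTT only the note remains. build_client_context("tlsv12") is the context a client should hand to paho or any other MQTT library: it verifies the chain against the system store and checks the hostname, which is why the broker must be addressed by the name in its certificate rather than by localhost or a bare IP.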

miso k

Dec 25, 2020, 4:53:46 PM
to weewx-user
So I checked from another browser, and it is working. I cleared the cache and it also works in my PC browser.
The main thing was tls12 instead of tls1 in weewx.conf.

Thank you all!!! 

Date: Thursday 24 December 2020, time: 0:18:27 UTC+1, sender: miso k