mosquitto & SSL


Stefan Gliessmann

Sep 29, 2023, 9:35:22 AM
to weewx-user
I am trying to get my weather station web presence secure with https://
Therefore, I also need my MQTT server to be secure via SSL.

I received my certificates from Let's Encrypt and edited my mosquitto config file accordingly:

  GNU nano 6.2             /etc/mosquitto/conf.d/myconfig.conf

persistence false
allow_anonymous true
#allow_zero_length_clientid true
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# mqtt
#listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/cert.pem
cafile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/chain.pem
keyfile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/privkey.pem
tls_version tlsv1.2
protocol mqtt

# websockets
listener 9001
certfile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/cert.pem
cafile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/chain.pem
keyfile /etc/letsencrypt/live/weewx.bz3gfkrlqtrsc3sv.myfritz.net/privkey.pem
protocol websockets


Every time I now reboot mosquitto, I get an error from mosquitto:


root@weewx:/# sudo systemctl restart mosquitto.service
Job for mosquitto.service failed because the control process exited with error code.
See "systemctl status mosquitto.service" and "journalctl -xeu mosquitto.service" for details.
root@weewx:/# sudo systemctl status mosquitto.service
× mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2023-09-29 15:32:19 CEST; 1s ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
    Process: 542132 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 542133 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 542134 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 542135 ExecStartPre=/bin/chown mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 542136 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
   Main PID: 542136 (code=exited, status=1/FAILURE)
        CPU: 22ms

Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Sep 29 15:32:19 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Start request repeated too quickly.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:19 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
root@weewx:/#


Once I comment the certificates out, mosquitto starts up fine.

I double-checked that the certificates can be read by everybody.

Any clue what else I can check for?


TIA,

Stefan


Graham Eddy

Sep 29, 2023, 9:41:19 AM
to WeeWX User
try sudo journalctl -u mosquitto -n 50 to see the log messages (or sudo tail -50 /var/log/mosquitto/* if it puts them there instead)
⊣GE⊢


Stefan Gliessmann

Sep 29, 2023, 9:46:04 AM
to weewx...@googlegroups.com

root@weewx:/# sudo journalctl -u mosquitto -n 50
Sep 29 15:31:52 weewx mosquitto[542060]: 1695994312: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:31:52 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:31:52 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:31:52 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:31:52 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Sep 29 15:31:52 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:31:52 weewx systemd[1]: mosquitto.service: Start request repeated too quickly.
Sep 29 15:31:52 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:31:52 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:32:18 weewx mosquitto[542113]: 1695994338: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:18 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 1.
Sep 29 15:32:18 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:32:18 weewx mosquitto[542119]: 1695994338: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:18 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 2.
Sep 29 15:32:18 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:32:18 weewx mosquitto[542125]: 1695994338: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:18 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 3.
Sep 29 15:32:18 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:18 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:32:18 weewx mosquitto[542130]: 1695994338: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:32:18 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:18 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 4.
Sep 29 15:32:19 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:19 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:32:19 weewx mosquitto[542136]: 1695994339: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:19 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Sep 29 15:32:19 weewx systemd[1]: Stopped Mosquitto MQTT Broker.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Start request repeated too quickly.
Sep 29 15:32:19 weewx systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Sep 29 15:32:19 weewx systemd[1]: Failed to start Mosquitto MQTT Broker.
Sep 29 15:36:37 weewx systemd[1]: Starting Mosquitto MQTT Broker...
Sep 29 15:36:37 weewx mosquitto[542525]: 1695994597: Loading config file /etc/mosquitto/conf.d/myconfig.conf
Sep 29 15:36:37 weewx systemd[1]: Started Mosquitto MQTT Broker.


Mosquitto has issues with reading my mosquitto/conf.d/myconfig.conf when the certificates are active.

It works fine when certificates are commented out ...





Stefan Gliessmann

Sep 29, 2023, 10:25:46 AM
to weewx...@googlegroups.com
Well - I just moved my certs from the Let's Encrypt dir to the mosquitto/cert dir and now mosquitto restarted without problems ... :)



Graham Eddy

Sep 29, 2023, 10:35:32 AM
to WeeWX User
i was expecting log file to show either file not found (misnamed) or permission denied (user ‘mosquitto’ not able to read). maybe need to add log_type debug to config file to get that message. anyway, looks like you fixed perms problem

note: if you moved (not copied) them from letsencrypt, better put them back then copy them, or the cert refresh will get confused
⊣GE⊢

Stefan Gliessmann

Sep 29, 2023, 11:01:49 AM
to weewx...@googlegroups.com
good catch - I had them actually copied ... but nevertheless, I shall probably link them as I copied cert1.pem, etc ... otherwise, in three months I will wonder why MQTT stopped working suddenly ;)
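
The renewal concern raised in the last two posts (copies of cert1.pem going stale after three months) can be handled with a certbot deploy hook that re-copies the files each time the certificate renews. This is an added example, not code from the thread; the hook file name, the /etc/mosquitto/certs destination and the mosquitto account name are assumptions.

```shell
#!/bin/sh
# Certbot deploy hook (added example): copy a renewed certificate into a
# directory the broker can read, then restart mosquitto.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/mosquitto-copy.sh

# Assumptions: destination directory and service account used by the broker.
MOSQ_CERT_DIR="${MOSQ_CERT_DIR:-/etc/mosquitto/certs}"
MOSQ_USER="${MOSQ_USER:-mosquitto}"

# install_certs SRC_DIR DST_DIR OWNER
# Copies the three PEM files named in the listener config. install(1) reads
# through the live/ -> archive/ symlinks, so DST_DIR receives regular files
# with the current content rather than links or a stale cert1.pem.
install_certs() {
    src=$1; dst=$2; owner=$3
    # Refuse to touch the destination unless the full set is available.
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    # Public material is world-readable; the private key is owner-only.
    install -o "$owner" -m 0644 "$src/cert.pem"    "$dst/cert.pem"    || return 1
    install -o "$owner" -m 0644 "$src/chain.pem"   "$dst/chain.pem"   || return 1
    install -o "$owner" -m 0600 "$src/privkey.pem" "$dst/privkey.pem" || return 1
}

# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
# Outside certbot the variable is unset and the script only defines the
# function above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$MOSQ_CERT_DIR" "$MOSQ_USER" &&
        systemctl restart mosquitto.service
fi
```

The certfile, cafile and keyfile lines of both listeners then point at the copies in the destination directory instead of /etc/letsencrypt/live.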

