Mosquitto in a home automation environment - TLS help?

John Connolly

Aug 7, 2015, 8:51:48 PM
to MQTT
I'm fresh to the whole MQTT scene and have come here from a step in my OpenHAB journey - integrating OwnTracks for presence detection.

I'm running a RPi and have Mosquitto installed and working, but without any security.

I'm working on building Arduino based sensors for home that'll feed data to the RPi via MQTT (once I can find a reliable comms method after having poor reliability with W5100 shields...).  As far as I'm aware, the Arduino MQTT libraries don't support TLS, and given my external OwnTracks integration, I DO need TLS on that side.

I presume it's possible to have Mosquitto running in both TLS and non-TLS modes on 8883 and 1883 respectively.  The Arduinos can chat 'unprotected' locally on the LAN at home and then I can open the MQTT-TLS port on my router to let external traffic in to my broker.  Am I on the right track?

Secondly, I still need to get Mosquitto secured and am struggling to find a simple guide or tutorial on how to get that nailed - easily.  I have obtained a free certificate from StartSSL and I can't find a simple, idiot's guide to getting TLS enabled using my cert.

nemik

Aug 8, 2015, 7:55:05 PM
to MQTT
I would suggest taking a look at ESP8266 modules. There is a nice dev-kit for them called the NodeMCU. It's basically an integrated wifi and microcontroller chip, together, that's pretty easy to use. It has a firmware you can flash onto it made just for MQTT too: https://github.com/tuanpmt/esp_mqtt and it supports TLS. I use it and really like it.

I know it can be programmed from the Arduino IDE too but not sure if it will support MQTT that way. I'd recommend the esp_mqtt firmware instead.

John Connolly

Aug 9, 2015, 1:53:29 AM
to MQTT
Thanks, I've been looking at those too, and great if they support TLS.  I'll order a few to test.  Which model is the best one to get?  There seems to be a number of different types.

nemik

Aug 9, 2015, 10:51:49 AM
to MQTT
Just get something like http://www.amazon.com/Diymall%C2%AElua-Nodemcu-Network-Development-Esp8266/dp/B00UY8C3N0 to do development with. They're usually just called "NodeMCU dev kit". Comes with everything you need to get started.
But if you want to produce your own PCB, base it on the ESP-12 module. They're FCC certified and very cheap, but need some support circuitry to run, which that dev kit all has on it.

Sergei Silnov

Aug 9, 2015, 6:55:22 PM
to MQTT
Now NodeMCU is almost suspended (due to memory limits on the newer SDK), while the Arduino port (https://github.com/esp8266/Arduino) is alive and has an active community.
With the Arduino port for esp8266 you can use the well-known (and known to work) MQTT lib: https://github.com/knolleary/pubsubclient
Or the newer port of the Paho project library: https://github.com/256dpi/arduino-mqtt
Both libs support only QoS 0.

I'll ask the maintainer of esp8266/Arduino about TLS support; it is either possible right now or a work in progress.

nemik

Aug 10, 2015, 10:49:31 AM
to MQTT
Just to be clear, I was recommending the NodeMCU kit only for its hardware, not for actually using Lua and the NodeMCU firmware. I agree with you that it's too memory-constrained and doesn't perform well for most cases.
I think the "esp_mqtt" firmware is the best one for pure MQTT, but if you must use Arduino, like you said, it is an option.

From what I see in the source code though, neither Paho's Arduino client nor the pubsubclient supports TLS yet.

Vlad Babii

Sep 6, 2015, 8:40:02 AM
to MQTT
I'm also using ESP8266 and I'm securing the WiFi connection instead of adding TLS to MQTT. My access points have a new network for home automation that is tied to a virtual network on my server. Only there MQTT listens without TLS. I can add TLS later if I want, but for now I'm doing the development work trusting an automatically generated WPA2 key (every 24 hours the key is changed on each AP).
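
The two-listener setup asked about in the first post (plain MQTT on 1883 for the LAN, TLS on 8883 for external clients such as OwnTracks), as an added `mosquitto.conf` example that is not part of the original thread. The LAN address and all file paths are assumptions, and the security options are written as global settings, so they apply to both listeners.

```conf
# Added example, not from the thread. The address and file paths below are
# constructed placeholders. Comments must sit on their own lines in
# mosquitto.conf.

# Global security settings. TLS encrypts the link but does not identify
# clients, so require a username/password. Without per-listener settings
# this applies to both listeners, so the LAN sensors need credentials too.
# Create the file with: mosquitto_passwd -c /etc/mosquitto/passwd <user>
allow_anonymous false
password_file /etc/mosquitto/passwd

# Listener 1: plain MQTT for devices that cannot do TLS.
# Bound to the Pi's LAN address (assumed 192.168.1.10) rather than all
# interfaces. Do not forward port 1883 on the router.
listener 1883 192.168.1.10

# Listener 2: MQTT over TLS. This is the only port to forward on the router.
listener 8883
# CA chain that issued the server certificate (assumed path)
cafile /etc/mosquitto/certs/ca-chain.pem
# Server certificate and private key (assumed paths). The key file must be
# readable by the user mosquitto runs as, and by nobody else.
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# Refuse older protocol versions
tls_version tlsv1.2
```

Credentials sent to the 1883 listener cross the LAN in cleartext, so they only protect against clients that cannot observe that network; the isolated home-automation network described above narrows who can.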