Configuring TLS for MQTT correctly


Walter Kraembring

Jun 18, 2017, 2:08:16 PM
to Node-RED
Hello, I might be temporarily blind, so any help is very much appreciated.

The following Python code works fine (also in a Python function node in Node-RED) and I get a secure connection established, using only one certificate:

import paho.mqtt.client as mqtt

# mqtt.Mosquitto() is an old alias of mqtt.Client(); use the current name
client = mqtt.Client()
# Server-only TLS: the broker's CA certificate is enough on port 8883
client.tls_set("/home/pi/mosquitto.org.crt")
client.connect("test.mosquitto.org", 8883, 10)  # host, port, keepalive (s)
for i in range(5):
    # publish() returns (rc, mid); rc == 0 means the PUBLISH went out
    result, mid = client.publish('node-red', 'hello', 0)
    if result == 0:
        break
client.disconnect()
del client



But what is the correct configuration in the MQTT node when configuring TLS? What I have tried so far, with the same certificate, just gives error messages.



urs.epp...@switch.ch

Jun 20, 2017, 2:56:34 AM
to Node-RED
I'm no expert at all on the certificate topic in general.
I use my own MQTT broker and I wanted to secure the connection. Therefore I created a self-signed certificate using openssl, and I ended up with a number of files, three of which I had to configure in the tls-config node for node-red. See screenshot below.
Maybe it helps to get you one step closer.
Kind regards,
Urs.


Walter Kraembring

Jun 21, 2017, 3:38:59 AM
to Node-RED
Thank you Urs, yes, I already have my own MQTT brokers on my home network configured securely as in your example, and there it works without problems. I was just struggling with the test.mosquitto.org broker, following this guide:
https://test.mosquitto.org/ssl/

But it is not so important, it was just a test out of curiosity.

Kind regards, Walter

urs.epp...@switch.ch

Jun 21, 2017, 5:29:38 AM
to Node-RED
Hello Walter
Ah, I think I got it. I'm not able to try it, so this might be wrong.

You need three files:
1. client.key
2. client.crt
3. mosquitto.org.crt

The page https://test.mosquitto.org/ssl/ shows you how to create the client.key file.
Then you create the client.csr file in text-encoded form and paste it onto the mosquitto web page, which sends you the signed and encoded client.crt file back.
Then you need to download the mosquitto.org.crt (PEM format) file from the test.mosquitto.org web page.
Put all three of them in a place where node-red has access and you will be fine.

Kind regards,

Urs.

Walter Kraembring

Jun 22, 2017, 3:14:17 AM
to Node-RED
Interesting, I noticed that the configuration below actually works: securely connected to the broker via port 8883, but the NR configuration is indicated as "not properly configured".

It seems that the TLS configuration for MQTT in NR does not accept "empty" fields. But it is still working with just one certificate entered (enough of a requirement from the broker's point of view).

Besides, the Security tab is automatically filled in with a user name and password (which should be left blank once saved, I think) that you have to clear out every time you go into the configuration dialog, otherwise it does not work.

Then, moving on to trying with a self-signed client certificate and key on port 8884 (supported by test.mosquitto.org), I cannot make it work at all in NR. Trying with MQTT.fx it is however working as expected, so the certificates must be OK I think.
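An added check for the two setups discussed in this thread (the CA-only connection on 8883 and the three-file client-certificate connection on 8884); this is example code written for this page, not from the posts, Node-RED or paho. It builds the TLS settings with only Python's ssl module, so a client.key that does not belong to client.crt is caught locally before the 8884 connection is attempted; the host name and file names are taken from the thread, and connect_mqtt relies on paho's tls_set_context, which is assumed to need paho-mqtt 1.3 or newer.

```python
import ssl

MOSQUITTO_HOST = "test.mosquitto.org"  # the public test broker used in the thread


def build_tls_context(cafile, certfile=None, keyfile=None):
    """TLS settings matching the three tls-config fields Urs lists.

    cafile   : broker CA (mosquitto.org.crt), enough on its own for port 8883.
    certfile : client.crt and keyfile: client.key, both required for port 8884,
               where test.mosquitto.org also authenticates the client.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # broker must chain to cafile
    ctx.check_hostname = True                     # broker cert must name the host
    if certfile:
        # Raises ssl.SSLError if client.key is not the key for client.crt.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def key_matches_cert(certfile, keyfile):
    """Check locally that client.key belongs to client.crt, no broker needed.

    False on a mismatch, on a file that is not PEM, or on a missing file;
    any of these makes the 8884 handshake fail before you see a clear error.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False
    return True


def tls_policy(ctx):
    """Security-relevant settings of a context as plain values, for a quick review."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def connect_mqtt(ctx, host=MOSQUITTO_HOST, port=8883):
    """Connect with paho-mqtt; imported here so the checks above run without it."""
    import paho.mqtt.client as mqtt
    client = mqtt.Client()
    client.tls_set_context(ctx)  # assumed: paho-mqtt >= 1.3
    client.connect(host, port, keepalive=10)
    return client
```

Run key_matches_cert("client.crt", "client.key") first; only when it returns True is it worth entering the three files in the tls-config node for port 8884.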

Walter Kraembring

Jun 22, 2017, 3:19:08 AM
to Node-RED
And this works as well, but is it supposed to?

