Enabling Mosquitto SSL TLS - padogrid/padogrid GitHub Wiki
This section describes how to enable SSL/TLS for a Mosquitto cluster. We walk through generating self-signed certificates, configuring the Mosquitto brokers, and making SSL/TLS client connections to the cluster.
1. Create Mosquitto cluster

```bash
create_cluster -product mosquitto -cluster mosquitto_tls
switch_cluster mosquitto_tls
```
2. Generate self-signed SSL/TLS certificates

Let's create a directory, `tls`, in the cluster directory where we will generate the certificate authority, the private keys, and the public certificates. The steps shown here are extracted from [1].

:exclamation: As noted by [1], it is important that the CN (Common Name) in both the broker and client certificates is set to the host name that clients use to connect to the broker. In our example, we have it set to `localhost`.

```bash
mkdir tls && cd tls
```
- Generate CA certificate

  ```bash
  mkdir ca && cd ca
  openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=myca"
  ```

  Output:

  ```
  Generating a RSA private key
  ............+++++
  ......................+++++
  writing new private key to 'ca.key'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  ```
- Generate broker certificates

  ```bash
  cd ..
  mkdir broker && cd broker
  openssl genrsa -out broker.key 2048
  openssl req -out broker.csr -key broker.key -new -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=localhost"
  openssl x509 -req -in broker.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out broker.crt -days 3650
  rm broker.csr
  ```

- Generate client certificates

  ```bash
  cd ..
  mkdir client && cd client
  openssl genrsa -out client.key 2048
  openssl req -out client.csr -key client.key -new -subj "/C=US/ST=CT/L=CT/O=SELFSIGNED/CN=localhost"
  openssl x509 -req -in client.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out client.crt -days 3650
  rm client.csr
  cd ..
  ```
- View generated files

  ```bash
  tree
  ```

  Output:

  ```
  .
  ├── broker
  │   ├── broker.crt
  │   └── broker.key
  ├── ca
  │   ├── ca.crt
  │   ├── ca.key
  │   └── ca.srl
  └── client
      ├── client.crt
      └── client.key
  ```
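The following script is an added example and is not code from the PadoGrid wiki. It rebuilds the certificate layout above in a scratch directory and checks the properties the :exclamation: note depends on: that the broker and client certificates chain to the CA, that each private key belongs to its certificate, and that a certificate with `CN=localhost` is accepted for the host name `localhost` while one issued for another name (or signed by another CA) is rejected. It assumes `openssl` is on PATH; the function names are my own, the CA key is written with `-nodes` (no pass-phrase prompt) so the script runs unattended, and the `v3_ca` extension section is left to the default `openssl.cnf`.

```shell
#!/bin/sh
# Added example, not part of the PadoGrid wiki. Requires openssl on PATH.
set -eu

# make_pki DIR CN : create DIR/ca, DIR/broker and DIR/client like the wiki's tls/
# directory; broker and client certificates are signed by the CA with the given CN
# (2048-bit RSA, 10-year validity). -nodes replaces the wiki's pass-phrase prompt.
make_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir/ca" "$dir/broker" "$dir/client"
    openssl req -new -x509 -days 3650 -nodes -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" \
        -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=myca" 2>/dev/null
    for role in broker client; do
        openssl genrsa -out "$dir/$role/$role.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$role/$role.key" -out "$dir/$role/$role.csr" \
            -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=$cn" 2>/dev/null
        openssl x509 -req -in "$dir/$role/$role.csr" -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" \
            -CAcreateserial -days 3650 -out "$dir/$role/$role.crt" 2>/dev/null
        rm "$dir/$role/$role.csr"
    done
}

# cert_cn CERT : print the Common Name from the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chain_ok CA CERT HOST : succeed only if CERT chains to CA and is valid for HOST.
# With no subjectAltName, OpenSSL falls back to the CN, which is why the wiki
# insists on CN=localhost; a certificate for any other name fails this check.
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT : succeed only if KEY is the private key for CERT,
# by comparing the SHA-256 of the public key derived from each side.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Usage: sh this_script.sh --demo  builds a throwaway PKI for localhost in a temp dir and checks it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_pki "$d" localhost
    echo "broker CN: $(cert_cn "$d/broker/broker.crt")"
    chain_ok "$d/ca/ca.crt" "$d/broker/broker.crt" localhost && echo "broker chain and host name: ok"
    key_matches_cert "$d/broker/broker.key" "$d/broker/broker.crt" && echo "broker key matches certificate"
    rm -rf "$d"
fi
```

Running `chain_ok` against the certificates generated in this section with a host name other than `localhost` is a quick way to reproduce the host-name mismatch a client would report; modern clients that ignore the CN entirely additionally need a `subjectAltName`, which these CN-only certificates do not carry.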
3. Configure Mosquitto brokers

We now configure each broker with the generated certificates. Because each broker listens on its own port and a Mosquitto configuration file cannot parameterize the port, each broker needs its own tailored configuration file. We do this by generating a TLS-specific configuration file, `tls.conf`, for each broker. The following generates `tls.conf` in each broker's working directory.

```bash
# Change directory into the broker run directory
cd_cluster mosquitto_tls/run

# Generate tls.conf file for each broker.
port=8883
for i in *-0?; do
cat > $i/tls.conf << EOF
listener $port
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
EOF
   let port=port+1
done
unset port
```
View the generated `tls.conf` files.

```bash
cat *-0?/tls.conf
```

Output:

```
listener 8883
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
listener 8884
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
listener 8885
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
```
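The following linter is an added example and is not PadoGrid code. It reads a generated `tls.conf` the way Mosquitto does (comment lines skipped, last value of a key wins) and reports the mistakes that otherwise only surface when the broker starts: a missing or non-numeric `listener` port, a `cafile`, `certfile` or `keyfile` that is not set or not readable from the broker's working directory (Mosquitto resolves relative paths against that directory, which is why the generator uses `../../tls/...` from `run/<broker>`), a world-readable key file, and `require_certificate` not set to `true`, which would turn the mutual-TLS listener above into server-only TLS. The function names and the constructed sample files in `make_fixture` are my own.

```shell
#!/bin/sh
# Added example, not part of the PadoGrid wiki.
set -eu

# conf_get CONF KEY : value of KEY in CONF; comment lines are skipped and, as in
# Mosquitto, the last occurrence of a key wins.
conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# check_tls_conf CONF WORKDIR : print one FAIL/WARN line per finding; return 0 only
# when the listener port is numeric, all three files are set and readable from
# WORKDIR, and client certificates are required (mutual TLS, as the generator sets).
check_tls_conf() {
    conf=$1; workdir=$2; rc=0
    case "$(conf_get "$conf" listener)" in
        ''|*[!0-9]*) echo "FAIL: $conf: listener port missing or not numeric"; rc=1 ;;
    esac
    for key in cafile certfile keyfile; do
        path=$(conf_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "FAIL: $conf: $key not set"; rc=1; continue
        fi
        # Relative paths are resolved from the broker's working directory, not the conf file.
        case "$path" in /*) abs=$path ;; *) abs=$workdir/$path ;; esac
        if [ ! -r "$abs" ]; then
            echo "FAIL: $conf: $key '$path' not readable from $workdir"; rc=1
        elif [ "$key" = keyfile ] && [ -n "$(find "$abs" -perm -004)" ]; then
            echo "WARN: $conf: keyfile '$path' is world-readable"
        fi
    done
    if [ "$(conf_get "$conf" require_certificate)" != "true" ]; then
        echo "FAIL: $conf: require_certificate is not true; clients would not be authenticated by certificate"; rc=1
    fi
    return $rc
}

# make_fixture DIR : constructed sample layout mirroring the cluster's tls/ and
# run/<broker>/ directories, with a tls.conf like the generated one and a weak.conf
# that drops cafile, points keyfile at a missing file and disables client auth.
# The certificate files are placeholders, not real PEM data.
make_fixture() {
    mkdir -p "$1/tls/ca" "$1/tls/broker" "$1/run/mosquitto_tls-01"
    for f in ca/ca.crt broker/broker.crt broker/broker.key; do echo placeholder > "$1/tls/$f"; done
    chmod 600 "$1/tls/broker/broker.key"
    printf 'listener 8883\ncafile ../../tls/ca/ca.crt\ncertfile ../../tls/broker/broker.crt\nkeyfile ../../tls/broker/broker.key\nrequire_certificate true\n' \
        > "$1/run/mosquitto_tls-01/tls.conf"
    printf '# weak settings\nlistener 8884\ncertfile ../../tls/broker/broker.crt\nkeyfile ../../tls/broker/missing.key\nrequire_certificate false\n' \
        > "$1/run/mosquitto_tls-01/weak.conf"
}

# Usage on a real cluster, after `cd_cluster mosquitto_tls/run`:
#   for d in *-0?; do check_tls_conf "$d/tls.conf" "$d"; done
```

Running the loop in the usage comment before `start_cluster` turns a broker that would otherwise die at startup with an unreadable key, or silently accept unauthenticated clients, into an explicit failure in the shell.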
4. Start cluster

```bash
start_cluster
```

You can check each broker's TLS status by executing `openssl s_client` as follows. Each command prints the certificate chain presented by that broker.

```bash
openssl s_client -connect localhost:8883 -showcerts
openssl s_client -connect localhost:8884 -showcerts
openssl s_client -connect localhost:8885 -showcerts
```
5. Test clients

5.1. Mosquitto clients

- Subscribers - `mosquitto_sub`:

  ```bash
  cd_cluster
  mosquitto_sub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/# -h localhost -p 8883
  mosquitto_sub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/# -h localhost -p 8884
  mosquitto_sub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/# -h localhost -p 8885
  ```

- Publishers - `mosquitto_pub`:

  ```bash
  cd_cluster
  mosquitto_pub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/topic1 -m hello -h localhost -p 8883
  mosquitto_pub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/topic1 -m hello -h localhost -p 8884
  mosquitto_pub --cafile tls/ca/ca.crt --key tls/broker/broker.key --cert tls/broker/broker.crt -t test/topic1 -m hello -h localhost -p 8885
  ```
5.2. perf_test

Create the `perf_test` app.

```bash
create_app -product mosquitto -app perf_test -name perf_test_mosquitto
```

Configure `perf_test` with TLS.

```bash
cd_app perf_test_mosquitto
vi etc/mqttv5-client.yaml
```

Add the following in `etc/mqttv5-client.yaml`.
```yaml
clusters:
  ...
    connections:
      ...
      - tls:
          ...
          # Path to a file containing trusted CA certificates to enable encrypted communication.
          cafile: ../../../clusters/mosquitto_tls/tls/ca/ca.crt
          # client certificate for authentication, if required by server.
          certfile: ../../../clusters/mosquitto_tls/tls/client/client.crt
          # client private key for authentication, if required by server.
          keyfile: ../../../clusters/mosquitto_tls/tls/client/client.key
          ...
        connection:
          ...
          serverURIs: [ssl://localhost:8883-8885]
          ...
```
- Subscriber - `perf_test`:

  ```bash
  cd_app perf_test_mosquitto/bin_sh
  ./subscribe_topic test/#
  ```

- Publisher - `perf_test`:

  ```bash
  cd_app perf_test_mosquitto/bin_sh
  ./test_group -run
  ```
5.3. Virtual cluster clients

Create `pubsub.yaml` as follows.

```bash
cd_app perf_test_mosquitto
vi etc/pubsub.yaml
```

Add the following in the new file, `pubsub.yaml`. (The file paths must be absolute paths. Replace `/...` with the cluster directory path.)

:pencil2: The cluster directory path can be obtained by running `echo $PADOGRID_WORKSPACE/clusters/$(pwd_cluster)`.
```yaml
defaultCluster: mosquitto_tls
clusters:
  - name: mosquitto_tls
    connections:
      - tls:
          cafile: /.../tls/ca/ca.crt
          certfile: /.../tls/client/client.crt
          keyfile: /.../tls/client/client.key
        connection:
          serverURIs: [ssl://localhost:8883-8885]
```
- VC Subscriber - `vc_subscribe`:

  ```bash
  cd_app perf_test_mosquitto
  vc_subscribe -config etc/pubsub.yaml -t test/#
  ```

- VC Publisher - `vc_publish`:

  ```bash
  cd_app perf_test_mosquitto
  vc_publish -config etc/pubsub.yaml -t test/topic1 -m hello
  ```
6. Teardown

```bash
stop_cluster
```
References
- MQTTS : How to use MQTT with TLS?, https://openest.io/en/services/mqtts-how-to-use-mqtt-with-tls/.