🚀 ThingsBoard Deployment Overview (v4.0.1) - telemetryinsights/thingsboard GitHub Wiki

This document provides a complete overview of the current ThingsBoard deployment, including the Raspberry Pi setup, AWS relay configuration, protocols and ports, certificates, and end-to-end testing procedures.

🖥️ Raspberry Pi (Edge Host)

Hostname: thingsboard

Username: piadmin

IP Address (LAN): 192.168.86.122

SSH Access: Local only (use FRP tunnel via AWS)

Core Components

ThingsBoard CE v4.0.1 (Java, systemd service)
PostgreSQL (local, bound to 127.0.0.1:5432)
FRPC (reverse proxy client to AWS)

Protocols and Ports (internal bindings)

Protocol	Port	Encryption	Listener
HTTP	8080	No	Java (ThingsBoard)
MQTT	1883	No	Java
MQTT TLS	8883	Yes	Java
CoAP	5683	No	Java
CoAP DTLS	5684	Yes	Java

Certificate Usage

Single cert/key pair used for both MQTT TLS and CoAP DTLS:
- mqttserver.pem
- mqttserver_key.pem
Stored at: /etc/thingsboard/certs/
Also copied to ~/coap/ for testing
Root CA for testing: Let's Encrypt ISRG Root X1 (letsencrypt-root.pem)

Cert Sync & Automation

Certs are renewed on AWS (see below)
Synced to Pi via SSH over FRP tunnel (port 60022)
Pi script logs to:
- ~/coap/cert_update.log
- /var/log/cert_update.log
Pi restarts ThingsBoard and emails results to [email protected]

☁️ AWS Server (Relay / Public Endpoint)

Hostname (SSH): thingsboard-aws

SSH Access:

ssh -i ~/thingsboard.pem [email protected]

Domains

✅ awetimation.com (primary, used for MQTT & CoAP)
➡️ telemetryinsights.com, homemations.com (redirect to awetimation.com)

Services

NGINX (HTTPS termination, HTTP → HTTPS redirect)
FRPS (Fast Reverse Proxy Server)
- TCP Forwarded Ports:
  - 80 → NGINX (HTTP UI)
  - 443 → NGINX (HTTPS UI)
  - 1883 → ThingsBoard MQTT (insecure)
  - 8883 → ThingsBoard MQTT TLS
  - 8080 → ThingsBoard HTTP API (direct)
  - 60022 → SSH to Pi via tunnel
- UDP Forwarded Ports:
  - 5683 → ThingsBoard CoAP
  - 5684 → ThingsBoard CoAP DTLS

Certbot Renewal + Pi Sync

Certbot on AWS issues cert via DNS-01 with Route 53
push-to-pi.sh hook copies certs to Pi via SSH tunnel
Uses key-based SSH over 127.0.0.1:60022
Triggers ~/update-thingsboard-certs.sh on Pi
Fully automated, logs results, and emails sysadmin

🔐 Protocol Authentication + Cert Info

MQTT (TLS)

Port: 8883
Cert: mqttserver.pem (Let's Encrypt)
Authentication: Access token via MQTT username
Client ID: Must match device ID (ThingsBoard)

CoAP (DTLS)

Port: 5684
Cert: mqttserver.pem trusted via Let's Encrypt Root CA
Authentication: Access token embedded in URI
Client cert not required (no mutual TLS)

🧪 Testing

MQTT Secure Publish (TLS 8883)

Using mosquitto_pub from a PC:

mosquitto_pub -h awetimation.com -p 8883 \
  --cafile mqtt-ca.pem \
  -u T1_TEST_TOKEN \
  -t v1/devices/me/telemetry \
  -m '{"soil":33, "pump":false}'

CoAP Secure Publish (DTLS 5684)

Using coap-client-dtls:

./coap-client-dtls -m POST \
  -C letsencrypt-root.pem \
  -e '{"temp":42}' \
  coaps://awetimation.com:5684/api/v1/T1_TEST_TOKEN/telemetry

📁 File Locations

On Raspberry Pi

Path	Purpose
`/etc/thingsboard/certs/mqttserver.pem`	Server TLS cert (live)
`/etc/thingsboard/certs/mqttserver_key.pem`	Server private key (live)
`~/coap/mqttserver.pem`	Copy for coap-client testing
`~/coap/mqttserver_key.pem`	Copy for coap-client testing
`~/coap/cert_update.log`	Cert update script log (user-owned)
`/var/log/cert_update.log`	Cert update log (mirrored system copy)
`~/update-thingsboard-certs.sh`	Pi-side script run after sync
`/etc/frp/frpc.ini`	FRPC config (includes ssh tunnel)

On AWS EC2

Path	Purpose
`/etc/letsencrypt/live/thingsboard.awetimation.com/`	Live cert + key
`/etc/letsencrypt/renewal-hooks/deploy/push-to-pi.sh`	Deploy hook (scp + ssh trigger)
`~/.ssh/pitoaws`	Private key for Pi tunnel access

✅ Summary

Full ThingsBoard CE system running securely on a Raspberry Pi
Secure and insecure MQTT + CoAP supported
Certs renewed and pushed via FRP tunnel from AWS
Restart, logging, and email updates are all automated