HOW-TO Easily Install and Secure mosquitto MQTT on Raspberry Pi
This HOW-TO is an easy step-by-step guide to getting an MQTT broker working on a Raspberry Pi including TLS and user authentication.
If you haven’t yet set up your Pi here’s a HOW-TO: http://tinab.blog/how-to-headless-pi-easy-setup
You can skip this step but it’s a useful base that ensures a good start: http://tinab.blog/how-to-install-a-standard-base-linux-server-on-raspberry-pi
Having enabled SSH and logged in, start by updating the system (skip this if you have just followed the base-install guide above):
sudo apt update && sudo apt -y upgrade
Then obtain a certificate [instructions to follow] and copy the certificate files into a folder the Pi can reach. If you followed the base-install guide above, copy them into smb_transfer_folder over the network share using your usual file manager (how to connect to a share from Windows or macOS is easy to look up if you don't already know). You need three files: the certificate issued for your broker's hostname, the issuing (intermediate) CA certificate, and the private key.
Next, install mosquitto together with its command-line clients (mosquitto_pub and mosquitto_sub, used for testing later) and enable the service so it starts at boot:
sudo apt install mosquitto mosquitto-clients
sudo systemctl enable mosquitto.service
Make a folder for the certificates and copy them into it from the shared folder above (the path below is this guide's; substitute your own username and folder). Once copied, make sure the private key is readable by root and the mosquitto user only, not by every account on the Pi.
sudo mkdir /etc/mosquitto/sslcerts -p
sudo cp /home/chris/smb_transfer_folder/ionos_certs/* /etc/mosquitto/sslcerts/
Then create a user and set a password (you will need it when connecting). The -c flag creates the password file; leave it out when adding further users later, otherwise the existing file is overwritten:
sudo mosquitto_passwd -c /etc/mosquitto/passwd mqtt_access_user
Edit the config file to enable MQTT over TLS
sudo nano /etc/mosquitto/conf.d/default.conf
by adding the following contents (substitute the filenames for the actual files from your certificates). Order matters: certfile, cafile and keyfile apply to the listener defined most recently above them, so keep them after the 8883 listener. The intermediate certificate is supplied as cafile here; if a client reports that it cannot verify the chain (for example "unable to get local issuer certificate"), concatenate the server certificate and the intermediate into one file and use that as certfile instead.
# Plain MQTT on the loopback interface only, for services running on the Pi itself
listener 1883 localhost
# MQTT over TLS on all interfaces; the TLS options below belong to this listener
listener 8883
# Every client must log in with a username and password from the file created above
allow_anonymous false
password_file /etc/mosquitto/passwd
certfile /etc/mosquitto/sslcerts/my-smart.haus_ssl_certificate.cer
cafile /etc/mosquitto/sslcerts/_.my-smart.haus_ssl_certificate_INTERMEDIATE.cer
keyfile /etc/mosquitto/sslcerts/_.my-smart.haus_private_key.key
Finally, restart the service so the new configuration is loaded. The package already starts mosquitto when it is installed, so "start" would do nothing; it is the restart that applies the new listener and password file, and a reboot is not required. If the service fails to come back up, the journal for the mosquitto unit will name the certificate file it could not open or read.
sudo systemctl restart mosquitto.service
You can test by logging in with an MQTT client. Connect to the hostname the certificate was issued for (a name under your domain that resolves to the Pi), not the Pi's raw IP address: with certificate validation turned on, a connection by IP fails because the IP is not in the certificate. Use port 8883, your username (mqtt_access_user if you used the instructions above) and the password you set. If your client asks whether to validate certificates choose YES. If your client asks whether to use TLS choose YES.
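The following script is an added example and is not part of the original HOW-TO. It pulls the checks from the steps above into one place: an audit of a mosquitto configuration for the mistakes this guide avoids (anonymous access, no password file, a non-loopback listener without TLS), a permission lock-down for the certificate folder, a check that the certificate really belongs to the private key, and a smoke test with mosquitto_pub/mosquitto_sub that confirms an anonymous publish is refused and an authenticated one round-trips. The two sample configurations are constructed for the demonstration; the hostname mqtt.my-smart.haus, the CA bundle path, the topic name, the .cer/.key file naming and the mosquitto user and group (as created by the Debian package) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the broker runs as
# user/group "mosquitto" and that certificate files end in .cer / .key.

# audit_mosquitto_conf FILE -> prints one line per problem, returns 1 if any
audit_mosquitto_conf() {
    conf="$1"
    problems=0
    if grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+true' "$conf"; then
        echo "allow_anonymous true: anyone on the network can publish and subscribe"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*(password_file|auth_plugin|plugin)[[:space:]]+' "$conf"; then
        echo "no password_file (or auth plugin): clients cannot be authenticated"
        problems=$((problems + 1))
    fi
    # certfile applies to the most recently defined listener, so a listener with
    # no certfile before the next "listener" line is a plaintext listener.
    tls_gaps=$(awk '
        function check_listener() {
            if (port != "" && bind != "localhost" && bind != "127.0.0.1" && bind != "::1" && !tls)
                print "listener " port " accepts plaintext MQTT from the network"
        }
        /^[ \t]*listener[ \t]/ { check_listener(); port = $2; bind = $3; tls = 0; next }
        /^[ \t]*certfile[ \t]/ { tls = 1 }
        END { check_listener() }
    ' "$conf")
    if [ -n "$tls_gaps" ]; then
        echo "$tls_gaps"
        problems=$((problems + $(echo "$tls_gaps" | wc -l)))
    fi
    [ "$problems" -eq 0 ]
}

# lock_down_certs DIR -> certificates world-readable, key readable by root and the broker only
lock_down_certs() {
    chown root:mosquitto "$1"/*
    chmod 644 "$1"/*.cer
    chmod 640 "$1"/*.key
}

# cert_matches_key CERT KEY -> true if the certificate's public key is the key's public key
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# tls_smoke_test HOST CAFILE USER PASSWORD -> anonymous refused, authenticated round-trip works
tls_smoke_test() {
    host="$1"; cafile="$2"; user="$3"; pass="$4"; topic="test/tls"
    # With allow_anonymous false the CONNECT is refused and mosquitto_pub exits non-zero
    if mosquitto_pub -h "$host" -p 8883 --cafile "$cafile" -t "$topic" -m probe 2>/dev/null; then
        echo "FAIL: broker accepted an anonymous publish"
        return 1
    fi
    tmp=$(mktemp)
    mosquitto_sub -h "$host" -p 8883 --cafile "$cafile" -u "$user" -P "$pass" \
        -t "$topic" -C 1 -W 10 > "$tmp" &
    sub_pid=$!
    sleep 1      # let the subscriber finish the TLS handshake and SUBSCRIBE first
    mosquitto_pub -h "$host" -p 8883 --cafile "$cafile" -u "$user" -P "$pass" \
        -t "$topic" -m "hello over tls"
    wait "$sub_pid"
    got=$(cat "$tmp"); rm -f "$tmp"
    [ "$got" = "hello over tls" ] && echo "OK: authenticated TLS round-trip"
}

# Constructed sample configurations: a weak one and the layout from this guide
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
listener 1883
allow_anonymous true
EOF

GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
listener 1883 localhost
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
certfile /etc/mosquitto/sslcerts/server.cer
cafile /etc/mosquitto/sslcerts/intermediate.cer
keyfile /etc/mosquitto/sslcerts/server.key
EOF

echo "== weak config =="
audit_mosquitto_conf "$WEAK_CONF" || echo "-> not safe to expose"
echo "== guide's config =="
audit_mosquitto_conf "$GOOD_CONF" && echo "-> no problems found"
```

Run the audit against /etc/mosquitto/conf.d/default.conf before opening port 8883 on your router. On the Pi, after sourcing the file, `sudo` the lock-down (`lock_down_certs /etc/mosquitto/sslcerts`), then check `cert_matches_key` on your .cer and .key, and finally run `tls_smoke_test mqtt.my-smart.haus /etc/ssl/certs/ca-certificates.crt mqtt_access_user 'yourpassword'`. The client side verifies against the system root bundle, not the intermediate: the intermediate alone is not a trust anchor, and a public CA's root is already in /etc/ssl/certs on Raspberry Pi OS.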