HOW-TO Easily Install and Secure mosquitto MQTT on Raspberry Pi

This HOW-TO is an easy step-by-step guide to getting an MQTT broker running on a Raspberry Pi, including TLS and user authentication.

If you haven’t yet set up your Pi here’s a HOW-TO: http://tinab.blog/how-to-headless-pi-easy-setup

You can skip this step but it’s a useful base that ensures a good start: http://tinab.blog/how-to-install-a-standard-base-linux-server-on-raspberry-pi

Having enabled SSH and logged in, start by updating the system (if you haven’t already done so by following the steps above):

sudo apt update && sudo apt -y upgrade

Then obtain a certificate [instructions to follow] and copy your certificate files into an accessible folder on the Pi. If you’ve followed the steps above, copy them into the smb_transfer_folder using your favourite file manager (i.e. you’ll need to know how to do that from Windows or Mac, etc.; search online if you don’t already know).

Next, install mosquitto and enable the service:

sudo apt install mosquitto mosquitto-clients
sudo systemctl enable mosquitto.service

Make a folder for the certificates and copy them into it from the shared folder above:

sudo mkdir /etc/mosquitto/sslcerts -p
sudo cp /home/chris/smb_transfer_folder/ionos_certs/* /etc/mosquitto/sslcerts/

Then create a user and set a password (remember it):

sudo mosquitto_passwd -c /etc/mosquitto/passwd mqtt_access_user

Edit the config file to enable MQTT over TLS:

sudo nano /etc/mosquitto/conf.d/default.conf

by adding the following contents (substitute the filenames with those of your actual certificate files):

listener 1883 localhost
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
certfile /etc/mosquitto/sslcerts/my-smart.haus_ssl_certificate.cer
cafile /etc/mosquitto/sslcerts/_.my-smart.haus_ssl_certificate_INTERMEDIATE.cer
keyfile /etc/mosquitto/sslcerts/_.my-smart.haus_private_key.key

Finally, restart the service so it picks up the new config (sometimes a reboot is required before logins are allowed):

sudo systemctl restart mosquitto.service
sudo reboot

You can test by logging in with an MQTT client. You’ll need your Pi’s IP address, port 8883, your username (mqtt_access_user if you used the instructions above) and your password (the one you remembered from above). If your client asks whether to validate certificates, choose YES; if it asks whether to use TLS, choose YES.
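As an added example (not code from the original post), the following script audits a mosquitto conf.d file for the properties the configuration above relies on: anonymous access disabled, a password file configured, and a certfile plus keyfile on every listener that is not bound to localhost. The script and function names are this example's own, and the configs in its self-demo are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: audit a mosquitto conf.d file for the
# settings this guide relies on. Usage: sh audit_mosquitto.sh /etc/mosquitto/conf.d/default.conf
# Evaluate the listener collected so far; called when the next listener starts
# and once more at end of file. Shares cur/bind/have_cert/have_key/rc with caller.
_finish_listener() {
    [ -n "$cur" ] || return 0
    case "$bind" in
        localhost|127.0.0.1|::1) return 0 ;;   # loopback-only: plaintext is acceptable
    esac
    if [ -z "$have_cert" ] || [ -z "$have_key" ]; then
        echo "FAIL: listener $cur is reachable from the network but has no certfile/keyfile"
        rc=1
    fi
}
# Returns 0 when the file passes every check, 1 otherwise (one line per finding).
check_mosquitto_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+false([[:space:]]|$)' "$conf" \
        || { echo "FAIL: allow_anonymous false is not set"; rc=1; }
    grep -Eq '^[[:space:]]*password_file[[:space:]]+[^[:space:]]' "$conf" \
        || { echo "FAIL: no password_file directive"; rc=1; }
    # certfile/keyfile apply to the most recently declared listener, so walk the
    # file in order; 'rest' holds the optional bind address after the port.
    cur=""; bind=""; have_cert=""; have_key=""
    while read -r key val rest; do
        case "$key" in
            listener) _finish_listener; cur="$val"; bind="$rest"; have_cert=""; have_key="" ;;
            certfile) have_cert=1 ;;
            keyfile)  have_key=1 ;;
        esac
    done < "$conf"
    _finish_listener
    return "$rc"
}
# Self-demo on two constructed configs when run without a file argument.
demo() {
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' 'listener 1883 localhost' 'listener 8883' 'allow_anonymous false' \
        'password_file /etc/mosquitto/passwd' 'certfile /etc/mosquitto/sslcerts/site.cer' \
        'keyfile /etc/mosquitto/sslcerts/site.key' > "$good"
    printf '%s\n' 'listener 1883' 'allow_anonymous true' > "$bad"
    echo "guide-style config:"; check_mosquitto_conf "$good" && echo "OK"
    echo "weak config:";        check_mosquitto_conf "$bad"  || echo "rejected"
    rm -f "$good" "$bad"
}
if [ $# -gt 0 ]; then check_mosquitto_conf "$1"; else demo; fi
```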
