Mosquitto setup
How to successfully install and set up *Eclipse Mosquitto*.
This guide describes how to install Mosquitto on Debian (x64, oldstable/stable/testing) and configure it to use the PureLife Cloud.
Mosquitto can also be used on other platforms and these instructions should be transferable; however, we do not provide support for this.
Installation
The Mosquitto version in the Debian package sources is outdated. It is therefore recommended to use the package source of the Mosquitto project and install a current Mosquitto version.
To do this, the key for signing the packages must first be added to apt.
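# Fetch the signing key over HTTPS and fail on HTTP errors instead of piping an error page to apt-key
curl -fsSL https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key | sudo apt-key add -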
After that, the package sources can be added.
cd /etc/apt/sources.list.d/
sudo wget http://repo.mosquitto.org/debian/mosquitto-buster.list
Now Mosquitto can be installed from the package sources.
sudo apt-get update
sudo apt-get install mosquitto mosquitto-clients
Mosquitto version 2.* should now be installed.
sudo mosquitto --help
Extended authentication
For secure operation, Mosquitto’s authentication and authorization capabilities must be extended. This requires the installation of the Mosquitto Auth plugin. We provide this for various platforms and Mosquitto versions.
# Find the appropriate version at https://docs.vayyar-cloud.smart-altern.de/files/
# Download the plugin for your platform and version
wget https://docs.vayyar-cloud.smart-altern.de/files/auth-plugin/debian-{version}-amd64/mosquitto-{version}/auth-plugin-{version}.so
sudo mv auth-plugin-{version}.so /etc/mosquitto/auth-plugin.so
# Download the password tool for your platform and make it executable
wget https://docs.vayyar-cloud.smart-altern.de/files/password-tool/pw-tool-{version}-{platform}
sudo mv pw-tool-{version}-{platform} /etc/mosquitto/pw-tool
sudo chmod +x /etc/mosquitto/pw-tool
# Create empty password and ACL files
sudo touch /etc/mosquitto/{passwd,acl}
If a plugin is not available for your platform/version, you can contact us, and we will check if a deployment is possible. Please tell us the operating system (name, version), architecture and Mosquitto version of your production environment. Alternatively, you can create the plugin yourself.
The configuration should not be visible to other users.
sudo chmod -R o-rwx /etc/mosquitto/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/
More information can be found in the documentation.
Limitation
The auth-plugin offers the possibility to integrate different authentication methods into Mosquitto. However, the plugin does not work simultaneously with other authentication methods. If other authentication methods are to be used, the parameter per_listener_settings true must be set and the plugin must have its own Mosquitto listener.
More information can be found in the documentation.
Create an account for the PureLife Cloud
To speed up the initialization of the MQTT connection, it is recommended to create a user for the PureLife cloud in the password text file.
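# Run in a root shell (e.g. sudo -i): /etc/mosquitto is owned by mosquitto and closed to other users
# Set variables
export MQ_USER="PureLifeCloud"
export MQ_PASS="$(/etc/mosquitto/pw-tool -p password-here)"
# Save password and ACL
echo "$MQ_USER:$MQ_PASS" >> /etc/mosquitto/passwd
# Pass the user name as an argument so it is never interpreted as a printf format string
printf '%s\ntopic #\n\n' "$MQ_USER" >> /etc/mosquitto/acl
# Remove variables
unset MQ_PASS
unset MQ_USER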
Configuration
Now Mosquitto can be configured. To do this, create a configuration file with a text editor.
sudo nano /etc/mosquitto/conf.d/default.conf
And insert the following:
auth_plugin /etc/mosquitto/auth-plugin.so
auth_opt_backends files, grpc
auth_opt_retry_count 2
# Auth cache
auth_opt_cache true
auth_opt_cache_reset true
auth_opt_cache_refresh false
# 5 min
auth_opt_auth_cache_seconds 300
# 10 min
auth_opt_acl_cache_seconds 600
auth_opt_auth_jitter_seconds 3
auth_opt_acl_jitter_seconds 3
# GRPC for purelife-cloud
auth_opt_grpc_host 127.0.0.1
auth_opt_grpc_port 10001
auth_opt_grpc_fail_on_dial_error false
auth_opt_grpc_dial_timeout_ms 2000
# (optional) Accounts from file
auth_opt_hasher pbkdf2
auth_opt_files_password_path /etc/mosquitto/passwd
auth_opt_files_acl_path /etc/mosquitto/acl
listener 1883
# listener 8883
# certfile /path/to/your/cert.pem
# cafile /path/to/your/chain.pem
# keyfile /path/to/your/privkey.pem
# listener 1884
# protocol websockets
# certfile /path/to/your/cert.pem
# cafile /path/to/your/chain.pem
# keyfile /path/to/your/privkey.pem
After adjusting the configuration, Mosquitto should be restarted.
sudo systemctl restart mosquitto.service
sudo systemctl status mosquitto.service
For an encrypted connection via MQTTS, store the appropriate certificates and restart the server.
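To check which listeners actually carry TLS after editing the configuration, the following added example (not part of the original guide or of Mosquitto) parses a config file and reports each listener as tls or plaintext. The function names audit_listeners, all_listeners_tls and sample_conf are hypothetical, and the sample configuration is constructed from the listener blocks shown above.

```shell
#!/bin/sh
# Added example: report, for every "listener" in a Mosquitto config,
# whether TLS material (certfile + keyfile, or psk_hint) follows it.
# Reads the file given as $1, or standard input when no file is given.
# Output: one line per listener, "<port> tls" or "<port> plaintext".
audit_listeners() {
    awk '
        # Print the verdict for the listener block that just ended.
        function emit() {
            if (port != "")
                print port, (((cert && key) || psk) ? "tls" : "plaintext")
        }
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 == "listener" { emit(); port = $2; cert = key = psk = 0; next }
        $1 == "certfile" { cert = 1 }
        $1 == "keyfile"  { key = 1 }
        $1 == "psk_hint" { psk = 1 }
        END { emit() }
    ' "${1:--}"
}

# Exit status 0 only when no listener is plaintext (usable in a deploy hook).
all_listeners_tls() {
    ! audit_listeners "${1:--}" | grep -q ' plaintext$'
}

# Constructed sample: the listeners from this guide with the 8883 block enabled
# and the websockets block still commented out.
sample_conf() {
cat <<'EOF'
listener 1883
listener 8883
certfile /path/to/your/cert.pem
cafile /path/to/your/chain.pem
keyfile /path/to/your/privkey.pem
# listener 1884
# protocol websockets
EOF
}

# Demo on the constructed sample: 1883 is reported as plaintext, 8883 as tls.
sample_conf | audit_listeners
```

Run it against the live file with audit_listeners /etc/mosquitto/conf.d/default.conf; settings placed in other included files are not followed.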