Secure bridge between a local Mosquitto and Watson IoT - mqtt

I need your help on the MQTT bridging. Currently I can successfully bridge the local MQTT to the Watson IoT messaging, but only in insecure mode, i.e. port 1883. So I got the server certificate with this command
openssl s_client -connect myorg.messaging.internetofthings.ibmcloud.com:8883 -showcerts > server.crt
and removed two lines from the top and two lines from the bottom. When I try to connect this in a secure mode, I get the socket error as below. Could anyone help me on this?
mosquitto.conf
connection bridge-to-watsoniot
bridge_insecure false
bridge_certfile /home/pi/server.crt
address myorg.messaging.internetofthings.ibmcloud.com:8883
cleansession false
try_private false
bridge_attempt_unsubscribe false
notifications true
notification_topic iot-2/type/Raspberry/id/my_mqtt_gateway/evt/status/fmt/raw
remote_username use-token-auth
remote_password ***************
remote_clientid g:myorg:Raspberry:my_mqtt_gateway
topic iot-2/type/+/id/+/cmd/+/fmt/+ in iot-2/type/+/id/+/cmd/+/fmt/+
topic iot-2/type/+/id/+/evt/+/fmt/+ out iot-2/type/+/id/+/evt/+/fmt/+
connection_messages true
mosquitto.log
1487240737: mosquitto version 1.4.10 (build date Thu, 25 Aug 2016 10:12:09 +0100) starting
1487240737: Config loaded from mosquitto.conf.
1487240737: Opening ipv4 listen socket on port 1883.
1487240737: Opening ipv6 listen socket on port 1883.
1487240737: Connecting bridge bridge-to-watsoniot (myorg.messaging.internetofthings.ibmcloud.com:8883)
1487240738: New connection from 127.0.0.1 on port 1883.
1487240738: New client connected from 127.0.0.1 as mqttjs_93a3961c (c1, k10, u'foo').
1487240738: New connection from 127.0.0.1 on port 1883.
1487240738: New client connected from 127.0.0.1 as mqttjs_618c88ab (c1, k10).
1487240739: Socket error on client local.g:myorg:Raspberry:my_mqtt_gateway, disconnecting.
1487240747: New connection from 192.168.82.130 on port 1883.

The bridge_certfile directive is for a client side certificate for the local broker to use to authenticate itself with the remote broker. You should not need this to connect to Watson IoT.
You should be using bridge_cafile or bridge_capath to point to the CA certificate that signed the Watson IoT certificate so the local broker can verify that the remote end is who they say they are.
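As an added example (not from the question or the answer, and not mosquitto's own code), the following Python checker applies the answer's point to a bridge section: bridge_cafile or bridge_capath is what lets the local broker verify the remote end, whereas bridge_certfile is one half of a client-certificate pair and does nothing useful without bridge_keyfile. The two config strings are constructed copies of the question's bridge section and of a corrected version; the CA bundle path used in the corrected version is an assumption.

```python
"""Flag TLS mistakes in a mosquitto bridge section (added example, not mosquitto code)."""
from typing import Dict, List

# Constructed copy of the question's bridge section (password redacted, as in the post).
ORIGINAL_BRIDGE = """\
connection bridge-to-watsoniot
bridge_insecure false
bridge_certfile /home/pi/server.crt
address myorg.messaging.internetofthings.ibmcloud.com:8883
cleansession false
remote_username use-token-auth
remote_password REDACTED
remote_clientid g:myorg:Raspberry:my_mqtt_gateway
topic iot-2/type/+/id/+/cmd/+/fmt/+ in iot-2/type/+/id/+/cmd/+/fmt/+
topic iot-2/type/+/id/+/evt/+/fmt/+ out iot-2/type/+/id/+/evt/+/fmt/+
"""

# The same section with the fix the answer describes: drop bridge_certfile and point
# bridge_cafile at a CA bundle that contains the issuer of the remote certificate.
# The bundle path is an assumption (Debian's default system bundle location).
FIXED_BRIDGE = ORIGINAL_BRIDGE.replace(
    "bridge_certfile /home/pi/server.crt",
    "bridge_cafile /etc/ssl/certs/ca-certificates.crt",
)


def parse_directives(conf_text: str) -> Dict[str, List[str]]:
    """Map each directive name to the list of values it was given (topic may repeat)."""
    directives: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives


def check_bridge_tls(conf_text: str) -> List[str]:
    """Return a list of problems; an empty list means the TLS directives are consistent."""
    d = parse_directives(conf_text)
    problems: List[str] = []
    address = d.get("address", [""])[0]
    port = address.rsplit(":", 1)[1] if ":" in address else "1883"
    has_ca = "bridge_cafile" in d or "bridge_capath" in d

    if port == "8883" and not has_ca:
        problems.append("remote port 8883 but no bridge_cafile/bridge_capath: "
                        "the local broker has no CA to verify the remote end against")
    if "bridge_certfile" in d and "bridge_keyfile" not in d:
        problems.append("bridge_certfile without bridge_keyfile: bridge_certfile is a "
                        "client certificate for authenticating this broker, not the "
                        "place for the remote server's certificate")
    if d.get("bridge_insecure", ["false"])[0].lower() == "true":
        problems.append("bridge_insecure true: the remote hostname is not checked "
                        "against its certificate")
    return problems


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_BRIDGE), ("fixed", FIXED_BRIDGE)):
        print(f"{name}: {check_bridge_tls(conf) or ['ok']}")
```

Run against the original section the checker reports the two problems the answer describes; against the corrected section it reports none. The checker reads directives only; whether the file named by bridge_cafile really contains the issuing CA rather than the leaf certificate extracted with openssl s_client is something it cannot tell, so verify that separately with openssl x509.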

Related

I can't get any data from my broker with mosquitto_sub over the internet

On localhost my broker works great, but when I use the broker IP on another device to connect over the internet it doesn't work.
WebSocket is fine.
I use this command to subscribe to the topic and get the retained messages:
mosquitto_sub -h *.*.*.* -p 1883 -t mrt_connections/#
On localhost, and when I use a VPN, I get current information, but when I use the broker IP with another device over the internet I can't get any data.
This is the log when I used the IP over the internet:
1673794013: New connection from ****.****.***.**** on port 1883.
1673794013: New client connected from ****.****.***.**** as auto-48259EF8-9CF7-9CF5-3C2C-20FA8265C33A (p2, c1, k60).
1673794013: No will message specified.
1673794013: Sending CONNACK to auto-48259EF8-9CF7-9CF5-3C2C-20FA8265C33A (0, 0)
1673794017: New connection from *.*.*.* on port 1883.
I guessed that maybe port 1883 is blocked by the ISP, but another broker with the same port is working. I tested many IPs but the problem is still there.
Can anybody explain to me what the problem is?
Thanks.
I use version 2.0.15.
Config file:
allow_anonymous true
listener 1883 *.*.*.*
log_type all
log_dest topic
log_dest stdout
Finally, I found the problem: the port was blocked by the ISP, and now MQTT works fine on port 443.

Mosquitto bridge mode error "Client local.XXXXXX.awsiot disconnected: protocol error."

I'm trying to create a bridge between my local mosquitto broker and AWS IoT. Unfortunately I cannot successfully make it work :(((
I set up the mosquitto.conf file like this:
port 1883
allow_anonymous true
log_type all
tls_version tlsv1.2
bind_address 0.0.0.0
listener 8883
protocol mqtt
connection awsiot
address al3qi2b1mxp67-ats.iot.us-east-2.amazonaws.com:8883
topic # both 0
try_private false
bridge_protocol_version mqttv311
bridge_keyfile C:\Program Files\mosquitto\certs\private.key
bridge_certfile C:\Program Files\mosquitto\certs\certificate.pem
bridge_cafile C:\Program Files\mosquitto\certs\AmazonRootCA1.pem
I'm getting this result in cmd when running mosquitto.exe -c mosquitto.conf:
1642763152: The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.
1642763152: The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
1642763152: mosquitto version 2.0.14 starting
1642763152: Config loaded from mosquitto.conf.
1642763152: Opening ipv6 listen socket on port 8883.
1642763152: Opening ipv4 listen socket on port 8883.
1642763152: Opening ipv4 listen socket on port 1883.
1642763152: Bridge local.DESKTOP-DC703HB.awsiot doing local SUBSCRIBE on topic #
1642763152: Connecting bridge awsiot (al3qi2b1mxp67-ats.iot.us-east-2.amazonaws.com:8883)
1642763152: Bridge DESKTOP-DC703HB.awsiot sending CONNECT
1642763152: mosquitto version 2.0.14 running
1642763153: Client local.DESKTOP-DC703HB.awsiot disconnected: protocol error.

MQTT Broker does not receive any messages

I'm trying to connect my Tasmota switch over MQTT. I have installed Mosquitto on a virtual machine; here's the configuration:
/etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
/etc/mosquitto/acl
# weewx readwrite to the loop
user tasmota
#topic weather/#
/etc/mosquitto/conf.d/myconfig.conf
allow_anonymous true
password_file /etc/mosquitto/passwd
persistence false
protocol mqtt
acl_file /etc/mosquitto/acl
The service is running, and the port is up.
This is the configuration of my switch.
I'm trying to take a look at messages with
mosquitto_sub -h 10.11.0.106 -t '#'
I also tried to add a user and password, but I don't get any output.
I can see in the log that the connection is established:
1579896351: Config loaded from /etc/mosquitto/mosquitto.conf.
1579896351: Opening ipv4 listen socket on port 1883.
1579896351: Opening ipv6 listen socket on port 1883.
1579896351: New connection from 10.10.0.137 on port 1883.
1579896351: New client connected from 10.10.0.137 as mosqsub|19705-warmachin (c1, k60).
1579896358: Socket error on client mosqsub|19705-warmachin, disconnecting.
1579896358: New connection from 10.10.0.137 on port 1883.
1579896358: New client connected from 10.10.0.137 as mosqsub|19775-warmachin (c1, k60).
1579896361: New connection from 10.11.1.51 on port 1883.
1579896361: New client connected from 10.11.1.51 as DVES_6CA231 (c1, k30, u'tasmota').
1579896361: New connection from 10.11.1.52 on port 1883.
1579896361: New client connected from 10.11.1.52 as DVES_301DDC (c1, k30, u'tasmota').
1579896362: New connection from 10.11.1.54 on port 1883.
1579896362: New client connected from 10.11.1.54 as DVES_350992 (c1, k30, u'tasmota').
Did I miss something, or am I misunderstanding something completely?
Please help.
As thrashed out in the comments, your ACL file is missing any enabled topics either for the anonymous user or the tasmota user.
If you enable ACLs you need to define all the topics you want users to be able to access.
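Added example, not the asker's or the answerer's code and not mosquitto's own ACL implementation: a small Python model of the ACL file format that shows why the asker's file grants nothing to anyone. It handles user and topic lines only (no pattern lines), and the matching order modelled here (first matching rule decides, a deny wins, no matching rule means denied) is an assumption to check against the mosquitto.conf man page for your broker version. The two ACL texts and the Tasmota-style topic names are constructed.

```python
"""Model of a mosquitto ACL file: user/topic lines only (added example, not mosquitto code)."""
from typing import Dict, List, Optional, Tuple

# Constructed copy of the asker's ACL: every topic line is commented out, so the
# tasmota user has no rules and the anonymous section (before any user line) is empty.
ORIGINAL_ACL = """\
# weewx readwrite to the loop
user tasmota
#topic weather/#
"""

# Constructed fix: anonymous clients (mosquitto_sub without -u) may only read the
# device topics; the tasmota user may publish and subscribe on its own prefixes.
FIXED_ACL = """\
topic read tele/#
topic read stat/#

user tasmota
topic readwrite cmnd/#
topic readwrite stat/#
topic readwrite tele/#
"""

Rules = Dict[Optional[str], List[Tuple[str, str]]]  # username (None = anonymous) -> rules


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT wildcard match: '+' matches one level, '#' matches the remainder."""
    pattern_parts = pattern.split("/")
    topic_parts = topic.split("/")
    for i, part in enumerate(pattern_parts):
        if part == "#":
            return True
        if i >= len(topic_parts):
            return False
        if part != "+" and part != topic_parts[i]:
            return False
    return len(pattern_parts) == len(topic_parts)


def parse_acl(acl_text: str) -> Rules:
    """Collect (access, topic) rules per user; rules before the first user line are anonymous."""
    rules: Rules = {None: []}
    current: Optional[str] = None
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "user":
            current = rest
            rules.setdefault(current, [])
        elif key == "topic":
            parts = rest.split(None, 1)
            if len(parts) == 2 and parts[0] in ("read", "write", "readwrite", "deny"):
                access, pat = parts
            else:  # access keyword omitted: mosquitto treats this as readwrite
                access, pat = "readwrite", rest
            rules.setdefault(current, []).append((access, pat))
        else:
            raise ValueError(f"unsupported ACL line in this model: {line}")
    return rules


def acl_allows(rules: Rules, username: Optional[str], topic: str, action: str) -> bool:
    """action is 'read' (subscribe/deliver) or 'write' (publish); no matching rule denies."""
    for access, pat in rules.get(username, []):
        if not topic_matches(pat, topic):
            continue
        if access == "deny":
            return False
        if access == "readwrite" or access == action:
            return True
    return False


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        r = parse_acl(text)
        print(name, "tasmota publish tele/tasmota/STATE:",
              acl_allows(r, "tasmota", "tele/tasmota/STATE", "write"),
              "| anonymous read tele/#:", acl_allows(r, None, "tele/tasmota/STATE", "read"))
```

With the original file, the Tasmota devices' publishes and the anonymous mosquitto_sub subscription are both refused, which matches the symptom in the question: connections succeed (authentication is separate from ACLs) but no message reaches anyone. Note that a user with no user entry at all, e.g. one added to the password file but not to the ACL file, is likewise denied everything.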

Mosquitto configuration not accepting listener containing IP address

I have Mosquitto running on a local server, and my aim is to have 3 listeners:
All local network clients to connect without TLS on port 1883 (port 1883 is closed by the router to the public)
External clients to connect using TLS on port 8883
External client to connect without TLS on port 8880
which, using this config, works fine:
# Local MQTT
listener 1883
# End Local MQTT
# Insecure MQTT
listener 8880
# End Insecure MQTT
# Secure MQTT
listener 8883
## This is standard and should always be this
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /home/pi/.node-red/certs/fullchain.pem
keyfile /home/pi/.node-red/certs/privkey.pem
## Force all clients in this listener to provide a valid certificate, change th$
require_certificate true
## Stop all unauthorised connections
allow_anonymous false
## Use password file
password_file /etc/mosquitto/passwordfile
and which results in healthy Mosquitto log entries:
1575720819: Opening ipv4 listen socket on port 1883.
1575720819: Opening ipv6 listen socket on port 1883.
1575720819: Opening ipv4 listen socket on port 8883.
1575720819: Opening ipv6 listen socket on port 8883.
1575720819: Opening ipv4 listen socket on port 8880.
1575720819: Opening ipv6 listen socket on port 8880.
1575720820: New connection from 140.238.70.128 on port 8880.
1575719390: New client connected from 140.238.70.128 as telegraf (c1, k60, u'raspPi').
BUT... I want to ensure that only the client at 140.238.70.128 is able to connect on port 8880 (TLS isn't an option), so I added the IP address to the config:
# Insecure MQTT
listener 8880 140.238.70.128
# End Insecure MQTT
but that causes Mosquitto to stop, and the log shows:
1575720699: Opening ipv4 listen socket on port 1883.
1575720699: Opening ipv6 listen socket on port 1883.
1575720699: Opening ipv4 listen socket on port 8883.
1575720699: Opening ipv6 listen socket on port 8883.
1575720699: Opening ipv4 listen socket on port 8880.
1575720699: Error: Cannot assign requested address
I would be grateful for any advice as to why this doesn't work, or an alternative solution.
Edit: I also tried restricting the listener to IPv4, but that gave exactly the same result:
# Insecure MQTT
listener 8880 140.238.70.128
socket_domain ipv4
# End Insecure MQTT
The listener directive can only take an address that is local to the machine the broker is running on. This is used to bind a socket to that address on the required port.
You cannot use it as a filter for a remote machine; in fact, there is no way to configure a port to only accept connections from a specific IP address in mosquitto* (or any other broker that I am aware of).
The only way to achieve what you want to do is to use the machine's firewall to drop any packets from other IP addresses addressed to that port. You can use iptables to do this. Something like:
iptables -A INPUT -p tcp --dport 8880 ! -s 140.238.70.129 -j DROP
This should drop any TCP packet destined for port 8880 that is not from 140.238.70.129.
While this will work it will only block IPv4 clients, so if your network has a properly routed IPv6 setup you will need to block access with ip6tables as well (and block access to port 1883).
* you might be able to write a custom auth plugin to do this, but I'm not sure if you get the remote IP address in the details about the user connecting. Also I don't think you can bind authentication to just one listener.
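Added example, not part of the question or the answer: a Python pre-flight check that reproduces the cause of the Error: Cannot assign requested address line. It binds a throwaway socket to each listener's bind address on an ephemeral port, which the kernel only permits for addresses assigned to a local interface, so a listener line naming a remote client's address fails here before the broker is restarted. The sample config is a constructed copy of the question's listeners; the check covers IP addresses and hostnames but not unix socket paths.

```python
"""Check that each mosquitto listener bind address is local (added example, not mosquitto code)."""
import errno
import socket
from typing import List, Tuple

# Constructed copy of the listener lines from the question, including the one that fails.
SAMPLE_CONF = """\
# Local MQTT
listener 1883
# Insecure MQTT
listener 8880 140.238.70.128
# Secure MQTT
listener 8883
"""


def is_local_bind_address(address: str) -> bool:
    """True if a socket can be bound to address (port 0 = any free port).

    Binding sends no traffic. The kernel refuses addresses not assigned to a local
    interface with EADDRNOTAVAIL, the errno behind 'Cannot assign requested address'.
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((address, 0))
        except socket.gaierror:  # hostname that does not resolve
            return False
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                return False
            raise  # anything else (e.g. EACCES) is a different problem; surface it
    return True


def check_listeners(conf_text: str) -> List[Tuple[int, str, bool]]:
    """For each 'listener <port> [address]' line return (port, address, bindable).

    An omitted address means 'all interfaces' and is always bindable.
    """
    results: List[Tuple[int, str, bool]] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("listener "):
            continue
        parts = line.split()
        port = int(parts[1])
        address = parts[2] if len(parts) > 2 else ""
        results.append((port, address, True if not address else is_local_bind_address(address)))
    return results


if __name__ == "__main__":
    for port, address, ok in check_listeners(SAMPLE_CONF):
        print(f"listener {port} {address or '(all interfaces)'}: {'ok' if ok else 'NOT a local address'}")
```

The 8880 line is reported as not bindable on any machine that does not own 140.238.70.128, which is exactly why the broker exits: the bind address selects which local interface the broker listens on and says nothing about who may connect. Restricting the source address stays a job for the host firewall, as the answer describes.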

Mosquitto - EMQX bridge connection name

1) How do I determine the Mosquitto bridge connection name?
The snippet written below is from the EMQx documentation (http://emqtt.io/docs/v2/bridge.html#mosquitto-conf)
connection emqttd
address 127.0.0.1:2883
topic sensor/# out 2
The connection name, emqttd, is written on what basis?
2) I have a TCP connection open from EMQX on the host 172.22.25.53 and port 2883.
When I try connecting from the same system, it works absolutely fine. But from a different system, I get this error:
C:\Program Files\mosquitto>mosquitto.exe -c mosquitto.conf -v
1542182003: mosquitto version 1.5.3 starting
1542182003: Config loaded from mosquitto.conf.
1542182003: Opening ipv6 listen socket on port 1883.
1542182003: Opening ipv4 listen socket on port 1883.
1542182003: Bridge local.AOI146.emq#172.22.25.53 doing local SUBSCRIBE on topic BA/#
1542182003: Connecting bridge emq#172.22.25.53 (172.22.25.53:2883)
1542182003: Bridge AOI146.emq#172.22.25.53 sending CONNECT
1542182003: Error creating bridge: Unknown error.
1542182003: Warning: Unable to connect to bridge emq#172.22.25.53.
My mosquitto.conf file is:
connection emqx
address 172.22.25.53:2883
cleansession false
topic AB/# both 2
The connection name is the value after connection in the configuration file, as described in the bridge section of the mosquitto.conf man page.
e.g.
connection foo
will result in a connection name of foo.
172.22.25.53 is in the reserved range 172.16.0.0 – 172.31.255.255. I'm going to guess you are running emq in a Docker container and you are trying to access the container using its Docker internal IP address. You will need to expose the port on your host machine to be able to access it from a remote machine.