Nice explanation. But, you really should have warned more against actually using the "insecure" option. It's useful to get things working. But, well... it's insecure. There is no point in using TLS without also properly checking certificates for validity.
Yes I agree it shouldn't be used in production. It is useful as a troubleshooting aid.
Could you take a class teaching how to use the new aedes mqtt broker using ssl / tls in conjunction with arduino or esp32?
Can I choose not to use SSL communication if both the MQTT server and its client are located in the same local PC?
Many thanks in advance.
Yes you can. SSL is only necessary if you are sending sensitive data like medical records. Sending temperature and humidity readings and the like doesn't need SSL.
Rgds
Steve
Amazing tutorial, thank you!
When answering the questions given after running the command in step 2 and 4, it just enters a new line and the next question is not given. In order to make it work I can enter a spacebar after whatever value I put in, the next question does show up then. Any idea why I have to enter a space bar after filling in an answer?
For e.g. my company name is now "Fontys " instead of "Fontys". But I had to enter the spacebar or else it would not go to the next question.
You need to enter return after each answer
rgds
steve
Hey @stevecope! Thank you many times for still replying to comments.
I do not quite get what you mean with "enter return". Do you mean I should put /r after each answer? Or am I overthinking it?
Thank you once again
No the return key on your keyboard.
Does that make sense?
Rgds
Steve
Oh yes, it sadly still enters a newline without going to the next question unless I put a space after the answer. Only the first question (country code) works. Odd @stevecope
I don't have a return button on my keyboard. I assume it's labeled as "enter" for me, so that is what I've been using after filling in each answer.
Recently got Windows 11, I wonder if that's got anything to do with it.
No idea it could be something with the keyboard. Where are you located? Have you tried running the scripts on another machine?
Rgds
Steve
Please explain how to configure Last will and testament in mqttfx
I'm after following all the steps and everything is exactly the same but my mosquitto.conf on my raspberry pi broker is totally different? Any help would be appreciated here as I'm not sure where I'm meant to make changes
Go to the site www.steves-internet-guide.com and use the ask-steve tab to get in touch via email and send me your mosquitto.conf file
Steve Cope Thank you very much, I've sent the email now :)
Can you show a node-red example?
Hi
I cover it in the tutorial here
www.steves-internet-guide.com/configuring-the-mqtt-publish-node/
Hello Steve,
Thanks for the video. I am using 2 Raspberry Pi 3, created with MQTT communication, now I want to secure this communication with TLS. I have generated the server key and configured mosquitto.conf, but I always get the error message: "connection refused" when I give the following command:
sudo mosquitto_sub --cafile /etc/mosquitto/ca_certificates/ca.crt -h fd28::1 -u hsrm -P password -t Topic:6LoWPAANover802.15.4 -p 8883
And the error message: "A TLS error occurred" when I give the following command:
sudo mosquitto_sub --cafile /etc/mosquitto/ca_certificates/ca.crt -h fd28::1 -u hsrm -P password -t Topic:6LoWPAANover802.15.4 -p 1883
What else do I have to do from the client's side? I need your help. I've been stuck for two weeks.
I thank you in advance
Hi, go over to the web site and use the ask steve page and send me the conf file. Also try one thing at a time, so disable password authentication until you get SSL working.
Thank you for your feedback. I wrote to you today.
Hi
I need a broker for Android.
Have you ever worked on an Android broker such as Moquette for Android or something like that with an Android manifest file?
Well done. Thank you!
Sir, I need to use an SSL connection on a public MQTT broker, e.g. iot.eclipse.org. How to do it? Help me out.
What client are you using?
I am using Python code to subscribe to my private server and the library is paho MQTT.
Please explain the significance of ca.crt and server.crt. I am not able to distinguish them.
They are both certificates. You can think of them as passports. However the ca.crt contains the keys used to sign the server.crt. By distributing the ca.crt to other machines you allow them to verify the public key sent by the server as it is signed by the key contained in the ca.crt.
Does that help?
Both are certificates. You can consider them as the same as passports.
The server certificate contains the public keys for that server.
The CA certificate contains the public keys of the certificate authority which can be self signed or signed by a higher certificate authority.
The ca private signature key is used to sign the server certificate. It is the trusted authority.
When a client connects to a server to use SSL the server sends the client its certificate, which contains its public key (which has been signed by a CA (trusted authority)), and the client uses the public signature key in the CA certificate to verify that the server public key is valid.
For this to work the client must have a copy of the CA certificate.
CA certificates for public certificate authorities like VeriSign are included with your browser.
Does this make sense?
Great videos but the video is low quality so it is hard to read screen shots.
720p should be view-able on any standard computer monitor. Check your settings. I had no issues.
Hello everyone, I hope I can get some help here.
When I'm doing this I get the following error: TLS Error: File not found.
When I look for what solutions I could get, it's always that I might have done some certificate/key wrong.
So, the only step that is not clear at all for me is the Common Name, I have tried using the hostname of my device ("raspberrypi.local"; I'm going to try "raspberrypi"), a random name ("Raspberry", "MyName"), the server's IP address (in this case, Raspberry's IP address) and still get the same error.
Of course I have checked the mosquitto.conf, even made an 'extension file' for the configuration in the conf.d folder.
Naturally I use 'mosquitto -c directory... mosquito.conf' to check errors; commonly I get the "unable to write PID file" but it usually works fine when I'm using it (the server) for authentication and not authenticated modes.
Please, any suggestions are welcome.
When testing TLS place all of the files (conf and cert) in your local folder (home folder) to avoid permission issues.
You need to use the name that you entered for the common name when you created the certificate.
However this name issue gives a different error message and can be overridden using the insecure switch.
My guess is a permission issue.
Rgds
Steve
@stevecope actually when I create the files I create them in the local folders (ca_certificates and certs).
I also use chown mosquitto for the files I've created to avoid errors when starting the server, so instead of making "root" the user, it is "mosquitto".
And when do I use the common name? When I'm signing in as user and password or as host?
And is there a way to use it without the insecure option?
Also somewhere on the web I've seen they were giving reading permission.
When using "ls -la" in the directory of the files, these look like:
-rw-r--r-- 1 root root 1200 date ca.crt
-rw-------- 1 root root 1751 date ca.key
And when using sudo chown mosquitto ca*
and also sudo chmod g+r ca*
it goes like this:
-rw-r--r-- 1 mosquitto root 1200 date ca.crt
-rw-r------ 1 mosquitto root 1751 date ca.key
But... the guy who made that tutorial gets the following:
-rw-r--r-- 1 root root 1200 date ca.crt
-rw-r--r-- 1 root root 1751 date ca.key
So, well, I'm noticing that the lecture has "two r" in the key file and he keeps root as the user, maybe that would be the problem, but as I previously said, if I don't get to do that, the server won't start correctly. When launching with "mosquitto -c" it gives me an error in the ".conf" files (which leads to a problem with the key).
So, maybe if I get those two rs instead of one r in the .key file and keep it as root user I would get a different result, but I have no idea how to get that, and I'm consulting that in the web browser 😅
@kingastaroth7912 Create a new conf file in your local folder and then open the old file and copy the contents into the new one and use the new one. That should fix any permission problems.
Rgds
Steve
@stevecope thank you Steve.
I have already solved the problem, it was the reading permissions on the key file.
I used:
sudo chmod 644 server.key
Restarted the server and it worked.
As I said previously,
the original content was:
wr----- root root server.key
I used chmod g+r server.key
and it changed to:
wr-r--- root root server.key
But it was not enough.
But with the new command it changed to:
wr-r-r-- root root server.key
And it worked.
Seems that changing the user to mosquitto made the file impossible to find. But with the mode shifted to wr-r--- and the mosquitto user changed, it just enabled the settings to be readable for mosquitto purposes.
I haven't tried chmod g+r _file_ with the root user, but maybe it should work too.
I hope this is useful for someone who is having the same trouble as me, and I hope this is understandable.
Again, thank you Steve for your suggestions, greetings.
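An added example (not from the tutorial or any of the comments above) that ties together Steve's ca.crt/server.crt explanation and the key-permission thread: it builds a throwaway CA and a CA-signed server certificate with openssl, then shows the two checks a client performs when it is given ca.crt (signature chain and hostname, the latter being what the insecure switch skips) and a check for the world-readable private key that chmod 644 produces. It assumes openssl 1.1.1 or newer on PATH; the CA names, the hostname raspberrypi and the temporary directory are constructed.

```shell
#!/bin/sh
# Constructed example: throwaway CA + server cert in a temp dir, then the checks a
# client (and an admin) should run. Not the tutorial's own files or commands.
WORK=$(mktemp -d)

make_certs() {
    # Self-signed CA: ca.key signs server certificates, ca.crt is the public half
    # that clients receive so they can verify that signature.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Server key and CSR; the CN must be the name clients connect with.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=raspberrypi" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/server.key"   # private key: owner-readable only
    # Put the hostname in a SAN as well, which is what modern clients check.
    printf 'subjectAltName=DNS:raspberrypi\n' > "$WORK/san.ext"
    # Sign the CSR with the CA key: this produces server.crt.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
    # An unrelated CA: a client trusting only this one must reject server.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other-CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# verify_chain CAFILE CERT: 0 only if CERT was signed by the CA in CAFILE
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host CAFILE CERT HOST: chain check plus hostname match
# (the hostname part is exactly what the insecure switch turns off)
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# key_world_readable FILE: 0 if the "other" read bit is set (what chmod 644 does);
# chown to the broker user plus chmod 600 keeps the key readable only by the broker.
key_world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

make_certs
verify_chain "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt"
verify_chain "$WORK/other.crt" "$WORK/server.crt" || echo "other.crt: wrong CA, rejected"
verify_host "$WORK/ca.crt" "$WORK/server.crt" raspberrypi && echo "hostname raspberrypi matches"
verify_host "$WORK/ca.crt" "$WORK/server.crt" wrongname || echo "hostname wrongname rejected"
key_world_readable "$WORK/server.key" || echo "server.key is not world-readable"
```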