{"id":7964,"date":"2015-02-16T00:16:41","date_gmt":"2015-02-15T22:16:41","guid":{"rendered":"http:\/\/lukse.lt\/uzrasai\/?p=7964"},"modified":"2015-02-16T11:16:25","modified_gmt":"2015-02-16T09:16:25","slug":"internet-of-things-messaging-mqtt-1-installing-mosquitto-server","status":"publish","type":"post","link":"https:\/\/lukse.lt\/uzrasai\/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server\/","title":{"rendered":"Internet of Things messaging MQTT 1: Installing mosquitto server"},"content":{"rendered":"

\"mqttorg\"<\/a>MQTT is a extremely lightweight machine-to-machine connectivity protocol. If you have Internet connected things talking to each other, you should consider MQTT as the best choice.<\/p>\n

<\/div>\n

Installation<\/h2>\n

\"mosquitto_mqtt\"<\/a>Mosquitto<\/a> is the most popular MQTT<\/a> broker at the time, also it is open sourced, works pretty well and has large community. I will be using this broker. Here are installation notes:<\/p>\n

 <\/p>\n

Install some libraries and tools<\/p>\n

apt-get update\r\napt-get install pkg-config cmake openssl libc-ares-dev libssl-dev python-mosquitto<\/pre>\n
Then install mosquitto from sources<\/a> (please double check that you will be installing latest version). Of course you can install it on other operating systems and platforms (OSX, Windows, Openwrt, Various Linux, Raspberry) using prepared setup files<\/a>.<\/p>\n
wget http:\/\/mosquitto.org\/files\/source\/mosquitto-1.3.5.tar.gz\r\ntar xzf mosquitto-1.3.5.tar.gz\r\ncd mosquitto-1.3.5\r\ncmake .\r\nmake install<\/pre>\n
Pretty easy. Mosquitto is installed and should be ready to serve. Interesting part comes next – if secure messaging using SSL or TLS is need, you will need to generate certificates.<\/p>\n
Edit configuration file<\/h3>\n
Make some adjustments to configuration file, there are more settings to adjust, but I provide only basic set<\/p>\n
mkdir \/etc\/mosquitto\/conf.d\/certs\r\nnano \/etc\/mosquitto\/conf.d\/mosquitto.conf<\/pre>\n
Here is how my configuration looks like<\/p>\n
allow_anonymous false\r\nautosave_interval 1800\r\nconnection_messages true\r\nlog_dest stderr\r\nlog_dest topic\r\nlog_type error\r\nlog_type warning\r\nlog_type notice\r\nlog_type information\r\nlog_type all\r\nlog_type debug\r\nlog_timestamp true\r\npassword_file \/etc\/mosquitto\/conf.d\/jp.pw\r\nacl_file \/etc\/mosquitto\/conf.d\/jp.acl\r\npersistence true\r\npersistence_location \/tmp\/\r\npersistence_file mosquitto.db\r\npersistent_client_expiration 1m\r\nretained_persistence true\r\nlistener 1883 127.0.0.1\r\nlistener 8883\r\ntls_version tlsv1\r\ncafile \/etc\/mosquitto\/conf.d\/certs2\/ca.crt\r\ncertfile \/etc\/mosquitto\/conf.d\/certs2\/server.crt\r\nkeyfile \/etc\/mosquitto\/conf.d\/certs2\/server.key\r\nrequire_certificate false\r\nallow_anonymous false<\/pre>\n
SSL key generation<\/h2>\n
Go to certificated directory, I have prepared earlier and run few commands. You will be asked to enter some data. There are few tricky parts:<\/p>\n
    \n
  • If your certificate will be used on local machine without valid hostname (i.e. only IP address), you must use special settings in your program to make it a bit less secure (don’t check hostname). Though connection still be encrypted.<\/li>\n
  • Don’t set -days xxxx to big – certificate will be invalid and you might get strange errors.<\/li>\n<\/ul>\n
    cd \/etc\/mosquitto\/conf.d\/certs\/<\/pre>\n
    openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt\r\n\r\n\u00a0\u00a0\u00a0 > Generating a 2048 bit RSA private key\r\n\u00a0\u00a0 \u00a0> .....................................................................................+++\r\n\u00a0\u00a0 \u00a0> ..+++\r\n\u00a0\u00a0 \u00a0> writing new private key to 'ca.key'\r\n\u00a0\u00a0 \u00a0> Enter PEM pass phrase:123\r\n\u00a0\u00a0 \u00a0> Verifying - Enter PEM pass phrase:123\r\n\u00a0\u00a0 \u00a0> -----\r\n\u00a0\u00a0 \u00a0> You are about to be asked to enter information that will be incorporated\r\n\u00a0\u00a0 \u00a0> into your certificate request.\r\n\u00a0\u00a0 \u00a0> What you are about to enter is what is called a Distinguished Name or a DN.\r\n\u00a0\u00a0 \u00a0> There are quite a few fields but you can leave some blank\r\n\u00a0\u00a0 \u00a0> For some fields there will be a default value,\r\n\u00a0\u00a0 \u00a0> If you enter '.', the field will be left blank.\r\n\u00a0\u00a0 \u00a0> -----\r\n\u00a0\u00a0 \u00a0> Country Name (2 letter code) [AU]:LT\r\n\u00a0\u00a0 \u00a0> State or Province Name (full name) [Some-State]:\r\n\u00a0\u00a0 \u00a0> Locality Name (eg, city) []:Vilnius\r\n\u00a0\u00a0 \u00a0> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt\r\n\u00a0\u00a0 \u00a0> Organizational Unit Name (eg, section) []:\r\n\u00a0\u00a0 \u00a0> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt\r\n\u00a0\u00a0 \u00a0> Email Address []:e@mail.com<\/pre>\n
    openssl genrsa -des3 -out server.key 2048\r\n\r\n\u00a0\u00a0\u00a0 > Generating RSA private key, 2048 bit long modulus\r\n\u00a0\u00a0 \u00a0> ............................................................................................................+++\r\n\u00a0\u00a0 \u00a0> ..............+++\r\n\u00a0\u00a0 \u00a0> e is 65537 (0x10001)\r\n\u00a0\u00a0 \u00a0> Enter pass phrase for server.key:123\r\n\u00a0\u00a0 \u00a0> Verifying - Enter pass phrase for server.key:123<\/pre>\n
    openssl genrsa -out server.key 2048\r\n\r\n\u00a0\u00a0\u00a0 > Generating RSA private key, 2048 bit long modulus\r\n\u00a0\u00a0 \u00a0> ....................................................................+++\r\n\u00a0\u00a0 \u00a0> ................................................+++\r\n\u00a0\u00a0 \u00a0> e is 65537 (0x10001<\/pre>\n
    openssl req -out server.csr -key server.key -new\r\n\r\n\u00a0\u00a0\u00a0 > You are about to be asked to enter information that will be incorporated\r\n\u00a0\u00a0 \u00a0> into your certificate request.\r\n\u00a0\u00a0 \u00a0> What you are about to enter is what is called a Distinguished Name or a DN.\r\n\u00a0\u00a0 \u00a0> There are quite a few fields but you can leave some blank\r\n\u00a0\u00a0 \u00a0> For some fields there will be a default value,\r\n\u00a0\u00a0 \u00a0> If you enter '.', the field will be left blank.\r\n\u00a0\u00a0 \u00a0> -----\r\n\u00a0\u00a0 \u00a0> Country Name (2 letter code) [AU]:LT\r\n\u00a0\u00a0 \u00a0> State or Province Name (full name) [Some-State]:\r\n\u00a0\u00a0 \u00a0> Locality Name (eg, city) []:Vilnius\r\n\u00a0\u00a0 \u00a0> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt\r\n\u00a0\u00a0 \u00a0> Organizational Unit Name (eg, section) []:\r\n\u00a0\u00a0 \u00a0> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt\r\n\u00a0\u00a0 \u00a0> Email Address []:e@mail.com\r\n\u00a0\u00a0 \u00a0> \r\n\u00a0\u00a0 \u00a0> Please enter the following 'extra' attributes\r\n\u00a0\u00a0 \u00a0> to be sent with your certificate request\r\n\u00a0\u00a0 \u00a0> A challenge password []:123\r\n\u00a0\u00a0 \u00a0> An optional company name []:<\/pre>\n
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000\r\n\r\n\u00a0\u00a0\u00a0 > Signature ok\r\n\u00a0\u00a0 \u00a0> subject=\/C=LT\/ST=Some-State\/L=Vilnius\/O=lukse.lt\/CN=lukse.lt\/emailAddress=e@mail.com\r\n\u00a0\u00a0 \u00a0> Getting CA Private Key\r\n\u00a0\u00a0 \u00a0> Enter pass phrase for ca.key:123<\/pre>\n
    \u00a0This is it. We can run secured mosquitto now. Just to test I will run it in verbose mode.<\/p>\n
    service mosquitto stop\r\n\/usr\/sbin\/mosquitto -v -c \/etc\/mosquitto\/mosquitto.conf<\/pre>\n
    If you see output like this, everyting is good and you are ready to dig deeper.<\/p>\n
    root@397063:\/home\/mqtt\/remote_shell# \/usr\/sbin\/mosquitto -v -c \/etc\/mosquitto\/mosquitto.conf\r\n1424034500: mosquitto version 1.3.5 (build date 2014-10-18 00:28:57+0000) starting\r\n1424034500: Config loaded from \/etc\/mosquitto\/mosquitto.conf.\r\n1424034500: Opening ipv4 listen socket on port 1883.\r\n1424034500: Opening ipv4 listen socket on port 8883.\r\n1424034500: Opening ipv6 listen socket on port 8883.<\/pre>\n
    User managing<\/h2>\n
    Mosquitto has built in features to manage users. It uses two config files: jp.pw – for managing passwords and jp.acl – for access level configuration.<\/p>\n
    Passwords<\/h3>\n
    To create new user<\/p>\n
    mosquitto_passwd \/etc\/mosquitto\/conf.d\/jp.pw test\r\n    > Password: secret\r\n    > Reenter password: secret<\/pre>\n
    To delete user<\/p>\n
    mosquitto_passwd -D \/etc\/mosquitto\/conf.d\/jp.pw test<\/pre>\n
    Password file looks like<\/p>\n
    root@397063:\/etc\/mosquitto\/conf.d# cat \/etc\/mosquitto\/conf.d\/jp.pw                    \r\ntest1:$6$GWjNhmdRHTBKTwx0gIAWwerH0epp4Wb6q4sam7AhUAwboIdDVUhI9NiV32sY9rzhS7DlrznhOkUF\/2pb4GOg5O4dhcCB2tAwlb\/hmoQ==\r\ntest2:$6$v61hb9FpQ53KS0jZ$m94VacLuKntD\/Fhqi9Sw9gBWPMDVQo76ZnznIvm0C3G0XVNfys\u0116hNFEVlIWByJt9Bq41reBHrx4yYbxmu5aNjLXEVw==<\/pre>\n
    Access level<\/h3>\n
    This file jp.acl must be eddited by hand, and sample file looks like<\/p>\n
    root@397063:\/etc\/mosquitto\/conf.d# cat jp.acl \r\n\r\n# anonymus access\r\ntopic read $SYS\/#\r\ntopic test\/#\r\n\r\nuser test1\r\ntopic write zz\/#\r\ntopic read zz\/#<\/pre>\n
    Enable and start service<\/h2>\n
    After installing mosquitto server, creating SSL keys, configuring users you are ready to start MQTT server with these commands<\/p>\n
    service mosquitto enable\r\nservice mosquitto start<\/pre>\n","protected":false},"excerpt":{"rendered":"
    MQTT is a extremely lightweight machine-to-machine connectivity protocol. If you have Internet connected things talking to each other, you should consider MQTT as the best choice.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38,21,5],"tags":[],"class_list":["post-7964","post","type-post","status-publish","format-standard","hentry","category-in-english","category-projektai","category-uzrasai"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2rU5c-24s","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/posts\/7964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/comments?post=7964"}],"version-history":[{"count":43,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/posts\/7964\/revisions"}],"predecessor-version":[{"id":8040,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/posts\/7964\/revisions\/8040"}],"wp:attachment":[{"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/media?parent=7964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/categories?post=7964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lukse.lt\/uzrasai\/wp-json\/wp\/v2\/tags?post=7964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}