Version: Mosquitto 2.9

HTTPS, TLS termination

2.5
Premium


This page describes how to use the HTTPS (SSL/TLS Termination) Feature, which is part of the Security Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).

info

We recommend using a setup with a reverse proxy that handles TLS termination, but if your use case requires terminating TLS on the MMC side, this can now be done using this feature.

HTTPS (SSL/TLS Termination) Feature Overview

TLS termination on the MMC side allows you to use HTTPS without the need to set up a reverse proxy in front of the MMC.

Enable HTTPS Plugin

To enable the plugin, make sure you are using the Pro Edition of Mosquitto and that the User Management security feature is enabled in your license. Also ensure that your config file (specified with the CEDALO_MC_PROXY_CONFIG environment variable, or by default saved in management-center/config/config.json) contains the following entry inside the plugins array:

    {
      "name": "https"
    }

You also need to specify the following environment variables for the HTTPS configuration:

  • CEDALO_MC_PLUGIN_HTTPS_KEY_PATH (required)
  • CEDALO_MC_PLUGIN_HTTPS_CERT_PATH (required)
  • CEDALO_MC_PLUGIN_HTTPS_CA_PATH (optional)

You can read more about these variables below.

On start-up, the Management Center will print a message to the console indicating that the https plugin is enabled and loaded:

Loaded plugin: "cedalo_https" (Cedalo MMC SSL/TLS termination)

You will also see messages like:

Starting Mosquitto proxy server at https://localhost:443

and

Started Mosquitto proxy server at https://localhost:443

info

When using HTTPS, we recommend using the standard HTTPS port, 443. To configure it, change the value of the CEDALO_MC_PROXY_PORT environment variable.

HTTPS Environment variables

More information on the HTTPS configuration variables:

  • CEDALO_MC_PLUGIN_HTTPS_KEY_PATH: path to the server's private key file (required)
  • CEDALO_MC_PLUGIN_HTTPS_CERT_PATH: path to the server's certificate (required)
  • CEDALO_MC_PLUGIN_HTTPS_CA_PATH: path to the CA certificate (optional)

info

Note that if the HTTPS plugin is enabled in the config file but encounters an error, which in most cases is due to misconfiguration, the MMC will not start and will shut down.
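
Because a misconfigured HTTPS plugin prevents the MMC from starting, it helps to check the configuration before a restart. The following pre-flight script is an added example, not part of the Management Center or its documentation. It assumes that "plugins" is a top-level array in config.json, and the function name `preflight` is hypothetical.

```python
import json, os, ssl, stat, sys

REQUIRED = ("CEDALO_MC_PLUGIN_HTTPS_KEY_PATH", "CEDALO_MC_PLUGIN_HTTPS_CERT_PATH")
CA_VAR = "CEDALO_MC_PLUGIN_HTTPS_CA_PATH"
DEFAULT_CONFIG = "management-center/config/config.json"  # default named on this page

def preflight(env):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    cfg_path = env.get("CEDALO_MC_PROXY_CONFIG") or DEFAULT_CONFIG
    try:
        with open(cfg_path) as fh:
            cfg = json.load(fh)
        # Assumption: "plugins" is a top-level array in config.json.
        plugins = (cfg.get("plugins") or []) if isinstance(cfg, dict) else []
        if not any(isinstance(p, dict) and p.get("name") == "https" for p in plugins):
            problems.append(f'{cfg_path}: plugins array has no {{"name": "https"}} entry')
    except (OSError, ValueError, TypeError) as exc:
        problems.append(f"{cfg_path}: cannot read config: {exc}")

    found = {}
    for var in REQUIRED + (CA_VAR,):
        path = env.get(var)
        if not path:
            if var in REQUIRED:
                problems.append(f"{var} is not set (required)")
        elif not os.path.isfile(path):
            problems.append(f"{var}={path}: file not found")
        else:
            found[var] = path

    if all(var in found for var in REQUIRED):
        key, cert = found[REQUIRED[0]], found[REQUIRED[1]]
        # POSIX only: the private key should not be accessible to group or other.
        if os.name == "posix" and os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key}: private key is accessible to group/other")
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(cert, key)  # rejects bad PEM and key/cert mismatch
            if CA_VAR in found:
                ctx.load_verify_locations(cafile=found[CA_VAR])
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"TLS material does not load: {exc}")
    return problems

if __name__ == "__main__":
    issues = preflight(os.environ)
    for issue in issues:
        print("FAIL:", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it in the same environment (same user and environment variables) that starts the MMC; a non-zero exit status means at least one check failed.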