Skip to main content
Version: Mosquitto 3.0

Prerequisites

Ensure you have the following files ready before configuring Mosquitto:

  • Server Certificate (server.crt): The public server certificate.
  • Private Key (server.key): The private key associated with the server certificate.

Configuring Pro Mosquitto Broker with a Server Certificate

Pro Mosquitto TLS termination

Open your mosquitto.conf file to add a certificate to a certain port. Add or modify the following settings to configure the Pro Mosquitto broker to use the server certificate:

# Enable a listener on port 8883 for SSL/TLS connections
listener 8883
protocol mqtt

# SSL/TLS certificate paths
certfile /path/to/server.crt
keyfile /path/to/server.key
  • listener 8883: Sets the port for SSL/TLS communication. Port 8883 is the standard MQTT SSL/TLS port.
  • certfile: Specifies the path to the server's public certificate file.
  • keyfile: Specifies the path to the server's private key file.

HA Proxy TLS termination

In a cluster setup an HA Proxy is used for TLS termination. This is the default config of the frontend haproxy.jsonfile:

frontend mqtt_frontend
bind *:1883
mode tcp
default_backend mqtt_backend
timeout client 10m

In order to enable TLS termination here add the following behind the bind *:<port> parameter: ssl crt /path/to/certs/server.pem This will do the TLS termination at the frontend stage before routing the traffic further to the set backend (here mqtt_backend ).

Client connections

Use an MQTT client to connect to the broker using the secure port (e.g., 8883) to verify that the server certificate is being used:

mosquitto_sub -h <broker-ip> -p 8883 -t test/topic --cafile /path/to/ca.crt

In this example, a --cafile parameter is added to the test because, depending on the device and the server certificate, your underlying system may not have the required CA in place to validate the server certificate you set.

Configuring Cedalo Platform with a Server Certificate

Currently, this is not yet natively supported for the platform. You can still achieve this today via a proxy of your choice. If you have any questions regarding implementation, please contact our support.

Certificate access

It is important that the files from the specified path are available to Pro Mosquitto. Ensure that the private key file is securely accessible to the Mosquitto service:

sudo chmod 640 /path/to/server.key
sudo chown mosquitto:mosquitto /path/to/server.key

This ensures that only the Mosquitto service has access to the private key, enhancing security.

To apply the changes, restart Pro Mosquitto. Check the Mosquitto logs for troubleshooting if needed.