Securing the mosquitto server
Åke Hedman edited this page Aug 26, 2021 · 3 revisions
A good step-by-step tutorial on this topic is this article. It works well if you run the mosquitto server as the root user. If not, you have to change the permissions on the letsencrypt folders so that the account mosquitto runs under can read the certificate and key files.
```
# Port to use for the default listener.
# MQTT without TLS: username and password cross the network unencrypted.
listener 1883
allow_anonymous false
password_file /etc/mosquitto/password

#listener 8883
#cafile /etc/mosquitto/certs/ca.crt
#certfile /etc/mosquitto/certs/server.crt
#keyfile /etc/mosquitto/certs/server.key
#include_dir /etc/mosquitto/conf.d

# MQTT over TLS, using the Let's Encrypt certificate.
listener 8883
allow_anonymous false
password_file /etc/mosquitto/password
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
certfile /etc/letsencrypt/live/demo.vscp.org/fullchain.pem
keyfile /etc/letsencrypt/live/demo.vscp.org/privkey.pem

# WebSockets without TLS.
listener 9001
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/password
websockets_log_level all

# WebSockets over TLS, using the same certificate.
listener 9901
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/password
websockets_log_level all
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
certfile /etc/letsencrypt/live/demo.vscp.org/fullchain.pem
keyfile /etc/letsencrypt/live/demo.vscp.org/privkey.pem
```
If you have previously set up a web server like nginx, it is perfectly fine to use the certificates from that setup. Just remember to set the hook described in the link above so that the mosquitto server gets restarted when the certificates are updated.
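A renewal hook for a broker that does not run as root, as an added example (not from this page or the linked article): instead of opening up the letsencrypt folders, it copies the renewed certificate and key to the `/etc/mosquitto/certs/server.crt` and `server.key` paths from the commented-out listener above, readable by the broker account, and restarts mosquitto. The `mosquitto` user name, the `mosquitto` systemd unit, installing the script under `/etc/letsencrypt/renewal-hooks/deploy/`, and pointing `certfile`/`keyfile` at the copies are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a mosquitto broker not running as root.
# Assumptions (not from the page): broker account "mosquitto", systemd unit
# "mosquitto", listeners use $DEST_DIR/server.crt and $DEST_DIR/server.key.

DOMAIN="demo.vscp.org"            # certificate lineage used on this page
DEST_DIR="/etc/mosquitto/certs"   # directory from the commented-out listener

# copy_cert SRC_DIR DEST_DIR OWNER
# Copies fullchain.pem/privkey.pem to server.crt/server.key owned by OWNER.
copy_cert() {
    src=$1 dest=$2 owner=$3
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    [ -d "$dest" ] || return 1
    (
        umask 077                 # copies are never world-readable, even briefly
        for pair in fullchain.pem:server.crt privkey.pem:server.key; do
            tmp="$dest/.${pair#*:}.new"
            cp "$src/${pair%%:*}" "$tmp" || exit 1      # follows the live/ symlink
            chown "$owner" "$tmp" || exit 1
            mv -f "$tmp" "$dest/${pair#*:}" || exit 1   # atomic replace
        done
        # The chain is public; the private key stays owner-only.
        chmod 0644 "$dest/server.crt" && chmod 0600 "$dest/server.key"
    )
}

# is_our_lineage PATH: true when PATH is the live directory for DOMAIN.
is_our_lineage() {
    [ "$(basename "$1")" = "$DOMAIN" ]
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/demo.vscp.org)
# to deploy hooks; without it this file only defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ] && is_our_lineage "$RENEWED_LINEAGE"; then
    copy_cert "$RENEWED_LINEAGE" "$DEST_DIR" mosquitto &&
        systemctl restart mosquitto
fi
```

The private key never leaves root-only permissions under `/etc/letsencrypt`, and the broker is restarted only after both files were replaced successfully.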
The VSCP Project (https://www.vscp.org) - Copyright © 2000-2024 Åke Hedman, the VSCP Project