
Securing the mosquitto server

Åke Hedman edited this page Aug 26, 2021 · 3 revisions

A good step-by-step tutorial on this topic is this article. It works well if you run the mosquitto server as the root user. If not, you have to change the permissions on the letsencrypt folders.

# Port to use for the default listener.
listener 1883
allow_anonymous false
password_file /etc/mosquitto/password

#listener 8883
#cafile /etc/mosquitto/certs/ca.crt
#certfile /etc/mosquitto/certs/server.crt
#keyfile /etc/mosquitto/certs/server.key
#include_dir /etc/mosquitto/conf.d
listener 8883
allow_anonymous false
password_file /etc/mosquitto/password
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
certfile /etc/letsencrypt/live/demo.vscp.org/fullchain.pem
keyfile /etc/letsencrypt/live/demo.vscp.org/privkey.pem

listener 9001
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/password
websockets_log_level all

listener 9901
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/password
websockets_log_level all
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
certfile /etc/letsencrypt/live/demo.vscp.org/fullchain.pem
keyfile /etc/letsencrypt/live/demo.vscp.org/privkey.pem

If you have previously set up a web server such as nginx, it is perfectly fine to use the certificates from that setup. Just remember to set the hook described in the link above so that the mosquitto server gets restarted when the certificates are updated.
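
One way to handle both the non-root permission issue and the renewal hook mentioned above, as an added example that is not from the original page or the linked article: a certbot deploy hook that copies the renewed files to a directory the broker account can read and then restarts mosquitto. The hook file name, the `/etc/mosquitto/certs` destination, the `mosquitto:mosquitto` account and the use of systemd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): certbot deploy hook.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/mosquitto.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/demo.vscp.org)
# to deploy hooks after a successful renewal.

# install_certs SRC DST [OWNER]
# Copy fullchain.pem and privkey.pem from SRC to DST as owner-only files.
install_certs() {
    src=$1 dst=$2 owner=${3:-}
    # Verify both files first so a failure never leaves a mismatched pair.
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "install_certs: cannot read $src/$f" >&2
            return 1
        fi
    done
    (
        umask 077                          # nothing is created group/world readable
        mkdir -p "$dst" || exit 1
        if [ -n "$owner" ]; then chown "$owner" "$dst" || exit 1; fi
        for f in fullchain.pem privkey.pem; do
            new="$dst/.$f.new"
            rm -f "$new"
            cp -L "$src/$f" "$new" || exit 1   # -L: live/ holds symlinks into archive/
            chmod 600 "$new" || exit 1
            if [ -n "$owner" ]; then chown "$owner" "$new" || exit 1; fi
            mv -f "$new" "$dst/$f" || exit 1   # rename so the broker never reads a partial file
        done
    )
}

# Act only for the lineage used in the listener configuration above.
case "${RENEWED_LINEAGE:-}" in
    */demo.vscp.org)
        # Assumptions: service account mosquitto:mosquitto, systemd unit "mosquitto".
        install_certs "$RENEWED_LINEAGE" /etc/mosquitto/certs mosquitto:mosquitto &&
            systemctl restart mosquitto
        ;;
esac
```

With this hook in place, the `certfile` and `keyfile` lines of the TLS listeners would point at `/etc/mosquitto/certs/fullchain.pem` and `/etc/mosquitto/certs/privkey.pem` instead of the letsencrypt paths, and the letsencrypt folders can keep their root-only permissions.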
