At this point, I have a few IOT things on my home network. The first were a couple of EcoPlugs Wifi outlets that I use to control my gutter heaters in the winter, and the next was a custom garage door controller. For the former, I’m basically controlling them by using a replay attack (I hope to make a post about this soon)…re-sending packets that I observed the EcoPlugs app sending. For the latter, I’m using a custom http interface. Since both of these contain an ESP8266, I’d like re-program them and unify them both to use the MQTT protocol.<\/p>\n
While browsing Hackaday<\/a>, I came across their Minimal MQTT series<\/a>. In this post, I’ll begin by walking through that series, noting my thoughts, then conclude by getting things set up the way I want. Link to article<\/a><\/p>\n Not really much to say here. On Ubuntu, I ran the following commands to install a recent version of The example Link to article<\/a><\/p>\n In my experience, NodeMCU sucks. It’s quick for prototyping, but it doesn’t have the fine-grained control that I want, and it’s unreliable. I’ll use the Arduino IDE instead.<\/p>\n This blogger<\/a> recommends PubSubClient<\/a>. The library doesn’t support publishing as QoS=1, but does support “retain”, which is really what I want anyway.<\/p>\n The library is really easy to install in Arduino IDE. In the menu, do The example code works perfectly.<\/p>\n The “inTopic” messages show up in the serial output, but don’t toggle the LED for me. I think I selected the wrong board… Yes, when I programmed as “WeMos D1 R2 & mini” instead of “Adafruit HUZZAH ESP8266” the LED works as expected!<\/p>\n Next, I modified the code to publish a “retain” message for the LED state, and it works great:<\/p>\n And from a terminal:<\/p>\n Link to Article<\/a><\/p>\n Probably the most useful part is the “MQTT Dashboard” Android app. There isn’t much else interesting to me here.<\/p>\n Link to Article<\/a><\/p>\n The power stuff isn’t too interesting…my devices will have constant power, not battery (for now).<\/p>\n Privacy is more interesting, but it doesn’t really describe what I want.<\/p>\n I want:<\/p>\n This section is kind of stream-of-consciousness notes of my trial-and-error in trying to accomplish these stated goals. If you just want to see when I ended up with, then skip to the next section<\/a>.<\/p>\n Unfortunately, the Sounds like these folks<\/a> bridge two brokers to accomplish this, but I’d rather just run a single instance of Maybe ACLs?<\/a> This guy<\/a> uses a PSK to accomplish it. Ok, so how do I use a PSK on my phone? “MQTT Dashboard” has something for a BSK file…<\/p>\n I guess what I really want isn’t “PSK”, but it’s the keyfile.<\/p>\n Use my listener 8883 After a reload, I get this error:<\/p>\n Duh, I realized that the “keyfile” isn’t the key from the client that I want to trust, it’s the SSL\/TLS key that the server uses.<\/p>\n I also read that mosquitto may not have access to \/etc\/ssl\/private (due to apparmor?), so I copied the keys into the mosquitto directory<\/p>\n listener 8883 And it loads now!<\/p>\n So, now to create a client key…<\/p>\n Back in Now, I’m using the mosquitto-tls man page<\/a> as a guide: <\/p>\n I ran this command to create a new CA for myself:<\/p>\n Then, I already had the server side set up, and I already had the client through the certificate signing request, so I only had to run this command to sign the key (created by Then, back in Now, I think I have to get 1479444878: New connection from 192.168.1.1 on port 8883. Ok, so I’m getting somewhere…Let’s try this without involving the app.<\/p>\n client side:<\/p>\n server error:<\/p>\n A new day…let’s start over a bit.<\/p>\n Let’s walk through the steps on the mosquitto-tls man page<\/a> again: <\/p>\n It works!!!<\/b><\/p>\n Let’s remove this line from Good, it fails:<\/p>\n Ok, let’s fire up This site<\/a> clued me into the fact that the Great!<\/p>\n In the meantime, I’ve upgraded Ubuntu. For whatever reason, the changes I made above to enable the unlimited crypto stuff are no longer there, and there’s not even the
\n<\/p>\n\nBuilding a Broker<\/h2>\n
mosquitto<\/code>:<\/p>\n> sudo add-apt-repository ppa:mosquitto-dev\/mosquitto-ppa
\n> sudo apt-get update
\n> sudo apt-get install mosquitto mosquitto-clients<\/code><\/p><\/blockquote>\nmosquitto_sub<\/code> and mosquitto_pub<\/code> commands work…good.<\/p>\n Networked Nodes<\/h2>\n
Sketch->Include Library->Manage Libraries...<\/code> then search for PubSubClient, select it, and click install.<\/p>\n\n
File->Examples->PubSubClient->mqtt_esp8266<\/code><\/li>\n\n
mosquitto_sub -h localhost -v -t \"outTopic\"<\/code><\/li>\nmosquitto_pub -h localhost -t \"inTopic\" -m \"1\"<\/code><\/li>\nmosquitto_pub -h localhost -t \"inTopic\" -m \"0\"<\/code><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n \/\/ Switch on the LED if an 1 was received as first character
\n if ((char)payload[0] == '1') {
\n digitalWrite(BUILTIN_LED, LOW); \/\/ Turn the LED on (Note that LOW is the voltage level
\n client.publish(\"LED_state\", \"ON\", true);
\n \/\/ but actually the LED is on; this is because
\n \/\/ it is acive low on the ESP-01)
\n } else {
\n digitalWrite(BUILTIN_LED, HIGH); \/\/ Turn the LED off by making the voltage HIGH
\n client.publish(\"LED_state\", \"OFF\", true);
\n }
\n<\/code><\/p><\/blockquote>\n> mosquitto_sub -h localhost -v -t \"LED_state\"
\nLED_state ON
\n<\/code><\/p><\/blockquote>\nControl and Clients<\/h2>\n
Power and Privacy<\/h2>\n
My custom setup – investigation<\/h2>\n
\n
allow_anonymous<\/code> config option is a global option, not per-listener (see the mosquitto.conf man page<\/a>).<\/p>\nmosquitto<\/code>.<\/p>\n
\nThe ACL description in acl_file<\/code> (in the mosquitto-conf documentation linked above) doesn’t sound like you can ACL based on IP or anything.<\/p>\nportecle<\/code><\/a> to create a BKS file, and export the key to PEM format for mosquitto<\/code>. NOTE: I had to use java-9-oracle<\/code>, and I had to do this:<\/p>\n> sudo update-alternatives --config java
\n(select java-9-oracle)
\n> cd \/usr\/lib\/jvm\/java-9-oracle\/lib\/security\/
\n> sudo mkdir limited_policy
\n> sudo cp *.jar limited_policy\/
\n> sudo cp unlimited_policy\/*.jar .\/<\/code><\/p><\/blockquote>\n\/etc\/mosquitto\/conf.d\/local.conf<\/code>:<\/p>\nport 1883<\/p>\n
\ncapath \/etc\/ssl\/certs
\ncertfile \/etc\/ssl\/private\/server_4096_2016.crt
\nkeyfile \/etc\/mosquitto\/certs\/mqtt.pem
\nrequire_certificate true
\nuse_identity_as_username true<\/code><\/p><\/blockquote>\n1479358332: Error: Unable to load server key file \"\/etc\/mosquitto\/certs\/mqtt.pem\". Check keyfile.<\/code><\/p><\/blockquote>\nport 1883<\/p>\n
\ntls_version tlsv1.2
\ncapath \/etc\/ssl\/certs
\ncertfile \/etc\/mosquitto\/certs\/server_4096_2016.crt
\nkeyfile \/etc\/mosquitto\/certs\/server_4096.pem
\nrequire_certificate true
\nuse_identity_as_username true<\/code><\/p><\/blockquote>\nportecle<\/code>, I created a new BKS keystore, generated a key pair, then generated a certification request for that key.<\/p>\nopenssl req -new -x509 -days portecle<\/code>) with my newly-created CA key:<\/p>\nopenssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days portecle<\/code>, I imported the trusted certificate. It gave me some grief because my self-created CA isn’t trusted, but it gives you the option of manually trusting it anyway.<\/p>\nmosquitto<\/code> to trust my CA key as well. I’ll try adding it as a cafile<\/code>…hopefully mosquitto<\/code> will support having both a capath<\/code> and a cafile<\/code> at the same time. (Note: it does.)<\/p>\nmosquitto<\/code> doesn’t barf, but the app won’t connect…I get this:<\/p>\n
\n1479444878: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
\n1479444878: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
\n1479444878: Socket error on client > mosquitto_pub -h home.mblythe.net -p 8883 --cert ~\/Downloads\/mqtt.crt --key ~\/Downloads\/mqtt.pem --capath \/etc\/ssl\/certs --cafile ~\/Downloads\/mblythe_ca.crt -t \"inTopic\" -m 1 -d
\nEnter PEM pass phrase:
\nClient mosqpub\/23189-bruce sending CONNECT
\nError: A TLS error occurred.<\/code><\/p><\/blockquote>\n1479450665: New connection from 192.168.1.1 on port 8883.
\n1479450672: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca<\/code><\/p><\/blockquote>\n
\n> cd mqtt_key_stuff\/
\n> openssl genrsa -des3 -out mqtt2.key 2048
\n> openssl req -out mqtt2.csr -key mqtt2.key -new
\n> sudo openssl x509 -req -in mqtt2.csr -CA mblythe_ca.crt -CAkey \/etc\/ssl\/private\/ca.key -CAcreateserial -out mqtt2.crt -days 90
\n> mosquitto_pub -h home.mblythe.net -p 8883 --cert ~\/mqtt_key_stuff\/mqtt2.crt --key ~\/mqtt_key_stuff\/mqtt2.key --capath \/etc\/ssl\/certs --cafile ~\/mqtt_key_stuff\/mblythe_ca.crt -t \"inTopic\" -m 1 -d
\n> mosquitto_pub -h home.mblythe.net -p 8883 --cert ~\/mqtt_key_stuff\/mqtt2.crt --key ~\/mqtt_key_stuff\/mqtt2.key --capath \/etc\/ssl\/certs --cafile ~\/mqtt_key_stuff\/mblythe_ca.crt -t \"inTopic\" -m 0 -d
\n<\/code><\/p><\/blockquote>\n\/etc\/mosquitto\/conf.d\/local.conf<\/code> and make sure it fails (i.e. we’re actually authenticating the client cert).<\/p>\ncafile \/etc\/mosquitto\/certs\/mblythe_ca.crt<\/code><\/p><\/blockquote>\n> mosquitto_pub -h home.mblythe.net -p 8883 --cert ~\/Downloads\/mqtt2.crt --key ~\/Downloads\/mqtt2.key --capath \/etc\/ssl\/certs --cafile ~\/Downloads\/mblythe_ca.crt -t \"inTopic\" -m 0 -d
\nEnter PEM pass phrase:
\nClient mosqpub\/7388-bruce sending CONNECT
\nError: A TLS error occurred.
\n<\/code><\/p><\/blockquote>\nportecle<\/code> again and add this key & cert to a BKS keystore. Looks like it won’t import the key…it’s looking for a PKCS12 file type. Conversion command from here<\/a>.<\/p>\n> openssl pkcs12 -export -inkey mqtt2.key -in mqtt2.key -out mqtt2.p12
\nEnter pass phrase for mqtt2.key:
\nunable to load certificates
\n<\/code><\/p><\/blockquote>\n-in<\/code> option should be the certificate, not the key again<\/p>\n> openssl pkcs12 -export -inkey mqtt2.key -in mqtt2.crt -out mqtt2.p12
\nEnter pass phrase for mqtt2.key:
\nEnter Export Password:
\nVerifying - Enter Export Password:<\/code><\/p><\/blockquote>\nunlimited_policy<\/code> directory anymore. This<\/a> lead me to this<\/a> which lead me to this<\/a>, which describes the change.<\/p>\n