Mosquitto

Mosquitto is an open source MQTT message broker provided by the Eclipse Foundation.

Additional software
Client libraries and integrations, e.g. Eclipse Paho.

Files

 * - global (system-wide) configuration file
 * - per-user defaults for the mosquitto_sub command
 * - per-user defaults for the mosquitto_pub command

Listeners:
 * define at least one listener; without one the broker (since version 2.0) only accepts connections from localhost, so remote clients cannot connect
 * restrict a listener to one of several network interfaces with bind_interface (or give a bind address on the listener line)
 * configure multiple listeners and set per_listener_settings true, placed before any other security-related option, to separate contexts (e.g. different authentication per listener) or to shard traffic

Security:

 * memory_limit caps the memory the broker allocates and so limits resource exhaustion
 * message_size_limit makes the broker reject publish payloads above the configured size (MQTT itself allows up to 268435455 bytes)
 * persistent_client_expiration removes stale persistent clients (those that connected with clean session set to false) that have not reconnected within the given period, e.g. 1d or 2w

Monitoring

 * log_dest, preferably a file such as /var/log/mosquitto.log (writable by the mosquitto user), together with log_type to select the message classes and optionally connection_messages to record every client connect and disconnect

TLS (X509)
This section illustrates the basic steps:

 * 1) create a private key
 * 2) create a certificate signing request (CSR) for that private key
 * 3) sign the CSR with your own CA to obtain the server certificate

For other options and how to let the system trust your own CA see Certificates.

First create a directory tls below Mosquitto's configuration directory and generate the broker key there. Shown here is an elliptic-curve key on a non-NIST curve:

Certificates have a limited validity period and have to be re-issued regularly. This is much easier with an OpenSSL request configuration file (here without subject alternative names, for a certificate that serves the MQTT broker only; note that TLS stacks other than OpenSSL may insist on a subject alternative name and ignore the CN):

Create the CSR:

With your own root or intermediate CA, issue a certificate valid for 365 days:

Store broker-yourserver.crt in /etc/mosquitto/tls and configure mosquitto.conf accordingly:

Finally, secure all files by revoking group and world permissions so that only the mosquitto user can read them:
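The complete procedure above (key, CSR from a request configuration file, signing with your own CA, file permissions) as a script. This is an added example, not code from the page or from the Mosquitto project. It assumes OpenSSL 1.1.1 or newer (required for Ed25519), an existing CA key and certificate, the broker hostname broker.example.org and a local account named mosquitto; it goes slightly beyond the text by also writing a subject alternative name and a serverAuth extended key usage into the certificate, and it ends with the check a practitioner wants: the new certificate must chain to the CA and carry the expected name.

```shell
#!/bin/sh
# Added example (not from the page or the Mosquitto project): issue a broker
# certificate with your own CA and lock the files down.
# Assumptions: OpenSSL >= 1.1.1 (Ed25519), CA key/cert already exist,
# hostname broker.example.org, broker runs as local user "mosquitto".
set -eu

# OpenSSL request configuration: CN plus a SAN for the same host, server
# usage only, never a CA. $1 is the broker hostname.
csr_config() {
  cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = $1

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

# Restrict the TLS directory to its owner: no group or world access at all.
lock_down() {
  dir="$1"
  chmod 700 "$dir"
  chmod 600 "$dir"/*
  # ownership can only be changed as root, and only if the account exists
  if [ "$(id -u)" = 0 ] && id mosquitto >/dev/null 2>&1; then
    chown -R mosquitto:mosquitto "$dir"
  fi
}

# issue_broker_cert HOST TLSDIR CA_KEY CA_CERT
# 1) key  2) CSR  3) sign with own CA for 365 days, then verify the result.
issue_broker_cert() {
  host="$1"; dir="$2"; ca_key="$3"; ca_crt="$4"
  name="broker-$host"
  mkdir -p "$dir"
  csr_config "$host" > "$dir/$name.cnf"
  # 1) Ed25519 private key (non-NIST curve; clients need OpenSSL >= 1.1.1)
  openssl genpkey -algorithm ED25519 -out "$dir/$name.key"
  # 2) CSR bound to that key, subject and extensions from the config file
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
  # 3) certificate signed by the CA, valid 365 days, with the v3_req extensions
  openssl x509 -req -in "$dir/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -extfile "$dir/$name.cnf" -extensions v3_req \
    -out "$dir/$name.crt"
  # clients verify against the CA certificate; keep a copy beside the broker files
  cp "$ca_crt" "$dir/ca.crt"
  lock_down "$dir"
  # check: the certificate chains to the CA and names the broker host
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
  openssl x509 -in "$dir/$name.crt" -noout -subject | grep -q "CN *= *$host"
}

# Usage: ./issue-cert.sh broker.example.org /etc/mosquitto/tls /root/ca/ca.key /root/ca/ca.crt
if [ "$#" -eq 4 ]; then
  issue_broker_cert "$@"
fi
```

Re-run the script before the 365 days expire and restart the broker afterwards; the verify step at the end fails loudly if the CA certificate or key handed to it does not match.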

Improvements:

 * protect the broker key with a password; this requires unlocking the key on every start or restart, which does not fit an unattended service
 * monitor the certificate expiration date, e.g. with an Icinga2 check
 * use key management, e.g. an external device or a partition that is only mounted while the service starts
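A complete mosquitto.conf that brings together the listener, resource limit, logging and TLS settings from the sections above. It is an added example, not a configuration taken from the page or shipped by the project. Assumed are the interface name eth0, a password file at /etc/mosquitto/passwd, the certificate names used in the TLS section and a key file /etc/mosquitto/tls/broker-yourserver.key; the local plaintext listener for the host itself is also an assumption.

```conf
# Added example configuration, not the page's or the project's own file.
# Must be the first security-related option when listeners differ.
per_listener_settings true

# Drop root privileges after binding the ports.
user mosquitto

# Resource limits (see Security): 128 MiB of broker memory, 64 KiB payloads.
memory_limit 134217728
message_size_limit 65536

# Persistent clients that do not reconnect within a day are removed.
persistence true
persistence_location /var/lib/mosquitto/
persistent_client_expiration 1d

# Logging (see Monitoring); the file must be writable by user mosquitto.
log_dest file /var/log/mosquitto.log
log_type error
log_type warning
log_type notice
connection_messages true

# Plaintext listener for clients on this host only (assumption).
listener 1883 127.0.0.1
allow_anonymous true

# TLS listener for remote clients, bound to a single interface (eth0 assumed).
listener 8883
bind_interface eth0
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/broker-yourserver.crt
keyfile /etc/mosquitto/tls/broker-yourserver.key
tls_version tlsv1.2
allow_anonymous false
password_file /etc/mosquitto/passwd
```

Every option after a listener line applies to that listener only once per_listener_settings is enabled, which is what keeps anonymous access on the loopback listener from leaking to the TLS listener. Check the file with a restart in the foreground (mosquitto -c /etc/mosquitto/mosquitto.conf -v) before enabling the service, since a typo in an option name is reported there immediately.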

Usage
The package provides the broker and command line tools to interact with it directly. The following command subscribes to the topic announce/info on the given host at port 8883, assuming the broker was configured with a TLS listener there; the process keeps running until it is stopped:

To publish the message "This broker is up and running" to the same topic on the same host as a different user:

This message now shows up in the output of the first command.
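The subscribe and publish commands from this section, plus a timed round-trip check, as an added example that is not part of the original page or the Mosquitto project. Assumed: the broker mqtt.example.org with the TLS listener on 8883, the CA file from the TLS section, and two broker accounts, monitor and announcer, whose passwords are supplied through the environment variables MONITOR_PW and ANNOUNCER_PW.

```shell
#!/bin/sh
# Added example (not from the page or the Mosquitto project): subscribe and
# publish over the TLS listener with the packaged client tools, then verify
# the round trip. Assumed: host mqtt.example.org, CA file below, accounts
# "monitor" and "announcer" with passwords in MONITOR_PW / ANNOUNCER_PW.
set -eu

HOST="${MQTT_HOST:-mqtt.example.org}"
PORT="${MQTT_PORT:-8883}"
CAFILE="${MQTT_CAFILE:-/etc/mosquitto/tls/ca.crt}"
TOPIC="announce/info"

# Subscribe and print "<topic> <payload>" for every message; runs until stopped.
# The host name must match the CN/SAN of the broker certificate; do not work
# around a mismatch with --insecure outside of debugging.
sub_announce() {
  mosquitto_sub -h "$HOST" -p "$PORT" --cafile "$CAFILE" \
    -u monitor -P "$MONITOR_PW" -t "$TOPIC" -v
}

# Publish one message to the same topic as a different user.
pub_announce() {
  mosquitto_pub -h "$HOST" -p "$PORT" --cafile "$CAFILE" \
    -u announcer -P "$ANNOUNCER_PW" -t "$TOPIC" -m "$1"
}

# Round-trip check: wait for exactly one message (give up after 10 s),
# publish, and compare. Returns 0 when the payload came back unchanged.
check_roundtrip() {
  msg="$1"
  out=$(mktemp)
  mosquitto_sub -h "$HOST" -p "$PORT" --cafile "$CAFILE" \
    -u monitor -P "$MONITOR_PW" -t "$TOPIC" -q 1 -C 1 -W 10 > "$out" &
  subpid=$!
  sleep 1   # let the subscriber connect before the message is sent
  pub_announce "$msg"
  wait "$subpid" || true
  received=$(cat "$out")
  rm -f "$out"
  [ "$received" = "$msg" ]
}

# Usage: MONITOR_PW=... ANNOUNCER_PW=... ./announce.sh
if [ "$#" -gt 0 ]; then
  check_roundtrip "$*"
fi
```

Run sub_announce in one terminal and pub_announce in another to reproduce the section above interactively; check_roundtrip is the same exchange reduced to one message so that it can be used as a service check. A failure with "Connection refused" or a TLS error before any message points at the listener or certificate configuration, a timeout with a successful connection at the topic or ACL.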