http://lukse.lt/uzrasai/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server/
Install some libraries and tools
apt-get update
apt-get install pkg-config cmake openssl libc-ares-dev libssl-dev python-mosquitto
Then install mosquitto from source (please double-check that you are installing the latest version). Of course you can also install it on other operating systems and platforms (OS X, Windows, OpenWrt, various Linux distributions, Raspberry Pi) using the prepared setup packages.
wget http://mosquitto.org/files/source/mosquitto-1.3.5.tar.gz
tar xzf mosquitto-1.3.5.tar.gz
cd mosquitto-1.3.5
cmake .
make install
Pretty easy. Mosquitto is installed and should be ready to serve. The interesting part comes next: if secure messaging over SSL/TLS is needed, you will need to generate certificates.
Edit configuration file
Make some adjustments to the configuration file. There are more settings to adjust, but I provide only a basic set.
mkdir /etc/mosquitto/conf.d/certs
nano /etc/mosquitto/conf.d/mosquitto.conf
Here is what my configuration looks like
# authentication: reject clients that do not present a valid username and password
allow_anonymous false
autosave_interval 1800
connection_messages true
log_dest stderr
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
log_type all
log_type debug
log_timestamp true
password_file /etc/mosquitto/conf.d/jp.pw
acl_file /etc/mosquitto/conf.d/jp.acl
persistence true
persistence_location /tmp/
persistence_file mosquitto.db
persistent_client_expiration 1m
retained_persistence true
# plain MQTT only on loopback; everything else must come in over TLS on 8883
listener 1883 127.0.0.1
listener 8883
# tlsv1 was current when this was written; TLS 1.0 is deprecated today, so prefer tlsv1.2 or newer where your clients support it
tls_version tlsv1
# certificate paths point at the certs directory created above
cafile /etc/mosquitto/conf.d/certs/ca.crt
certfile /etc/mosquitto/conf.d/certs/server.crt
keyfile /etc/mosquitto/conf.d/certs/server.key
# clients authenticate with password, not with their own certificate
require_certificate false
allow_anonymous false
SSL key generation
Go to the certificate directory I prepared earlier and run a few commands. You will be asked to enter some data. There are a few tricky parts:
- If your certificate will be used on a local machine without a valid hostname (i.e. only an IP address), you must use special settings in your program to make it a bit less secure (don't check the hostname). The connection will still be encrypted, but the client then cannot tell which server it is talking to.
- Don't set -days xxxx too big; the certificate will be invalid and you might get strange errors.
cd /etc/mosquitto/conf.d/certs/
openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt
> Generating a 2048 bit RSA private key
> .....................................................................................+++
> ..+++
> writing new private key to 'ca.key'
> Enter PEM pass phrase:123
> Verifying - Enter PEM pass phrase:123
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:LT
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:Vilnius
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
> Email Address []:e@mail.com
openssl genrsa -des3 -out server.key 2048
> Generating RSA private key, 2048 bit long modulus
> ............................................................................................................+++
> ..............+++
> e is 65537 (0x10001)
> Enter pass phrase for server.key:123
> Verifying - Enter pass phrase for server.key:123
openssl genrsa -out server.key 2048
> Generating RSA private key, 2048 bit long modulus
> ....................................................................+++
> ................................................+++
> e is 65537 (0x10001)
openssl req -out server.csr -key server.key -new
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:LT
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:Vilnius
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
> Email Address []:e@mail.com
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:123
> An optional company name []:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000
> Signature ok
> subject=/C=LT/ST=Some-State/L=Vilnius/O=lukse.lt/CN=lukse.lt/emailAddress=e@mail.com
> Getting CA Private Key
> Enter pass phrase for ca.key:123
That's it. We can run the secure mosquitto now. Just to test, I will run it in verbose mode.
service mosquitto stop
/usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
If you see output like this, everything is good and you are ready to dig deeper.
root@397063:/home/mqtt/remote_shell# /usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
1424034500: mosquitto version 1.3.5 (build date 2014-10-18 00:28:57+0000) starting
1424034500: Config loaded from /etc/mosquitto/mosquitto.conf.
1424034500: Opening ipv4 listen socket on port 1883.
1424034500: Opening ipv4 listen socket on port 8883.
1424034500: Opening ipv6 listen socket on port 8883.
User management
Mosquitto has built-in features to manage users. It uses two config files: jp.pw for managing passwords and jp.acl for access-level configuration.
Passwords
To create a new user
mosquitto_passwd /etc/mosquitto/conf.d/jp.pw test
> Password: secret
> Reenter password: secret
To delete a user
mosquitto_passwd -D /etc/mosquitto/conf.d/jp.pw test
The password file looks like this
root@397063:/etc/mosquitto/conf.d# cat /etc/mosquitto/conf.d/jp.pw
test1:$6$GWjNhmdRHTBKTwx0gIAWwerH0epp4Wb6q4sam7AhUAwboIdDVUhI9NiV32sY9rzhS7DlrznhOkUF/2pb4GOg5O4dhcCB2tAwlb/hmoQ==
test2:$6$v61hb9FpQ53KS0jZ$m94VacLuKntD/Fhqi9Sw9gBWPMDVQo76ZnznIvm0C3G0XVNfysĖhNFEVlIWByJt9Bq41reBHrx4yYbxmu5aNjLXEVw==
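The lines above are opaque until you know the layout. As an added example (not mosquitto's own code), here is how mosquitto_passwd 1.x builds an entry: user, then $6$, a base64 12-byte random salt, another $, and base64 of SHA-512 over password followed by salt. The helpers build such a line, audit whether a given line is well-formed, and verify a password against it in constant time.

```python
"""Added example: build and check mosquitto_passwd entries of the form
user:$6$<base64 salt>$<base64 SHA-512(password || salt)>  (12-byte salt)."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 12  # mosquitto_passwd (1.x) draws 12 random salt bytes


def make_entry(username, password, salt=None):
    """Produce one jp.pw line the way mosquitto_passwd does."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "%s:$6$%s$%s" % (username,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def parse_entry(line):
    """Split 'user:$6$salt$hash'; raise ValueError on a malformed line."""
    username, sep, hashed = line.strip().partition(":")
    parts = hashed.split("$")
    if not sep or len(parts) != 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a $6$ mosquitto_passwd entry: %r" % line)
    try:  # binascii.Error is a ValueError subclass
        return (username,
                base64.b64decode(parts[2], validate=True),
                base64.b64decode(parts[3], validate=True))
    except ValueError as exc:
        raise ValueError("bad base64 in entry %r" % line) from exc


def well_formed(line):
    """Audit helper: True only if the line parses, the salt is 12 bytes
    and the digest is a full 64-byte SHA-512 output."""
    try:
        _, salt, digest = parse_entry(line)
    except ValueError:
        return False
    return len(salt) == SALT_LEN and len(digest) == 64


def verify(line, username, password):
    """Recompute the salted SHA-512 and compare without timing leaks."""
    user, salt, expected = parse_entry(line)
    actual = hashlib.sha512(password.encode() + salt).digest()
    return user == username and hmac.compare_digest(actual, expected)
```

Running well_formed over every line of jp.pw is a quick way to spot entries that were mangled when the file was copied or edited by hand.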
Access level
This file, jp.acl, must be edited by hand; a sample file looks like this
root@397063:/etc/mosquitto/conf.d# cat jp.acl
# anonymous access
topic read $SYS/#
topic test/#
user test1
topic write zz/#
topic read zz/#
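To see what the file above actually grants, here is an added example (not mosquitto's own code) that parses it and answers "may this client read or write this topic". It assumes the mosquitto 1.x semantics from the manual: the leading section applies to anonymous clients only, a topic line without an access keyword means readwrite, and MQTT wildcard rules apply to the filters.

```python
"""Added example: evaluate a mosquitto-style ACL file (not mosquitto's code)."""

# Constructed input: the jp.acl shown in this post.
SAMPLE_ACL = """\
# anonymous access
topic read $SYS/#
topic test/#
user test1
topic write zz/#
topic read zz/#
"""


def topic_matches(sub, topic):
    """MQTT filter match: '+' is one level, '#' the rest; a wildcard at
    the start never matches a '$'-prefixed topic (MQTT 3.1.1 rule)."""
    if topic.startswith("$") and sub[:1] in ("#", "+"):
        return False
    s, t = sub.split("/"), topic.split("/")
    for i, part in enumerate(s):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(s) == len(t)


def parse_acl(text):
    """Map username (None = leading anonymous section) -> [(access, filter)]."""
    acls, user = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "user":
            user = rest.strip()
            acls.setdefault(user, [])
        elif key == "topic":
            access, _, filt = rest.strip().partition(" ")
            if access not in ("read", "write", "readwrite"):
                access, filt = "readwrite", rest.strip()  # no keyword = full access
            acls.setdefault(user, []).append((access, filt.strip()))
        else:
            raise ValueError("unsupported ACL line: %r" % raw)
    return acls


def allowed(acls, username, topic, access):
    """Deny by default. Assumption (mosquitto 1.x manual): a logged-in user is
    checked only against its own 'user' section, never the anonymous one."""
    for acc, filt in acls.get(username, []):
        if acc in (access, "readwrite") and topic_matches(filt, topic):
            return True
    return False
```

With this you can check, before deploying a change to jp.acl, that an authenticated user cannot write into topics that were meant to be read-only.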
Enable and start service
After installing the mosquitto server, creating the SSL keys and configuring users, you are ready to start the MQTT server with these commands
service mosquitto enable
service mosquitto start