mosquitto配置用户名密码及tls加密双向认证访问

需求背景

需要在linux环境中安装配置mqtt broker,并配置用户名、密码访问及tls加密传输认证;

准备资料

1、centos 6.5 64bit
2、mosquitto1.4.4版本

安装mqtt broker服务

1、解压源码包tar xvf mosquitto-1.4.14.tar.gz
2、进入源码目录,编辑config.mk文件:
分别修改
WITH_SRV:=no —->WITH_SRV:=yes
WITH_UUID:=no —->WITH_UUID:=yes
3、安装必要依赖包
yum install gcc gcc-c++ openssl-devel
4、make && make install 安装即可;
5、启动服务
5.1、默认路径
mqtt broker服务默认安装在/usr/local/bin
配置文件默认在/etc/mosquitto
5.2、添加基本配置
cd /etc/mosquitto/进入配置文件目录;
cp mosquitto.conf.example mosquitto.conf,拷贝基本配置文件;
执行mosquitto -c /etc/mosquitto/mosquitto.conf -v启动服务;
会报错,如下:
1600225060: mosquitto version 1.4.14 (build date 2020-09-16 10:51:44+0800) starting
1600225060: Config loaded from /etc/mosquitto/mosquitto.conf.
1600225060: Opening ipv4 listen socket on port 1883.
1600225060: Opening ipv6 listen socket on port 1883.
1600225060: Error: Invalid user ‘mosquitto’.
默认是用mosquitto帐号启动,添加帐号即可;
useradd mosquitto,然后再启动
看到如下信息,说明broker已经启动成功;
1600225144: mosquitto version 1.4.14 (build date 2020-09-16 10:51:44+0800) starting
1600225144: Config loaded from /etc/mosquitto/mosquitto.conf.
1600225144: Opening ipv4 listen socket on port 1883.
1600225144: Opening ipv6 listen socket on port 1883.
6、验证订阅、发布功能是否正常
6.1、订阅
执行命令:mosquitto_sub -h 127.0.0.1 -p 1883 -t ‘/mqttbroker/test’
mosquitto_sub: error while loading shared libraries: libmosquitto.so.1: cannot open shared object file: No such file or directory
报错了,是libmosquitto.so.1库找不到问题,只需要添加到加载搜索的环境变量即可;
默认安装时,libmosquitto.so安装到了/usr/local/lib路径,所以只需要将这个路径添加到ldconfig搜索的路径就行;
echo ‘/usr/local/lib’ > /etc/ld.so.conf.d/local-lib.conf,然后再ldconfig -v | grep mosquitto,看到如下信息,则说明加载成功,再次执行订阅命令;
libmosquitto.so.1 -> libmosquitto.so.1
libmosquittopp.so.1 -> libmosquittopp.so.1
6.2、发布消息
执行命令:mosquitto_pub -h 127.0.0.1 -p 1883 -t ‘/mqttbroker/test’ -m ‘hello mqtt’,如果上面的订阅能够收到消息,则说明没问题;如果不成功,则
根据broker终端打印的消息进一步定位问题;

配置用户名密码访问

1、修改allow_anonymous参数
编辑/etc/mosquitto/mosquitto.conf文件,找到allow_anonymous参数
修改前:#allow_anonymous true
修改后:allow_anonymous false
2、修改password_file参数
编辑/etc/mosquitto/mosquitto.conf文件,找到password_file参数
修改前:#password_file
修改后:password_file /etc/mosquitto/pwfile
3、创建帐号、密码
mosquitto_passwd -c /etc/mosquitto/pwfile test-mqtt-passwd1
Password: 123456
Reenter password:123456
创建测试帐号:test-mqtt-passwd1,密码123456
cat /etc/mosquitto/pwfile查看刚刚创建的帐号
test-mqtt-passwd1:$6$tkJEQ7rGxhb9OH3j$Nvbc7lru78BvWris7Eas6n4fsLya/c6OS+0Au7IklNrrTjbfZd6yNBGT6PrM92BkFjl5b37o+ZvXiOP2nUIUGg==
4、验证
4.1、订阅
mosquitto_sub -h 127.0.0.1 -p 1883 -t ‘/mqttbroker/test’ -u ‘test-mqtt-passwd1’ -P ‘123456’
4.2、发布
mosquitto_pub -h 127.0.0.1 -p 1883 -t ‘/mqttbroker/test’ -m ‘hello mqtt passwd’ -u ‘test-mqtt-passwd1’ -P ‘123456’
订阅端可以正常收到的话,则说明用户名密码配置成功;如果不用用户名密码或填写错误,则会报如下错误提示
Connection Refused: not authorised.
Error: The connection was refused.

配置tls加密双向认证

1、生成CA的key和证书文件
1.1、生成ca的密钥文件
openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
……..+++
………………………………………+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:123456789
Verifying – Enter pass phrase for ca.key:123456789
1.2、生成ca证书
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Enter pass phrase for ca.key:8AN1Y9m)>|pF2GC.8)2SU.kNHBr(LyI
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:test-pn
Locality Name (eg, city) [Default City]:test-ln
Organization Name (eg, company) [Default Company Ltd]:test-on
Organizational Unit Name (eg, section) []:test-oun
Common Name (eg, your name or your server’s hostname) []:0.0.0.0
Email Address []:testemail@test.com
2、生成server端证书
2.1、生成server私钥
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
…………………………………………………..+++
…………………………………………………………..+++
e is 65537 (0x10001)

2.2、生成server端请求文件(.csr)
openssl req -new -out server.csr -key server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:test-pn
Locality Name (eg, city) [Default City]:test-ln
Organization Name (eg, company) [Default Company Ltd]:test-on
Organizational Unit Name (eg, section) []:test-oun
Common Name (eg, your name or your server’s hostname) []:服务端的域名或IP
Email Address []:testemail@test.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:1234567890AABBCC
An optional company name []:test-cn

2.3、生成服务端的证书
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
Signature ok
subject=/C=CN/ST=fj/L=xm/O=wtbl/OU=wtbl/CN=服务端的域名或IP/emailAddress=testemail@test.com
Getting CA Private Key
Enter pass phrase for ca.key:123456789

3、生成client端证书
3.1、生成client的私钥
openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
………………………..+++
……….+++
e is 65537 (0x10001)

3.2、生成client端请求文件(.csr)
openssl req -new -out client.csr -key client.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:test-pn
Locality Name (eg, city) [Default City]:test-ln
Organization Name (eg, company) [Default Company Ltd]:test-on
Organizational Unit Name (eg, section) []:test-oun
Common Name (eg, your name or your server’s hostname) []:服务端的域名或IP
Email Address []:testemail@test.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:1234567890CCBBAA
An optional company name []:test-cn

3.3、生成client端的证书
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
Signature ok
subject=/C=CN/ST=fj/L=xm/O=wtbl/OU=wtbl/CN=服务端的域名或IP/emailAddress=testemail@test.com
Getting CA Private Key
Enter pass phrase for ca.key:123456789

最后生成的文件如下
ca.crt ca.key ca.srl client.crt client.csr client.key server.crt server.csr server.key

4、修改mosquitto配置文件
4.1、添加tls认证访问的端口
编辑/etc/mosquitto/mosquitto.conf文件,找到# Certificate based SSL/TLS support
添加listener 2883
2、修改cafile参数
编辑/etc/mosquitto/mosquitto.conf文件,在上面添加的listener参数下方添加
cafile /usr/local/etc/mosquitto/tls/ca.crt
3、修改certfile参数
编辑/etc/mosquitto/mosquitto.conf文件,在上面添加的cafile参数下方添加
certfile /usr/local/etc/mosquitto/tls/server.crt
4、修改keyfile参数
编辑/etc/mosquitto/mosquitto.conf文件,在上面添加的certfile参数下方添加
keyfile /usr/local/etc/mosquitto/tls/server.key
5、修改require_certificate参数
编辑/etc/mosquitto/mosquitto.conf文件,找到require_certificate参数
修改前:#require_certificate false
修改后:require_certificate true
6、修改use_identity_as_username参数
编辑/etc/mosquitto/mosquitto.conf文件,找到use_identity_as_username参数
修改前:#use_identity_as_username false
修改后:use_identity_as_username false
5、加载证书进行订阅、发布验证
5.1、服务端使用的IP或域名
mqtt broker运行的服务端最好使用域名,如果没有域名,IP要对应好,因为生成的证书中的域名如果跟实际访问不匹配,会认证失败,虽然添加–insecure参数可以忽略;
这里实验环境使用的是192.168.100.200
5.2、通过tls证书订阅
mosquitto_sub -h 192.168.100.200 -p 2883 -t ‘/mqttbroker/test’ -u ‘test-mqtt-passwd1’ -P ‘123456’ -i 123456 –cafile /etc/mosquitto/tls/ca.crt –cert /etc/mosquitto/tls/client.crt –key /etc/mosquitto/tls/client.key
5.3、通过tls证书发布
mosquitto_pub -h 192.168.100.200 -p 2883 -t ‘/mqttbroker/test’ -u ‘test-mqtt-passwd1’ -P ‘123456’ -i 123457 –cafile /etc/mosquitto/tls/ca.crt –cert /etc/mosquitto/tls/client.crt –key /etc/mosquitto/tls/client.key -m ‘hello mqtt passwd tls’
订阅方可以正常访问,则说明配置都正常了,done;

附件下载

 

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值