Management Center restarting broker?

Hi, I want to know why every role that I assign is restarting the broker. So will the delay (broker restart) become a problem and increase if there are more subscribing and publishing clients?

Also, I want to know about its SSL connection. How can I configure SSL on the broker side? Does it support OpenSSL by default? Can I use it with another certificate?

Hi Pranav,

The management center should not be restarting the broker. I imagine what is happening is that the broker is kicking off the management center client.

When you make changes to a client, group, or role, any devices that are connected that are affected by those changes will be disconnected from the broker - when they reconnect they will have the correct authorisations applied.

For example, if you add a new ACL to a role, all of the clients using that role, either directly or through a group, will be kicked. If you add/remove a role from a client or group, or add/remove a client from a group, the same is true.

I would recommend keeping a client/group specifically for administering the management centre clients, then you won’t be disturbed by your client being disconnected when you are making unrelated changes.

SSL has to be configured at the broker directly; it’s not yet possible through the management center. You should use a listener section like this:

listener 8883
certfile <path to your PEM encoded x509 certificate with intermediates>
keyfile <path to your PEM encoded private key>

I hope that helps.

Regards,

Roger


Thanks Roger.
I want to know more specifically about this, because I did the same as you mentioned but it gives me an error:

Error: Unable to load CA certificates. Check cafile and certfile. EXIT CODE 1.

Am I missing something?

Only the root user has access to certificates in /etc/letsencrypt; they need to be placed somewhere that the mosquitto user can access them. We have an example letsencrypt post-renewal hook that does this for you: mosquitto/mosquitto-copy.sh at master · eclipse/mosquitto · GitHub

Use that script to copy the certificates, update your configuration file to match, and then you should be back up and running.

Regards,

Roger
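The "Unable to load CA certificates" error above only tells you that the broker could not load a file; it does not say whether the cause is permissions, an empty or non-PEM certfile, or a key that does not belong to the certificate. The following pre-start check is an added example written for this thread (it is not part of Mosquitto or the Cedalo platform); the user name, paths and the use of `su` for the read check are assumptions, and it needs the openssl command line tool.

```sh
#!/bin/sh
# Added example, not from the thread or the Mosquitto project: check the
# certfile/keyfile of a TLS listener before starting the broker.
# Assumptions: the broker drops to user "mosquitto" (pass another name if not),
# and openssl is installed. Run it as root so the su-based read check works;
# inside a container, run it as the container's mosquitto user instead.

# readable_by USER FILE: succeeds if USER can read FILE
readable_by() {
    if [ "$(id -un)" = "$1" ]; then
        [ -r "$2" ]
    else
        su -s /bin/sh "$1" -c "test -r '$2'" 2>/dev/null   # needs root
    fi
}

# pem_cert_count FILE: number of PEM certificates in FILE (0 if missing)
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# key_matches_cert KEYFILE CERTFILE: succeeds if the private key's public half
# equals the public key of the first (leaf) certificate in CERTFILE
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_listener_files USER CERTFILE KEYFILE: run all checks, report every failure
check_listener_files() {
    user="$1"; cert="$2"; key="$3"; rc=0
    for f in "$cert" "$key"; do
        readable_by "$user" "$f" || { echo "FAIL: user $user cannot read $f (check ls -l, chown/chmod)" >&2; rc=1; }
    done
    [ "$(pem_cert_count "$cert")" -ge 1 ] || { echo "FAIL: no PEM certificate found in $cert" >&2; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not match the leaf certificate in $cert" >&2; rc=1; }
    return $rc
}

# Stand-alone use: ./check-listener.sh mosquitto /path/to/fullchain.pem /path/to/privkey.pem
if [ $# -eq 3 ]; then
    check_listener_files "$1" "$2" "$3" && echo "OK: $2 and $3 are loadable by user $1"
fi
```

The key/certificate comparison works because both `openssl pkey -pubout` and `openssl x509 -pubkey -noout` print the same SubjectPublicKeyInfo PEM for a matching pair; a mismatch (for example, a fullchain.pem copied after a renewal but a privkey.pem that was not) shows up as the third failure line.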

I used that file just a few minutes ago and got an error. I’m confused: do I need to provide anything there, like my domain name in RENEWED_DOMAINS?

I understand from that file that I can provide the path where I want to store the certificate.

Is that right?

mosquitto-copy.sh: 17: [: =: unexpected operator
or
./mosquitto-copy.sh: line 17: [: =: unary operator expected

This was the error I repeatedly got.

Sorry, I wasn’t clear at all there. This is a script that is used by the letsencrypt certbot client after it renews a certificate, you don’t run it yourself. To get it to trigger you’ll likely have to force a renewal with certbot --force-renewal.

Thanks Roger for that.

Can you please correct me if I’m wrong here about providing input to this file:

if [ "${RENEWED_DOMAINS}" = "mydomain.com" ]; then   # quoted: an empty or multi-name value no longer breaks the test
	# Copy new certificate to Mosquitto directory
	cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/myfolder/certs/fullchain.pem
	cp "${RENEWED_LINEAGE}/privkey.pem" /etc/myfolder/certs/privkey.pem

	# Set ownership to Mosquitto
	chown mosquitto: /etc/myfolder/certs/privkey.pem /etc/myfolder/certs/fullchain.pem

> **What about this chown mosquitto? Do I need to change it?**

	# Ensure permissions are restrictive
	chmod 0600 /etc/myfolder/certs/fullchain.pem /etc/myfolder/certs/privkey.pem

	# Tell Mosquitto to reload certificates and configuration
	pkill -HUP -x mosquitto
fi

Is this the correct configuration from my side?

Yes, you need to configure the location that the certificates will be copied.

I have updated the script to make it a bit more obvious what to edit, and that you only need to edit two places.

Thank you Roger for updating the script. But I have one doubt, since I’m using Cedalo: what will this line be here?

and here

Do I need to change mosquitto?

The chown line needs to point to the same path as the rest of the paths used. If you’re using the docker container, then wherever you have mounted as volume for /mosquitto/data or /mosquitto/config would make sense.

The pkill line can remain unchanged.

With this newly edited configuration I renewed my certificate and got an error:

Error output from deploy-hook command mosquitto-copy.sh:
/etc/letsencrypt/renewal-hooks/deploy/mosquitto-copy.sh: 20: [: mydomain.com: unexpected operator

Am I missing something?

I believe you also need to tell certbot which domain you want to renew. You should renew it in exactly the same way as you would do normally, but with --force-renewal included. This only needs to happen once, so do not change the normal way you would renew.

I’ve also updated the script so it doesn’t give an error in the case you try to renew without giving a domain.
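To make the deploy-hook discussion above concrete, here is an added example of such a hook written for this thread; it is in the spirit of the project's mosquitto-copy.sh but is not that script and not Roger's updated version. It keeps the two editable places (domain and destination directory) at the top, and it handles the two failure modes that came up: being run by hand without certbot's variables, and a RENEWED_DOMAINS value that is empty or holds several names. MQTT_DOMAIN, CERT_DIR and the owner name are assumptions to edit for your setup; the copy is done through temporary names so a reload never sees a half-written key.

```sh
#!/bin/sh
# Added example for this thread: a certbot deploy hook for Mosquitto.
# Not the project's mosquitto-copy.sh; MQTT_DOMAIN, CERT_DIR and MQTT_OWNER
# are assumptions to be edited for your installation.
#
# certbot exports two variables when it runs a deploy hook:
#   RENEWED_LINEAGE  directory holding the fresh fullchain.pem and privkey.pem
#   RENEWED_DOMAINS  space-separated names on the renewed certificate
# Run by hand, both are unset, and an unquoted [ ${RENEWED_DOMAINS} = ... ]
# fails with "unexpected operator" / "unary operator expected".

MQTT_DOMAIN="${MQTT_DOMAIN:-mydomain.com}"     # assumption: the name clients connect to
CERT_DIR="${CERT_DIR:-/etc/mosquitto/certs}"   # assumption: with docker, the host dir mounted at /mosquitto/config
MQTT_OWNER="${MQTT_OWNER:-mosquitto}"          # the user the broker runs as

# matches_domain "DOMAINS" WANTED: succeeds if WANTED is one of the space-separated DOMAINS
matches_domain() {
    for d in $1; do                             # unquoted on purpose: split on spaces
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# deploy_certs LINEAGE_DIR DEST_DIR OWNER: copy chain and key, lock permissions down
deploy_certs() {
    src="$1"; dst="$2"; owner="$3"
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
    mkdir -p "$dst" || return 1
    # write under temporary names, fix ownership and mode, then rename into place
    cp "$src/fullchain.pem" "$dst/fullchain.pem.tmp" || return 1
    cp "$src/privkey.pem"   "$dst/privkey.pem.tmp"   || return 1
    chown "$owner": "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp" || return 1
    chmod 0600 "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp" || return 1
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem" || return 1
    mv "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# reload_broker: SIGHUP makes mosquitto reread its configuration and certificate files
reload_broker() {
    pkill -HUP -x mosquitto 2>/dev/null || echo "mosquitto is not running; nothing to reload" >&2
}

# Entry point: act only when certbot invoked us with both variables set
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${RENEWED_DOMAINS:-}" ]; then
    if matches_domain "$RENEWED_DOMAINS" "$MQTT_DOMAIN"; then
        deploy_certs "$RENEWED_LINEAGE" "$CERT_DIR" "$MQTT_OWNER" && reload_broker
    fi
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/mosquitto-copy.sh (executable) and let certbot trigger it on the next renewal; if you run it manually it simply does nothing, which is the behaviour you want from a hook.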

As for renewing now with certbot: it has a limit set. I’ve already renewed many times, so from now on it is not updating. Can I use another way today to get it to the right place?

Certbot will not work.

I’m thinking of one of your replies.

Also, I’ve copied the certificate from letsencrypt to my directory, and I’m confused about what to do after that.

Could you please post how you are starting mosquitto, and your configuration file?

Sure.

This is my config file:

[image: config file]

and this is inside the certi folder:

[image: certificates folder listing]

and this is the log of the MQTT broker

Ok, so when you start everything up, the files in ~/cedalo_platform/mosquitto/config will appear in the docker instance on the path /mosquitto/config. The files in ~/cedalo_platform/mosquitto/data will appear at /mosquitto/data.

I would suggest that you put your certificates at ~/cedalo_platform/mosquitto/config/certificates. The listener part of your config file would then be:

listener 8883
certfile /mosquitto/config/certificates/fullchain.pem
keyfile /mosquitto/config/certificates/privkey.pem

Does that help?

Still getting the same error…