Mosquitto with Self Signed Certificates: A Smooth Setup Guide

Hey everyone, I wanted to share my recent experience setting up Mosquitto with self-signed certificates. I’ve been trying to secure my MQTT communication between my ESP8266 controllers and Home Assistant, and it was a bit of a journey, but I got it sorted out!

The Goal: Encrypt my MQTT traffic to ensure secure communication between my devices and Home Assistant. I’ve been using Mosquitto for a while now, but adding TLS encryption was something I wanted to tackle.

The Process: I started by generating my own CA certificate and server certificate. I followed a few guides online, but honestly, it was a bit overwhelming at first. I kept getting authentication errors, and I wasn’t sure what I was doing wrong. After some trial and error, I realized I needed to ensure that both my Mosquitto broker and Home Assistant were using the correct certificates and that the paths were set up properly.

Here’s what I learned:

  1. Certificate Generation: I used OpenSSL to generate my CA and server certificates. The name a client connects with (hostname or IP address) must be in the server certificate, and today that means the Subject Alternative Name (SAN) extension, not just the Common Name (CN): modern TLS clients no longer fall back to the CN, and an IP address has to be listed as an IP: entry in the SAN rather than a DNS: entry. A mismatch shows up as a hostname verification failure even though the certificate itself is valid.

  2. Mosquitto Configuration: I added the following lines to my mosquitto.conf file:

cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

These three options belong to a listener, so they go after a listener 8883 line; Mosquitto 2.x only serves the local machine until a listener is declared, and it defaults to allow_anonymous false, so clients also need a username/password or a certificate. The broker only checks a client certificate if require_certificate true is set on that listener, and then every client on it (the ESP8266 controllers too) must present one. Make sure these paths are correct and that the files are readable by the user Mosquitto runs as (mosquitto on most distributions): ca.crt and server.crt can be world-readable, but server.key should be owned by that user with mode 0600 and never world-readable.

  3. Home Assistant Setup: In my configuration.yaml, I configured the MQTT broker to use TLS. The MQTT integration takes the CA file and the client credentials directly under mqtt: (there is no tls: sub-key), and the broker name given here must appear in the server certificate's SAN, so broker: localhost only works if the certificate was issued for localhost/127.0.0.1 as well:

    mqtt:
      broker: localhost
      port: 8883
      certificate: /etc/mosquitto/certs/ca.crt
      client_cert: /etc/mosquitto/certs/client.crt
      client_key: /etc/mosquitto/certs/client.key

The Home Assistant process needs read access to these three files, and client.key should be readable by that user only. Newer Home Assistant releases configure the broker from the integrations UI instead of YAML, where the same three files are supplied under the advanced options.

  4. Testing: After setting everything up, I tested the connection using mosquitto_sub and mosquitto_pub with TLS enabled (--cafile pointing at ca.crt, plus --cert and --key when the listener requires a client certificate). It worked like a charm!
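The four steps above, carried through end to end as an added example (this is not the original post's own script): it builds the CA, a broker certificate and a client certificate with proper SAN entries, checks the chain and the hostname/IP match offline the way a client would, and prints the listener block and the smoke-test commands. The broker name mqtt.home.lan, the address 192.168.1.10 and the client name homeassistant are assumptions; substitute your own. It needs OpenSSL 1.1.1 or newer, and the mosquitto clients only for the final broker_smoke_test, which is not run automatically.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed (hypothetical)
# names: broker mqtt.home.lan at 192.168.1.10, client name homeassistant.
set -eu

OUT=${1:-./mqtt-certs}
BROKER_HOST=${BROKER_HOST:-mqtt.home.lan}
BROKER_IP=${BROKER_IP:-192.168.1.10}

# Minimal req config so we never depend on the system openssl.cnf.
req_cnf() {   # $1 = CN
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"
}

# Issue one leaf: $1 = file name, $2 = CN, $3 = EKU, $4 = subjectAltName.
issue_leaf() {
  req_cnf "$2" > "$OUT/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$OUT/$1.cnf" \
    -keyout "$OUT/$1.key" -out "$OUT/$1.csr"
  # Leaf extensions: not a CA, one EKU, and the SAN clients will check.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    "extendedKeyUsage=$3" "subjectAltName=$4" > "$OUT/$1.ext"
  openssl x509 -req -sha256 -days 825 -in "$OUT/$1.csr" \
    -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -extfile "$OUT/$1.ext" -out "$OUT/$1.crt"
  rm -f "$OUT/$1.csr" "$OUT/$1.cnf" "$OUT/$1.ext"
  chmod 600 "$OUT/$1.key"      # private keys: owner-readable only
}

gen_certs() {
  mkdir -p "$OUT"
  # CA: self-signed, CA:TRUE, used only to sign; keep ca.key off the broker.
  cat > "$OUT/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home MQTT CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$OUT/ca.cnf" -keyout "$OUT/ca.key" -out "$OUT/ca.crt"
  chmod 600 "$OUT/ca.key"
  # Broker cert: the SAN lists every name or address a client may dial,
  # including localhost/127.0.0.1 for a Home Assistant on the same box.
  issue_leaf server "$BROKER_HOST" serverAuth \
    "DNS:$BROKER_HOST,DNS:localhost,IP:$BROKER_IP,IP:127.0.0.1"
  # Client cert: presented by Home Assistant when the listener requires it.
  issue_leaf client homeassistant clientAuth "DNS:homeassistant"
  rm -f "$OUT/ca.cnf"
}

# Chain and purpose check, as a strict client (or the broker) would do it.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" -purpose sslserver "$OUT/server.crt" >/dev/null &&
  openssl verify -CAfile "$OUT/ca.crt" -purpose sslclient "$OUT/client.crt" >/dev/null
}

# Name check: $1 is the hostname or IP a client would put in -h or broker:.
check_name() {
  case $1 in
    *[!0-9.]*) openssl verify -CAfile "$OUT/ca.crt" -verify_hostname "$1" "$OUT/server.crt" ;;
    *)         openssl verify -CAfile "$OUT/ca.crt" -verify_ip "$1" "$OUT/server.crt" ;;
  esac >/dev/null 2>&1
}

server_san() { openssl x509 -in "$OUT/server.crt" -noout -ext subjectAltName; }

# Listener block for /etc/mosquitto/conf.d/tls.conf on the broker.
print_mosquitto_conf() {
  cat <<'EOF'
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# every client on this listener must present a cert signed by ca.crt
# (the ESP8266s too); drop this line if they use username/password instead
require_certificate true
allow_anonymous false
EOF
}

# Run once the broker is up: verify the handshake, then round-trip one message.
broker_smoke_test() {
  openssl s_client -connect "$BROKER_HOST:8883" -CAfile "$OUT/ca.crt" \
    -verify_return_error </dev/null >/dev/null
  mosquitto_sub -h "$BROKER_HOST" -p 8883 --cafile "$OUT/ca.crt" \
    --cert "$OUT/client.crt" --key "$OUT/client.key" -t test/tls -C 1 &
  sleep 1
  mosquitto_pub -h "$BROKER_HOST" -p 8883 --cafile "$OUT/ca.crt" \
    --cert "$OUT/client.crt" --key "$OUT/client.key" -t test/tls -m hello
  wait
}

main() {
  gen_certs
  verify_chain
  check_name localhost
  check_name "$BROKER_IP"
  echo "certificates written to $OUT:"
  server_san
  print_mosquitto_conf
}
[ "${MQTT_CERTS_LIB:-0}" = 1 ] || main
```

Copy ca.crt, server.crt and server.key to /etc/mosquitto/certs/ on the broker (chown the key to the mosquitto user), give Home Assistant ca.crt, client.crt and client.key, and keep ca.key somewhere the broker cannot read it. check_name is the quickest way to find out whether a "certificate verify failed" is really a name mismatch: if it fails for the name in broker: or -h, reissue the server certificate with that name in the SAN.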

Tips for Others:

  • Double-check your certificate paths and permissions.
  • Make sure your certificates are signed by your CA, not expired, and carry the broker's hostname or IP address in the SAN.
  • Use tools like openssl s_client to test your TLS connection before integrating everything (openssl s_client -connect host:8883 -CAfile ca.crt, then look for Verify return code: 0 (ok) in the output).

I’m really happy with how this turned out. It’s a great feeling to have a secure MQTT setup without relying on third-party certificates. If anyone has questions or needs help with similar setups, feel free to reach out!

Cheers,
[Your Name]