HARTING MICA: Alpine Linux and another MQTT Container with Certificate and TLS/SSL

Jan Cumps
12 Jun 2019

I road-tested the Harting MICA Complete IIoT Starter Kit.

In this follow-up blog, I validate their Alpine Linux container as a host for a safe(r) MQTT broker.

As usual, I follow someone else's instructions. This time: Mosquitto SSL Configuration - MQTT TLS Security.

 

The Alpine Linux Container

It's one of the three general-purpose Linux flavours. The fourth one is a Linux container specifically targeted as a development sandbox.

I have never used Alpine before and this first experience was good. The only two differences from Debian for this exercise were that I had to:

  • use a different package manager: apk instead of apt.
  • use a different daemon manager: rc instead of service.

Nothing to be scared of.

 

To install the container, download it from Harting's container page and install it via the MICA management console.

I had to enable IPv4 in the container's settings; otherwise it couldn't connect to the network. I don't know if that's because of my local situation or generic.

 

Once installed, log in via SSH (e.g. PuTTY) and change the root password:

passwd

Then upgrade the distro:

apk update
apk upgrade

If you'd like to use nano (this step is optional):

apk add nano

That's part 1 of the exercise.

 

Install Mosquitto MQTT Broker

Update December 6 2020: version 2.5 of the MQTT container can be configured for secure access.

The blog is still useful because it shows how to set up a lightweight Linux container, but the MICA team has now provided a better container for MQTT use that allows you to set up server certificates from the management console.

The next step is to install a plain MQTT server and test it.

 

apk add mosquitto

Enable on-boot startup:

rc-update add mosquitto boot

Start the service for the first time:

rc-service mosquitto start
rc-service mosquitto status

You can use MQTT.fx, the MICA Node-RED container or your favourite MQTT client to test the connection.

Paho client users, take note: the test without certificates will work for you.

The next step, where we secure the connection with a self-signed certificate, is not supported (or at least: I don't know how it works) by Paho.

If you want to use Paho as a client with a secure MQTT broker, you'll need to get certificates issued by a certificate authority, or work out how to configure it for self-signed keychains.

 

Securing MQTT Part 1: Generate Keys and Certificates

Install OpenSSL:

apk add openssl

Then navigate to a temp directory (/tmp) and blindly follow these steps. Better: read Mosquitto SSL Configuration - MQTT TLS Security. Steve explains each of the steps.

When you are prompted for the common name, enter the server's domain name if you have one, or the MICA or MICA container name. Or something else, as long as you use the same one consistently.

 

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

 

You should now have these six files in /tmp:

  • ca.key
  • ca.crt
  • ca.srl
  • server.key
  • server.csr
  • server.crt

 

Create two folders under your Mosquitto installation directory:

mkdir /etc/mosquitto/ca_certificates
mkdir /etc/mosquitto/certs

Copy the required files to these two folders:

cp /tmp/ca.crt /etc/mosquitto/ca_certificates
cp /tmp/server.crt /etc/mosquitto/certs
cp /tmp/server.key /etc/mosquitto/certs

Also download ca.crt. You need it in the MQTT client application to connect.

Now back up all generated files to a safe and secure location before doing the next step.

Delete all generated files from the /tmp folder. Before doing that, confirm that you backed up the files.

Now execute:

 

rm /tmp/server.key
rm /tmp/server.csr
rm /tmp/server.crt
rm /tmp/ca.srl
rm /tmp/ca.key
rm /tmp/ca.crt

 

Securing MQTT Part 2: Configure Mosquitto

Open the config file in the editor of your choice.

nano /etc/mosquitto/mosquitto.conf

Look for these entries and edit them to be exactly the same as below:

 

# Port to use for the default listener.
port 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key

user mosquitto

 

The mosquitto user account is created by the installer. The daemon runs as this user instead of root.
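The two securing parts above (the files installed under /etc/mosquitto and the settings edited into mosquitto.conf) can be checked after the fact. The following Python script is an added example, not code from this post or from the Mosquitto or MICA projects: it parses a Mosquitto configuration, reports which of the settings from this post are missing or different, flags a server.key that is readable by other users, and lists any of the generated files still left in /tmp. The two sample configurations embedded in it are constructed for the demonstration; the handling of a `listener` line assumes the Mosquitto 2.x syntax (`listener <port>`), which this post's 1.x style configuration does not use.

```python
"""Audit a Mosquitto TLS setup against the settings used in this post.

Added example, not code from the post or from the Mosquitto/MICA projects.
The sample configurations below are constructed; the path defaults mirror
the post's layout under /etc/mosquitto.
"""
import os
import stat
from pathlib import Path

# Settings the post edits into /etc/mosquitto/mosquitto.conf.
EXPECTED = {
    "cafile": "/etc/mosquitto/ca_certificates/ca.crt",
    "certfile": "/etc/mosquitto/certs/server.crt",
    "keyfile": "/etc/mosquitto/certs/server.key",
    "user": "mosquitto",
}
TLS_PORT = "8883"

# Files the openssl steps leave in /tmp; the post deletes them after a backup.
GENERATED = ["ca.key", "ca.crt", "ca.srl", "server.key", "server.csr", "server.crt"]

# Constructed sample: the shape of the config before editing (everything
# commented out, so the broker falls back to a plaintext listener on 1883).
DEFAULT_CONF = """\
# Port to use for the default listener.
#port 1883
#cafile
#certfile
#keyfile
#user mosquitto
"""

# Constructed sample: the config as edited in the post.
HARDENED_CONF = """\
# Port to use for the default listener.
port 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key

user mosquitto
"""


def parse_conf(text):
    """Map each active 'key value' line to its value; blank and '#' lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def audit_conf(text):
    """Return the findings for a config; an empty list means it matches the post."""
    settings = parse_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set")
        elif got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    # Mosquitto 1.x uses 'port'; 2.x writes 'listener <port> [bind address]'
    # (assumption about the 2.x syntax; the post's config is 1.x style).
    port = settings.get("port")
    if port is None:
        parts = settings.get("listener", "").split()
        port = parts[0] if parts else None
    if port is None:
        findings.append("no port set: broker listens in plaintext on the default 1883")
    elif port != TLS_PORT:
        findings.append(f"port is {port}, expected {TLS_PORT}")
    return findings


def audit_keyfile(path):
    """Return a finding if the private key is readable by group or others, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path}: mode {mode:04o} is readable by group/others; use chmod 600"
    return None


def leftover_in_tmp(tmpdir="/tmp"):
    """List the generated files that are still lying around in the temp directory."""
    return [name for name in GENERATED if Path(tmpdir, name).exists()]


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or 'matches the post'}")
    print("left in /tmp:", leftover_in_tmp() or "nothing")
```

Run it on the container after the `cp` steps and the `rm` steps, pointing `audit_conf` at the real /etc/mosquitto/mosquitto.conf contents and `audit_keyfile` at /etc/mosquitto/certs/server.key; the key check matters because the broker reads the key as the mosquitto user, so the file needs to be owned by that user and not world-readable.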

 

Test: stop and start the service.

rc-service mosquitto restart

I used MQTT.fx again. I adapted the existing configuration.

You'll need to have ca.crt stored on the computer you are testing from.

 

Test!

I also tested with the MICA Node-RED container.

Related Blog
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 1: User Experience
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 2: MICA Debian Stretch Setup
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 3: Eclipse Configuration on Windows
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 4: Build and Debug the GPIO Example
HARTING MICA: Make a Safe(r) MQTT Container with Certificate and TLS/SSL
HARTING MICA: Manage Access to USB and other Devices
HARTING MICA: SD Card as Shared Storage
HARTING MICA: Alpine Linux and another MQTT Container with Certificate and TLS/SSL
HARTING MICA: Connect to Amazon Web Services
HARTING MICA: Install Java 8 VM in a Debian Stretch Container
HARTING MICA: Read BOSCH CISS Sensor with Java - part 1: USB Connect and Listen

Comments

  • DAB over 4 years ago

    Good post Jan.

    DAB

  • Jan Cumps over 6 years ago

    Next exercise: How to Bridge Mosquitto MQTT Broker to AWS IoT.

  • Jan Cumps over 6 years ago

    Follow up on running as non-root:

    The mosquitto install has created a user mosquitto - good start.

    So just edit the /etc/mosquitto/mosquitto.conf file, and uncomment:

    user mosquitto

    Once you restart the server, the service script drops the privilege from root to the mosquitto user when starting the daemon.

    Voila

An Avnet Company © 2025 Premier Farnell Limited. All Rights Reserved.
