I road-tested the Harting MICA Complete IIoT Starter Kit.
In this follow up blog, I validate their Alpine Linux container as a host for a safe(r) MQTT broker.
As usual, I follow someone else's instructions. This time: Mosquitto SSL Configuration - MQTT TLS Security.
The Alpine Linux Container
It's one of the three general purpose Linux flavours. The fourth one is a Linux container specifically targeted as a development sandbox.
I have never used Alpine before and this first experience was good. The only 2 differences from Debian for this exercise were that I had to:
- use a different package manager: apk instead of apt.
- use a different daemon manager: rc instead of service.
Nothing to be scared of.
To install the container, download it from Harting's container page and install via the Mica management console.
I had to enable IPv4 in the container's settings. Otherwise it couldn't connect to the network. I don't know if that's because of my local situation or generic.
Once installed, log in via SSH (e.g. PuTTY) and change the root password.
Then upgrade the distro:
apk update
apk upgrade
If you like to use nano (this step is not necessary):
apk add nano
That's part 1 of the exercise.
Install Mosquitto MQTT Broker
Update December 6 2020: version 2.5 of the MQTT container can be configured for secure access.
The blog is still useful because it shows how to set up a lightweight Linux container, but the MICA team has now provided a better container for MQTT use that allows you to set up server certificates from the management console.
Next step is to install a plain MQTT server and test it.
apk add mosquitto
Enable on-boot startup:
rc-update add mosquitto boot
Start the service for the first time and check its status:
rc-service mosquitto start
rc-service mosquitto status
You can use MQTT.fx, the mica Node Red container or your favourite MQTT client to test the connection:
Paho client users, take note. The test without certificates will work for you.
The next step, where we secure the connection with a self-signed certificate, is not supported (or at least: I don't know how it works) by Paho.
If you want to use Paho as a client with a secure MQTT broker, you'll need to get certificates issued by a certificate authority or work out how to configure it for self-signed keychains.
Securing MQTT Part 1: Generate Keys and Certificates
apk add openssl
Then navigate to a temp directory (/tmp) and blindly follow these steps. Better, read Mosquitto SSL Configuration - MQTT TLS Security. Steve explains each of the steps.
When you are prompted for common name, enter your domain name of the server if you have it, or the mica or mica container name. Or something else - as long as you use the same one consistently.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
You should now have these 6 files: ca.key, ca.crt, ca.srl, server.key, server.csr and server.crt.
Create 2 folders under your mosquitto installation directory:
mkdir /etc/mosquitto/ca_certificates
mkdir /etc/mosquitto/certs
Copy the required files to these 2 folders:
cp /tmp/ca.crt /etc/mosquitto/ca_certificates
cp /tmp/server.crt /etc/mosquitto/certs
cp /tmp/server.key /etc/mosquitto/certs
Also download ca.crt. You need it in the MQTT client application to connect.
Now back up all generated files to a safe and secure location before doing the next step.
Then delete all generated files from the /tmp folder. Before doing that, confirm that you have backed up the files:
rm /tmp/server.key
rm /tmp/server.csr
rm /tmp/server.crt
rm /tmp/ca.srl
rm /tmp/ca.key
rm /tmp/ca.crt
Securing MQTT Part 2: Configure Mosquitto
Open the config file in the editor of your choice.
Look for these entries and edit them to be exactly the same as below:
# Port to use for the default listener.
port 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
#capath
# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt
# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key
user mosquitto
The mosquitto user account is created by the installer. This user will be used to run the daemon, not root.
Test: stop and start the service.
rc-service mosquitto restart
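Before restarting, it is worth checking that the config really ended up in the shape shown above. The following is an added example (not part of the original post or of Mosquitto itself): a small checker that parses a mosquitto.conf, flags a listener that is still on the plain port, missing cafile/certfile/keyfile entries, a broker configured to run as root, and a server.key that is readable by other users. The two sample configs embedded in it are constructed for this example.

```python
"""Sanity-check a mosquitto.conf for the TLS settings set up in this post."""
import os
import stat

# Entries the TLS listener needs (see "Securing MQTT Part 2").
REQUIRED_TLS_KEYS = ("cafile", "certfile", "keyfile")


def parse_mosquitto_conf(text):
    """Return {option: value} for the non-comment lines; last occurrence wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def check_tls_config(options, key_mode=None):
    """Return a list of findings; an empty list means the config matches the post.
    key_mode is the st_mode of the keyfile, if known, so a private key that is
    readable by group or others can be flagged too."""
    findings = []
    if options.get("port") != "8883":
        findings.append("port: expected 8883 (TLS), got %r" % options.get("port"))
    for key in REQUIRED_TLS_KEYS:
        if key not in options:
            findings.append("%s: missing, listener will not use TLS" % key)
    if options.get("user") == "root":
        findings.append("user: broker would run as root; set 'user mosquitto'")
    if key_mode is not None and key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keyfile: private key is readable by group/others")
    return findings


def check_conf_file(path):
    """Check a config file on disk, including the permissions of its keyfile."""
    with open(path) as fh:
        options = parse_mosquitto_conf(fh.read())
    keyfile = options.get("keyfile")
    key_mode = os.stat(keyfile).st_mode if keyfile and os.path.exists(keyfile) else None
    return check_tls_config(options, key_mode)


# Constructed sample: the listener entries from this post.
SECURE_CONF = "port 8883\ncafile /etc/mosquitto/ca_certificates/ca.crt\n#capath\n" \
    "certfile /etc/mosquitto/certs/server.crt\nkeyfile /etc/mosquitto/certs/server.key\nuser mosquitto\n"
# Constructed sample: a plain-text broker that was never secured.
PLAIN_CONF = "port 1883\nuser root\n"

if __name__ == "__main__":
    print(check_tls_config(parse_mosquitto_conf(SECURE_CONF)))  # []
    print(check_tls_config(parse_mosquitto_conf(PLAIN_CONF)))
```

Run it against /etc/mosquitto/mosquitto.conf with check_conf_file() on the container; an empty list means the listener is configured as described above.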
I used MQTT.fx again. I adapted the existing configuration.
You'll need to have ca.crt stored on the computer you are testing from.
I also tested with the Mica Node Red container: