The Alpine Linux Container

It's one of the three Linux general purpose flavours. The fourth one is a Linux container specifically targeted as a development sandbox.

I have never used Alpine before and this first experience was good. The only 2 differences from Debian for this exercise were that I had to:

• use a different package manager. apk instead op apt.
• use a different daemon manager. rc instead of service.
• Nothing to be scared of.

To install the container, download it from Harting's container page and install via the Mica management console.

I had to enable IPv4 in the container's settings. Else it couldn't connect to the network. I don't know if that's because of my local situation or generic.

Once installed, log in via SSH (e.g.: PuTTY) and change root password

passwd

Then upgrade the distro:

apk update
apk upgrade

If you like to use nano (this step is not necessary):

apk add nano

That's part 1 of the exercise.

Install Mosquitto MQTT Broker

Next step is to install a plain MQTT server and test it.

apk add mosquitto

Enable on-boot startup

rc-update add mosquitto boot

Start the service for the first time

rc-service mosquitto start
rc-service mosquitto status

You can use MQTT.fx, the mica Node Red container or your favourite MQTT client to test the connection:

Paho client users, attention. The test without certificates will work for you.

The next step, where we secure the connection with a self signed certificate, is not supported (or at least: I don't know how it works) by Paho.

If you want to use Paho as a client with a secure MQTT broker, you'll need to get certificates issued by a certificate authority or fiddle out how to configure it for self signed keychains.

Securing MQTT Part 1: Generate Keys and Certificates

Install openSSL:

apk add openssl

Then navigate to a temp directory (/tmp) and blindly follow these steps. Better, read Mosquitto SSL Configuration -MQTT TLS Security . Steve explains each of the steps.

When you are prompted for common name, enter your domain name of the server if you have it, or the mica or mica container name.  Or something else - as long as you use the same one consistently.

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

You should now have these 6 files.

Create 2 folders under your mosquitto installation directory:

mkdir /etc/mosquitto/ca_certificates
mkdir /etc/mosquitto/certs

Copy the required files to these 2 folders:

cp /tmp/ca.crt /etc/mosquitto/ca_certificates
cp /tmp/server.crt /etc/mosquitto/certs
cp /tmp/server.key /etc/mosquitto/certs

Also download ca.crt. You need it in the MQTT client application to connect.

Now back up all generated files to a safe and secure location before doing the next step.

Delete all generated files from the /tmp folder.

Before doing that, click below checkbox to confirm that you backed up the files:

Now execute:

rm /tmp/server.key
rm /tmp/server.csr
rm /tmp/server.crt
rm /tmp/ca.srl
rm /tmp/ca.key
rm /tmp/ca.crt

Securing MQTT Part 2: Configure Mosquitto

Open the config file in the editor of your choice.

nano /etc/mosquitto/mosquitto.conf

Look for these entries and edit them to be exact the same as below:

# Port to use for the default listener.
port 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key

user mosquitto

The mosquitto user account is created by the installer. This user will be used to run the daemon, not root.

Test. stop and start the service

rc-service mosquitto restart

I used MQTT.fx again. I adapted the existing configuration.

You'll need to have ca.crt stored on the computer you are testing from.

Test!

I also tested with the Mica Node Red container: