|
I connected an Arduino MKR WAN 1310 to The Things Network (TTN). Then used Node-RED to connect to the TTN MQTT service and work with the data. Now I'm enabling safe TLS communication to the MQTT. This post is my log of the activity.
Read this post first: Arduino MKR WAN 1310 integration with Node-RED via The Things Network This posts starts at the point where Node-RED is working with plain TTN MQTT. |
What? Why TLS?
MQTT is secured by user name and password. When you use the standard MQTT protocol, this info - and the payload you exchange - is readable by bad human beings. MQTTS solves this, by allowing verified and encrypted data exchange.
- verify: server is who we think it is
- encrypt: data runs over TLS
This is an uneventful post. In the previous one, we were able to connect to TTN MQTT. In this post, we will be able to do the same. But safer.
What's required?
We need a downloadable certificate:
- the ROOT Trust certificate of letsencrypt.org (valid until 2035). Or a TTN MQTT server certificate (usually valid for a few months)
- (ideally also a client cert and private key, but I haven't found out yet how to generate or get one for this chain.)
TTN uses Let's Encrypt as authority. We can let Node-RED validate the server by giving it their trust certificate. Here is where you can retrieve it: https://letsencrypt.org/certs/isrgrootx1.pem. Save it.
For tighter validation, the TTN server certificate can be retrieved by surfing to your TTN console. In your browser, then click on the security/settings icon (a lock in some browser). In chrome, it looks like this:
Save as Base64 CER, next to the first one you downloaded.
Alternatively you can use a Node-RED flow to retrieve that certificate.
Tomato Tomato? The TTN provided certificate will match exactly that server, and for a shorter period. The letsencypt one will validate that the server has a certificate trusted by them...
Configure Node-RED MQTT connection for TLS
You have two MQTT connections on your Node-RED flow (if you followed Arduino MKR WAN 1310 integration with Node-RED via The Things Network ). We 'll change one to MQTTS. In the second one, we can then select that new setup.
Open the uplink connection:
In the Server setting, select Add new mqtt-broker, and name it ttnmqtts. Connection and Security tab settings are mostly the same as in the original config. Take them over.
Then make these changes:
Port: 8883
Check Use TLS, and Add new tls-config
In that config, upload the two certificates:
Confirm everything. Before deploying the flow, open a console to your Node-RED server and start the Node-RED log
node-red-log
Deploy the changes in Node-RED, and check the log:
If all is OK, you should see that one MQTTS/TLS connection is made to port 8883 (the new config we did for the uplink node. And the old node still uses plain MQTT over 1883.
All you have to do now, is select that new ttnmqtts serve configuration in the downlink node, and deploy again.
The log file now only shows one connection, to the 8883 port. Success.
You can now delete the old ttnmqtt server configuration and never look back.
-
DAB
-
Cancel
-
Vote Up
0
Vote Down
-
-
Sign in to reply
-
More
-
Cancel
-
Jan Cumps
in reply to DAB
-
Cancel
-
Vote Up
0
Vote Down
-
-
Sign in to reply
-
More
-
Cancel
Comment-
Jan Cumps
in reply to DAB
-
Cancel
-
Vote Up
0
Vote Down
-
-
Sign in to reply
-
More
-
Cancel
Children