Mosquitto using letsencrypt

Recently I’ve been playing with MQTT (mosquitto) and also with letsencrypt. Putting this together isn’t hard, but there are a few challenges.

Setup Let’s Encrypt

I currently use nginx to serve files. Since I already have a webserver running, I found it much easier to use letsencrypt with the webroot authenticator. Below is, more or less, the config file I have for frcv.net.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
email = youremail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

webroot-path = /usr/share/nginx/yourdomain

domains = yourdomain, www.yourdomain

Then I use this config to generate the letsencrypt certs.

letsencrypt certonly -c /etc/letsencrypt/frcv.net.ini

Configure Mosquitto

Now we can use the same cert for mosquitto with one small addition. We need to create the keyfile bundle for mosquitto to use.

cat /etc/letsencrypt/live/yourdomain/{privkey,fullchain}.pem > /etc/letsencrypt/live/yourdomain/keyfile.pem

Then we can use all this in our mosquitto config.

listener 1883
max_connections -1
cafile /etc/letsencrypt/live/yourdomain/chain.pem
certfile /etc/letsencrypt/live/yourdomain/cert.pem
keyfile /etc/letsencrypt/live/yourdomain/keyfile.pem
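The keyfile.pem built above is a plain copy, so it goes stale every time Let's Encrypt renews the certificate. The script below is an added example (not from the original post) that rebuilds the bundle the same way and sanity-checks it before swapping it in: exactly one private key, a leaf plus at least one intermediate, key matching the leaf when openssl is available, and owner-only permissions. It assumes the letsencrypt live directory layout (privkey.pem, fullchain.pem); function names are mine, and reloading mosquitto afterwards is left to you.

```shell
#!/bin/sh
# Added example, not part of the original post. Rebuilds $live/keyfile.pem as
# privkey + fullchain (as the post does) and refuses to install a bad bundle.

# Count PEM blocks whose header matches extended regex $1 in file $2.
pem_count() {
    [ -f "$2" ] || { echo 0; return; }
    grep -c -E -- "^-----BEGIN ($1)-----" "$2" || true  # grep -c exits 1 on 0 hits
}

# Build $1/keyfile.pem. Runs in a subshell so umask 077 (the bundle holds the
# private key) stays local. Exit: 0 ok, 2 inputs missing, 3 write failed,
# 4 bundle malformed.
build_bundle() (
    live="$1"; tmp="$live/keyfile.pem.tmp"
    [ -f "$live/privkey.pem" ] && [ -f "$live/fullchain.pem" ] || exit 2
    umask 077
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" || exit 3
    keys=$(pem_count '(RSA |EC )?PRIVATE KEY' "$tmp")
    certs=$(pem_count 'CERTIFICATE' "$tmp")
    # Exactly one key, and leaf + at least one intermediate: a bare cert.pem
    # in place of fullchain.pem would leave clients unable to build the chain.
    if [ "$keys" -ne 1 ] || [ "$certs" -lt 2 ]; then
        rm -f "$tmp"; exit 4
    fi
    mv "$tmp" "$live/keyfile.pem"
)

# Check that the bundled key belongs to the leaf certificate (first cert in
# fullchain.pem) by comparing public keys. Skipped (returns 0) without openssl.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run after each renewal: rebuild and verify; reload mosquitto yourself.
refresh_bundle() {
    build_bundle "$1" || { echo "bundle not updated (status $?)" >&2; return 1; }
    key_matches_cert "$1/keyfile.pem" "$1/fullchain.pem" \
        || { echo "key does not match leaf certificate" >&2; return 1; }
}
```

Usage: refresh_bundle /etc/letsencrypt/live/yourdomain, then restart or reload mosquitto if it returned 0.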

Connecting

This is where I ran into most of my problems. mosquitto_sub doesn’t actually use SSL unless you pass the --cafile or --capath option. I found the --cafile option to be better. On Arch I was able to use /etc/ssl/cert.pem. If you are on a system that doesn’t have the Let’s Encrypt cert in its store, you can download the DST Root CA X3 cert or get it from me.

mosquitto_sub -v -h frcv.net -p 4886 -t '#' --cafile /etc/ssl/cert.pem  # CA from your system

or

mosquitto_sub -v -h frcv.net -p 4886 -t '#' --cafile letsencrypt_root_ca.pem.txt # CA from letsencrypt
