Recently I’ve been playing with MQTT (mosquitto) and also with letsencrypt. Putting this together isn’t hard, but there are a few challenges.

Setup Let’s Encrypt Link to heading

I currently use nginx to serve files. Since I already have a webserver running, I found it much easier to use letsencrypt with the webroot authenticator. Below is basically the config file I have for

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
email = youremail

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

webroot-path = /usr/share/nginx/yourdomain

domains = yourdomain, www.yourdomain

Then I use this config to generate the letsencrypt certs.

letsencrypt certonly -c /etc/letsencrypt/

Configure Mosquitto Link to heading

Now we can use the same cert for mosquitto with one small addition. We need to create the keyfile bundle for mosquitto to use.

cat /etc/letsencrypt/live/yourdomain/{privkey,fullchain}.pem > /etc/letsencrypt/live/yourdomain/keyfile.pem

Then we can use all this in our mosquitto config.

listener 1883
max_connections -1
cafile /etc/letsencrypt/live/yourdomain/chain.pem
certfile /etc/letsencrypt/live/yourdomain/cert.pem
keyfile /etc/letsencrypt/live/yourdomain/keyfile.pem

Connecting Link to heading

This is where I ran into most of my problems. mosquitto_sub doesn’t actually use ssl unless you pass use the --cafile or -capath options. I found the --cafile options to be better. On Arch I was able to use /etc/ssl/cert.pem. If you are on a system that doens’t have letsencrypt cert in its store, you can download the DST Root CA X3 cert or get it from me.

mosquitto_sub -v -h -p 4886 -t '#' --cafile /etc/ssl/cert.pem  # CA from your system


mosquitto_sub -v -h -p 4886 -t '#' --cafile letsencrypt_root_ca.pem.txt # CA from letsencrypt