Tags: mqtt, mosquitto

Secure Mosquitto Websockets


I have Mosquitto 1.4.9 installed and running.

I can pub and sub on 1883. I can also pub and sub on 8883. 8883 is secure using certs. I can also sub and pub on 8083 but only using WS. WSS will not connect.

When I start up Mosquitto here is what appears in the log:

1521831919: mosquitto version 1.4.9 (build date 2017-12-15 11:14:08-0500) starting
1521831919: Config loaded from /etc/mosquitto/mosquitto.conf
1521831919: Opening ipv4 listen socket on port 1883.
1521831919: Opening ipv6 listen socket on port 1883.
1521831919: Opening ipv4 listen socket on port 8883.
1521831919: Opening ipv6 listen socket on port 8883.
1521831919: Opening websockets listen socket on port 8083.
1521831919: libuv support not compiled in
1521831919: Creating Vhost 'default' port 8083, 3 protocols, IPv6 off

When I attempt to connect using a web interface (http://hobbyquaker.github.io/mqtt-admin) I get a message that says Disconnected trying to connect to wss://home.fqdn.com. And in the log the only entry I see is this:

1521834600: forbidding on uri sanitation
1521834601: lws_read: Unhandled state 76

When I try connecting to 8083 from the command line with:
mosquitto_pub -h home.fqdn.com -t test -m "hello again 2" -p 8083 --capath /etc/ssl/certs/ -u "userID" -P "passWD"

I get this message:
Error: A TLS error occurred.
Which I assume is because it's from the CLI and not over WSS as I have no issues when I use -p 8883 instead of -p 8083.

Here is my config file:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest file /var/log/mosquitto/mosquitto.log
log_type all
websockets_log_level 1023
connection_messages true
log_timestamp true
password_file /etc/mosquitto/pwfile
acl_file /etc/mosquitto/aclfile.acl

#Internal Listener
listener 1883
allow_anonymous false

#External Listener
listener 8883
allow_anonymous false
certfile /etc/letsencrypt/live/home.fqdn.com/cert.pem
cafile /etc/letsencrypt/live/home.fqdn.com/chain.pem
keyfile /etc/letsencrypt/live/home.fqdn.com/privkey.pem

#Webhooks Listener
listener 8083
protocol websockets
http_dir /var/www/html
certfile /etc/letsencrypt/live/home.fqdn.com/cert.pem
cafile /etc/letsencrypt/live/home.fqdn.com/chain.pem
keyfile /etc/letsencrypt/live/home.fqdn.com/privkey.pem

I don't understand how I can connect with WS:// but not WSS://. The 8883 Listener will not allow an unsecured connection and it is using the same certs.

When I connect with WS:// I get this entry in the log:

1521834238: New client connected from 69.42.179.18 as mqtt-admin_48154a1b (c1, k60, u'userID').

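As an added example that is not part of the question or the answer, the following Python script parses a mosquitto.conf in the style of the one above and reports the per-listener findings a reviewer would want before exposing the broker: listeners without TLS, a certfile without a matching keyfile, a websockets listener that also serves static files through http_dir, and the global allow_anonymous / password_file settings. The embedded sample config is constructed from the question's listener blocks; the scoping rule it applies (options after a `listener` line belong to that listener, while allow_anonymous and password_file are global) is the Mosquitto 1.4.x behaviour, and the function and class names are my own.

```python
from dataclasses import dataclass, field

# Constructed sample: the listener section of the mosquitto.conf posted in the question.
SAMPLE_CONF = """\
password_file /etc/mosquitto/pwfile
acl_file /etc/mosquitto/aclfile.acl

#Internal Listener
listener 1883
allow_anonymous false

#External Listener
listener 8883
allow_anonymous false
certfile /etc/letsencrypt/live/home.fqdn.com/cert.pem
cafile /etc/letsencrypt/live/home.fqdn.com/chain.pem
keyfile /etc/letsencrypt/live/home.fqdn.com/privkey.pem

#Webhooks Listener
listener 8083
protocol websockets
http_dir /var/www/html
certfile /etc/letsencrypt/live/home.fqdn.com/cert.pem
cafile /etc/letsencrypt/live/home.fqdn.com/chain.pem
keyfile /etc/letsencrypt/live/home.fqdn.com/privkey.pem
"""

# In Mosquitto 1.4.x these are broker-wide regardless of where they appear;
# 1.5+ can scope them per listener with `per_listener_settings true`.
GLOBAL_KEYS = {"allow_anonymous", "password_file", "acl_file"}


@dataclass
class Listener:
    port: int
    protocol: str = "mqtt"          # Mosquitto default when no `protocol` line is given
    options: dict = field(default_factory=dict)

    @property
    def tls(self) -> bool:
        # A listener only serves TLS when both a certificate and its key are configured.
        return "certfile" in self.options and "keyfile" in self.options


def parse_listeners(text):
    """Split a mosquitto.conf into global options and per-listener option groups.
    Listener-specific options (protocol, certfile, keyfile, cafile, http_dir, ...)
    apply to the most recent `listener` line, which is how Mosquitto reads them."""
    global_opts, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            listeners.append(Listener(port=int(value.split()[0])))
        elif key in GLOBAL_KEYS:
            global_opts[key] = value
        elif key == "protocol" and listeners:
            listeners[-1].protocol = value
        elif listeners:
            listeners[-1].options[key] = value
        else:
            global_opts[key] = value
    return global_opts, listeners


def audit(text):
    """Return (port, finding) tuples; port is None for broker-wide findings."""
    global_opts, listeners = parse_listeners(text)
    findings = []
    for lst in listeners:
        opts = lst.options
        # certfile without keyfile (or the reverse) cannot serve TLS at all.
        if ("certfile" in opts) != ("keyfile" in opts):
            findings.append((lst.port, "certfile/keyfile must be set together"))
        # Plaintext listener: credentials and payloads cross the network in the clear.
        if not lst.tls:
            findings.append((lst.port, f"no TLS on {lst.protocol} listener"))
        # http_dir makes libwebsockets serve files from that directory on the same
        # port as MQTT-over-WebSockets; confirm that exposure is intended.
        if lst.protocol == "websockets" and "http_dir" in opts:
            findings.append((lst.port, f"serves static files from {opts['http_dir']}"))
    # Mosquitto 1.x defaults allow_anonymous to true when it is not set.
    if global_opts.get("allow_anonymous", "true") == "true":
        findings.append((None, "allow_anonymous is true (Mosquitto 1.x default when unset)"))
    if "password_file" not in global_opts:
        findings.append((None, "no password_file configured"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(SAMPLE_CONF):
        print(f"listener {port}: {msg}" if port else msg)
```

Run against the sample it reports only the two things that are true of the posted config: the 1883 listener is plaintext (fine for a LAN-only listener, worth confirming it is not reachable from outside) and the 8083 websockets listener also serves /var/www/html. The TLS material on 8083 parses cleanly, which is consistent with the accepted answer: the WSS failure was a broker/libwebsockets version problem, not a certificate or config error.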

Solution

  • Mosquitto version 1.4.9 did not work properly with changes made in libwebsockets.

    Uninstalled mosquitto and installed 1.4.15 from the dev repository and now WSS:// connections function properly.