Closed skimpax closed 2 years ago
Hi,
I agree with your request; it will be a great improvement. And thank you for your effort to provide a rich context and a deep analysis in the request 👍 .
I'll try to implement it quickly.
Hi @skimpax ,
Can you give a try to the fmartinou/teleinfo2mqtt:feature__31_add_mqtt_mtls version, please?
You need to pass the following env vars to make it work:
MQTT_TLS_CLIENT_KEY
MQTT_TLS_CLIENT_CERT
MQTT_TLS_CA_CHAIN
MQTT_TLS_REJECT_UNAUTHORIZED (optional, only for dev purpose)

Example
MQTT_URL=mqtts://my-mosquitto.acme.com:8883
MQTT_TLS_CLIENT_KEY=/certs/my-client-key.pem
MQTT_TLS_CLIENT_CERT=/certs/my-client-cert.pem
MQTT_TLS_CA_CHAIN=/certs/my-ca-chain
...
Sorry for being so late...
It looks good :) Well done!
Great!
It's merged and available in the release 8.1.0
Currently, connection to MQTT broker can be done by user/password.
Feature requested: Add the ability to use TLS and Mutual Authentication to connect to the broker (mTLS). This is a classic pattern where 2 parties (client and broker) have their own cert signed by a CA (can be a self-signed CA). For the client, only 3 configuration parameters are required:
Advantages:
Impacts: By my understanding, these parameters have to be passed in options field, when creating client MQTT.js. It seems to be a small impact on your current source code.
For instance: A Mosquitto broker can be configured to use mutual auth by following params:
Example of mosquitto client:
mosquitto_pub --cafile ca_chain.crt --cert client.crt --key client.key -d -h <mosquitto_broker_ipaddr> -p 8883 -t test -m "hello there"
If needed, I can provide a shell script to create self-signed CA certificate, broker certificate (signed by this CA) and client (teleinfo2mqtt) certificate (signed by this CA).
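Added example, not part of the original thread and not teleinfo2mqtt's own code: one way the MQTT_TLS_* variables discussed above could be mapped to the MQTT.js `key`, `cert`, `ca` and `rejectUnauthorized` options, with checks for a half-configured key pair, a non-TLS `MQTT_URL` and a loosely permissioned private key. The names `buildMqttTlsOptions` and `demo`, the host `broker.example` and the placeholder file contents are assumptions constructed for illustration.

```javascript
// Added example: the mapping and checks below are assumptions, not teleinfo2mqtt's code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: turn the MQTT_TLS_* variables into MQTT.js connect options.
function buildMqttTlsOptions(env) {
  const keyPath = env.MQTT_TLS_CLIENT_KEY;
  const certPath = env.MQTT_TLS_CLIENT_CERT;
  const caPath = env.MQTT_TLS_CA_CHAIN;
  const options = {};

  // A key without its certificate (or the reverse) cannot authenticate the client.
  if (Boolean(keyPath) !== Boolean(certPath)) {
    throw new Error('MQTT_TLS_CLIENT_KEY and MQTT_TLS_CLIENT_CERT must be set together');
  }
  if (keyPath) {
    // Client certificates are only presented over TLS, so require a TLS scheme.
    if (!/^(mqtts|wss):\/\//i.test(env.MQTT_URL || '')) {
      throw new Error('client certificate configured but MQTT_URL is not mqtts:// or wss://');
    }
    // Refuse a private key that group or others can access (POSIX mode bits).
    const mode = fs.statSync(keyPath).mode & 0o777;
    if (process.platform !== 'win32' && (mode & 0o077) !== 0) {
      throw new Error(`${keyPath} has mode ${mode.toString(8)}, expected 600 or stricter`);
    }
    options.key = fs.readFileSync(keyPath);
    options.cert = fs.readFileSync(certPath);
  }
  if (caPath) options.ca = fs.readFileSync(caPath); // trust anchor(s) for the broker cert

  // Broker verification stays on unless explicitly disabled (dev only, per the thread).
  options.rejectUnauthorized = String(env.MQTT_TLS_REJECT_UNAUTHORIZED).toLowerCase() !== 'false';
  return options;
}

// Constructed sample input: placeholder files, not real key material.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'mtls-demo-'));
  const file = (name) => {
    const p = path.join(dir, name);
    fs.writeFileSync(p, `constructed placeholder: ${name}\n`);
    fs.chmodSync(p, 0o600);
    return p;
  };
  const env = { MQTT_URL: 'mqtts://broker.example:8883', MQTT_TLS_CLIENT_KEY: file('key.pem'),
    MQTT_TLS_CLIENT_CERT: file('cert.pem'), MQTT_TLS_CA_CHAIN: file('ca-chain.pem') };
  return { env, options: buildMqttTlsOptions(env) };
}
```

The returned object can be passed as the second argument of MQTT.js's `mqtt.connect(url, options)`.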