giejay / domoticz-gbridge-plugin

Domoticz plugin for the Kappelt gBridge

Support for hosted gBridge servers #1

Closed peterkappelt closed 5 years ago

peterkappelt commented 5 years ago

Discussion started in your pull request: https://github.com/kservices/gBridge/pull/15

You wrote about this command, which isn't working: mosquitto_sub --username gbridge-u* --pw my-pass --host mqtt.gbridge.kappelt.net --port 8883 --topic gBridge/u1/d1/onoff -d -v

I think the problem is that mosquitto_sub is not trying to use TLS for this connection. If you specify the path where your system stores trusted CA certificates (e.g. with the parameter --capath /etc/ssl/certs/), it should work.

giejay commented 5 years ago

I added the certificates to my rpi and added the capath but unfortunately now I'm getting a "certificate verify failed". Also when I download the certificate with openssl:

openssl s_client -showcerts -connect mqtt.gbridge.kappelt.net:8883 </dev/null

And then specify this file using cafile:

mosquitto_sub --username gbridge-u104 --pw password --host mqtt.gbridge.kappelt.net --port 8883 --cafile /usr/local/share/ca-certificates/gbridge.crt --topic gBridge/u104/d276/onoff -d -v
Client mosqsub/28244-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Do these commands work for you?

giejay commented 5 years ago

And can you check your server logs for this connect id: Domoticz_1543515460 and the reason that the topics are not returned?

2018-11-29 19:17:40.253 (gBridge Remote) MQTT CONNECT ID: 'Domoticz_1543515460'
2018-11-29 19:17:40.304 (gBridge Remote) Message from base
2018-11-29 19:17:40.304 (gBridge Remote) Incoming message!{'Status': 0, 'Description': 'Connection Accepted', 'Verb': 'CONNACK'}
2018-11-29 19:17:40.304 (gBridge Remote) MqttClient::Subscribe
2018-11-29 19:17:40.357 (gBridge Remote) Message from base
2018-11-29 19:17:40.358 (gBridge Remote) Incoming message!{'Topics': [{'Status': 128, 'Description': 'Failure'}], 'PacketIdentifier': 1, 'Verb': 'SUBACK'}

peterkappelt commented 5 years ago

Well, not particularly useful:

Nov 29 19:17:40 helium mosquitto[863]: 1543515460: New client connected from XX.YY.ZZ.AA as Domoticz_1543515460 (c1, k60, u'gbridge-uZZZ').
Nov 29 19:17:40 helium mosquitto[863]: 1543515460: Socket error on client Domoticz_1543515460, disconnecting.

Which OS/version is running on your RPi (Raspbian?)? Try https://about.gbridge.kappelt.net/static/LetsEncrypt-AllCAs.pem as the CA file, too, please.

giejay commented 5 years ago

That's the first CA I tried and that gives the same result. It indeed runs Raspbian.

I also tried it on my Macbook, also the same error.

Edit: Got a bit further on my MacBook (think I didn't import the cert correctly):

mosquitto_sub --username gbridge-104 --pw XXX --host mqtt.gbridge.kappelt.net --port 8883 --cafile LetsEncrypt-AllCAs.pem --topic gBridge/u104/# -d -v
Client mosqsub|1187-MacBook-Pr sending CONNECT
Client mosqsub|1187-MacBook-Pr received CONNACK (5) Connection Refused: not authorised.
Client mosqsub|1187-MacBook-Pr sending DISCONNECT

Don't really know why I'm getting an unauthorized; changed my password again to make sure I have the right one and it's still giving an unauthorized.

peterkappelt commented 5 years ago

Mhh, strange...

pi@hcpi01:~ $ mosquitto_sub --username gbridge-u11 --pw 'abcd' --host mqtt.gbridge.kappelt.net --port 8883 --topic gBridge/u11/d18/onoff --cafile LetsEncrypt-AllCAs.pem -v -d
Client mosqsub/20527-hcpi01 sending CONNECT
Client mosqsub/20527-hcpi01 received CONNACK
Client mosqsub/20527-hcpi01 sending SUBSCRIBE (Mid: 1, Topic: gBridge/u11/d18/onoff, QoS: 0)
Client mosqsub/20527-hcpi01 received SUBACK
Subscribed (mid: 1): 0
Client mosqsub/20527-hcpi01 received PUBLISH (d0, q0, r0, m0, 'gBridge/u11/d18/onoff', ... (1 bytes))
gBridge/u11/d18/onoff 0
pi@hcpi01:~ $ mosquitto_sub --username gbridge-u11 --pw 'Bd4RqtqU$N3RaWqG' --capath /etc/ssl/certs/ --host mqtt.gbridge.kappelt.net --port 8883 --topic gBridge/u11/d18/onoff -v -d
Client mosqsub/20595-hcpi01 sending CONNECT
Client mosqsub/20595-hcpi01 received CONNACK
Client mosqsub/20595-hcpi01 sending SUBSCRIBE (Mid: 1, Topic: gBridge/u11/d18/onoff, QoS: 0)
Client mosqsub/20595-hcpi01 received SUBACK
Subscribed (mid: 1): 0
Client mosqsub/20595-hcpi01 received PUBLISH (d0, q0, r0, m0, 'gBridge/u11/d18/onoff', ... (1 bytes))
gBridge/u11/d18/onoff 1

What's the version of mosquitto_sub? Try appending -V mqttv31

peterkappelt commented 5 years ago

Are there any special characters in your password? Try enclosing it with apostrophes or quotes

giejay commented 5 years ago

Are there any special characters in your password? Try enclosing it with apostrophes or quotes

That's it! Changed the password to not have the special chars and now I can connect from my MacBook.

Also changed the password and the port to 1883, and removed the --ca option on my Raspbian, and now I can subscribe using mosquitto_sub.

Could it be that the Python plugin is using the wrong MQTT protocol?

peterkappelt commented 5 years ago

Ahhhh, no! Using port 1883 is a really bad idea, since it is unencrypted MQTT.

Yes, MQTT version problems are a possibility. I've decided to stick to the "old" V3.1, for broader compatibility.

I'm planning to offer both versions on different domains in the future.

giejay commented 5 years ago

Yes, I won't use 1883 in production; I just want to check if I can connect from my Raspberry.

I've added username/password protection to my own mosquitto broker, and that works. This is the mosquitto broker I'm using:

mosquitto version 1.4.4 (build date Thu, 17 Sep 2015 16:11:28 +0100)

mosquitto is an MQTT v3.1 broker.

Is that the same as the one you're using?

Could you perhaps share your mqtt config so I can test it myself?

peterkappelt commented 5 years ago

gBridge servers use Mosquitto 1.5.2. I've sent you the config. However, I don't think it is really useful for you, since it uses a couple of extensions for dynamic authentication and user management.

I'm using 1.4.10 for mosquitto_sub on my client system for testing.

Have you tried all possibilities (with (not) defining --capath/ --cafile etc.) with the password without special characters?

Have a nice week!

giejay commented 5 years ago

When using the sub client, it now works. What I now need to figure out is how I can provide certs to the Domoticz Connection class which is used for the interaction with MQTT. Unfortunately the documentation is very scarce. And I don't think the certs are the real problem, seeing as I'm having the exact same behavior when using an unsecured connection:

Incoming message!{'Topics': [{'Status': 128, 'Description': 'Failure'}], 'PacketIdentifier': 1, 'Verb': 'SUBACK'}

According to the MQTT spec, this could be an issue with not having the correct access rights to the topic, so I tried several ways of subscribing (gBridge/u104/Dinner_Light/brightness, gBridge/u104/#, #), but nothing seems to work.
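
The two failure modes this thread circles around, the v3.1 versus v3.1.1 CONNECT handshake peterkappelt mentions and the SUBACK "Status: 128" the plugin logged, seen at the packet level. This is an added example, not code from the plugin or from gBridge; the function names and the sample packets in the comments are constructed for illustration.

```python
# Added example (not the plugin's or gBridge's code): MQTT v3.1 / v3.1.1 CONNECT encoder and CONNACK / SUBACK decoders.
import struct

def _mqtt_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix + payload."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _encode_remaining(n: int) -> bytes:
    """Variable-length 'remaining length' field of every MQTT fixed header."""
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def _decode_remaining(pkt: bytes):
    """Return (remaining_length, index of the first byte after it)."""
    value = 0
    for i in range(1, 5):
        value |= (pkt[i] & 0x7F) << (7 * (i - 1))
        if not pkt[i] & 0x80:
            return value, i + 1
    raise ValueError("malformed remaining length")

def build_connect(client_id, username, password, version=3, keepalive=60):
    """CONNECT for MQTT v3.1 (version=3, name 'MQIsdp') or v3.1.1 (version=4, name 'MQTT')."""
    proto = {3: "MQIsdp", 4: "MQTT"}[version]  # KeyError for anything else
    flags = 0xC2  # user name + password present, clean session
    body = (_mqtt_string(proto) + bytes([version, flags]) + struct.pack(">H", keepalive)
            + _mqtt_string(client_id) + _mqtt_string(username) + _mqtt_string(password))
    return b"\x10" + _encode_remaining(len(body)) + body

def _body(pkt: bytes, expected_type: int) -> bytes:
    """Check the fixed-header packet type and return the bytes after the length."""
    if pkt[0] >> 4 != expected_type:
        raise ValueError("unexpected MQTT packet type %d" % (pkt[0] >> 4))
    rem, i = _decode_remaining(pkt)
    return pkt[i:i + rem]

def connack_code(pkt: bytes) -> int:
    """CONNACK return code: 0 accepted, 1 unacceptable protocol version (what a
    broker stuck on one version answers), 5 not authorised (the 'CONNACK (5)' above)."""
    return _body(pkt, 2)[1]

def suback_result(pkt: bytes, topics):
    """Granted QoS per requested filter; 0x80 (Status 128 in the plugin log)
    means the broker's ACL refused that filter instead of granting it."""
    return dict(zip(topics, _body(pkt, 9)[2:]))
```

Feeding the plugin's raw SUBACK bytes through suback_result separates "refused by the broker's ACL" (0x80) from "subscribed at QoS 0" (0x00), which the Domoticz log line alone does not make obvious.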

giejay commented 5 years ago

Going to close this one, seeing as it's fixed. For historic purposes, the issue was the 1.5 version of mosquitto in combination with the mosquitto auth plugin regarding the read/write level: https://github.com/jpmens/mosquitto-auth-plug/issues/356