Closed joost01 closed 3 years ago
Hi, in the current code base there is no support for TLS yet. Secure MQTT uses a different port. I saw this article: https://stackoverflow.com/questions/51942821/how-to-use-ssl-tls-in-paho-mqtt-using-python-i-got-certificate-verify-failed
Using a client certificate is a valid use case as well. It does not seem too difficult to implement, but it will need some testing, and perhaps some additional configuration settings.
A good site to test with: http://test.mosquitto.org/
If you want you can use a free cloud MQTT platform to test the solution, for instance HiveMQ. The advantage of this platform is it uses a valid certificate, though I can imagine most home users will use self-signed certificates in their home setup.
However, a nice solution would be an optional "valid certificate" check, as it is used more often in Home Assistant solutions. I assume it is an enhancement of the mqtt.py script?
I assume it is an enhancement of the mqtt.py script?
Well yeah, it is an output plugin. In fact it is not so difficult to update it. https://github.com/jbouwh/omnikdatalogger/blob/main/apps/omnikdatalogger/omnik/plugin_output/mqtt.py#L25-L66
Feel free to start a pull request
Working on it, see:
https://github.com/jbouwh/omnikdatalogger/tree/mqtt-tls-support
Got MQTT output working with TLS and even client certs or a different CA. Docs need an update.
New settings (example):
ca_certs: ./.omnik/ca/mosquitto.org.crt
client_cert: ./.omnik/client.crt
client_key: ./.omnik/client.key
The mqtt_proxy client needs an update as well, will do that later.
I will push the 1.8.0 release next week. I have made a beta pre-release in advance; you can find it at https://github.com/jbouwh/omnikdatalogger/releases Feel free to give some feedback!
However, a nice solution would be an optional "valid certificate" check
You can supply an alternative CA file now (can be self-signed/maintained). Tested with all sorts of scenarios from http://test.mosquitto.org/ including client certificates and an alternate CA file.
I tested the pre-release. I think it will work for users with a completely secured local MQTT infrastructure, with self-signed and/or public certificates. I haven't used the device certs yet, but I might set it up for my local environment.
In my case I needed to connect to a secured mqtt cloud server (with valid certificate) on port 8883. This worked with a few changes in the code, like:
self.tls = self.config.getboolean("output.mqtt", "tls", fallback=True)
and
self.mqtt_client.tls_set(tls_version=mqttclient.ssl.PROTOCOL_TLS)
I know this is a quick and dirty workaround, but I couldn't find the parameters in the settings file so quickly. For now I can't test the complete message (no sunshine at night...), but I am sure this works
You should set ca_certs
and fill the file with the cert that was used to issue the server cert. That can be the same file if the certificate was self-signed. I have tested with an untrusted set-up.
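For reference, here is how the ca_certs / client_cert / client_key settings from this thread map onto a verified TLS setup for paho-mqtt. This is an added example, not omnikdatalogger's own mqtt.py code: it builds a standard-library SSLContext that always checks the broker certificate and hostname, and only accepts a self-signed broker certificate when the issuing CA is supplied via ca_certs (so verification never has to be switched off for a private CA). The settings mapping, the function names and the lazy paho import are my own assumptions; Client.tls_set_context() and Client.connect() are real paho-mqtt APIs.

```python
"""Added example (not the project's code): verified TLS for paho-mqtt from
the ca_certs / client_cert / client_key settings discussed in this issue."""
import ssl
from typing import Dict, Mapping, Optional

# Port mentioned in the thread for MQTT over TLS.
DEFAULT_MQTT_TLS_PORT = 8883


def build_mqtt_tls_context(settings: Mapping[str, Optional[str]]) -> ssl.SSLContext:
    """Return an SSLContext for the broker connection.

    settings keys (names as in the thread's example; all optional):
      ca_certs    PEM file with the CA that issued the broker certificate.
                  Absent -> the system trust store is used (public CAs).
      client_cert PEM client certificate, for brokers that require one.
      client_key  PEM private key matching client_cert.
    """
    ca_certs = settings.get("ca_certs") or None
    # create_default_context() already sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; passing cafile swaps the trust store for the
    # private CA instead of disabling verification.
    context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_certs)
    # Refuse TLS 1.0/1.1 even if the broker still offers them.
    context.minimum_version = ssl.TLSVersion.TLSv1_2

    client_cert = settings.get("client_cert") or None
    client_key = settings.get("client_key") or None
    # A half-configured client identity is a misconfiguration, not a default.
    if bool(client_cert) != bool(client_key):
        raise ValueError("client_cert and client_key must be set together")
    if client_cert:
        context.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return context


def tls_policy(context: ssl.SSLContext) -> Dict[str, str]:
    """Summarise the effective policy (handy for a startup log line)."""
    return {
        "verify_mode": context.verify_mode.name,
        "check_hostname": str(context.check_hostname),
        "minimum_version": context.minimum_version.name,
    }


def make_mqtt_client(host: str, settings: Mapping[str, Optional[str]], port: int = DEFAULT_MQTT_TLS_PORT):
    """Create a paho client with the TLS context attached and connect it.

    paho is imported here (assumed installed) so the helpers above can be
    exercised without it. Hypothetical wrapper; not part of omnikdatalogger.
    """
    import paho.mqtt.client as mqtt

    client = mqtt.Client()
    client.tls_set_context(build_mqtt_tls_context(settings))
    client.connect(host, port)
    return client


if __name__ == "__main__":
    # Constructed settings in the thread's format; paths are placeholders.
    example = {
        "ca_certs": "",  # empty -> system trust store, e.g. a public cloud broker
        "client_cert": "",
        "client_key": "",
    }
    print(tls_policy(build_mqtt_tls_context(example)))
```

With an empty ca_certs the context trusts the public CAs, which is the cloud-broker case from this thread; with ca_certs pointing at the mosquitto.org CA (or your own self-signed CA file) the same code verifies a private broker. If connecting still fails, the log will show a certificate verification error rather than a silent "MQTT disconnected", which is the behaviour you want when the broker certificate does not match.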
For now I will close this issue, I think the supplied options should be enough for now.
Thank you, I'll test your last solution! For now it works great!
I am trying to make an MQTT connection to a cloud-based MQTT broker. I use this for a remote Omnik installation. For some reason I only get "MQTT disconnected" messages in the log, but nothing has been published to the MQTT broker. The messages are like these:
"INFO:omnik.datalogger:I 2021-10-26T14:07:45.747265 MQTT disconnected"
Actually this is more a question: is there support for MQTT using secure protocols (TLS, using port 8883)?