owntracks / quicksetup

A (mostly) automated installer for OwnTracks Recorder, Frontend with MQTT and Let's Encrypt
https://owntracks.org/booklet/guide/quicksetup/

MQTT configuration changes #24

Closed whmoorejr closed 7 months ago

whmoorejr commented 7 months ago

I'm working on two things that are both MQTT related with the recent change.

Short question: 1) Where do I put the extra configuration lines for owntracks-cards (listener 9001)?

2) Can the 'listener 1883 127.0.0.1' be changed to just 'listener 1883' for local (non-SSL) access to the MQTT broker?

Long version of question 1) Cards: I used the online tool to create a card https://avanc.github.io/owntracks-cards/. Since I'm really new to MQTT, I tried publishing the card via MQTT Explorer https://apps.apple.com/us/app/mqtt-explorer/id1455214828?mt=12

In that application, I used topic owntracks/indigo/myphone/info, copy/pasted the JSON from the saved file created with the online tool, and clicked "Publish".

On the OwnTracks web interface, "Device Table", it worked. The icon is there, and the name is now "Indigo Server" instead of "IS". However, on the other devices, the card didn't populate. From my device "bill/myphone" I still see "IS" and just the circle with an "IS" in the middle. So it kinda worked.

Next I decided to add the card page thing to my raspberry pi. https://github.com/avanc/owntracks-cards

Where I'm stuck: where do I put the extra configuration lines? Since mosquitto now uses owntracks.conf, I considered adding them to the end of that file (spoiler: don't do that). It crashed mosquitto; I removed the extra lines, restarted the rPi a couple of times, and now I'm back to square one.

# -- 1883 ----- Plain (loopback only)
listener 1883 127.0.0.1

# -- 8883 ----- TLS
listener 8883
# cafile /etc/mosquitto/certs/.lego/certificates/isl.mynetgear.com.issuer.crt
cafile /usr/local/owntracks/tls/cert.crt
certfile /usr/local/owntracks/tls/cert.crt
keyfile /usr/local/owntracks/tls/cert.key
# -- ends

# -- 9001 ----- Cards
listener 9001
protocol websockets
http_dir /home/williammoore/owntracks-cards

Long version of question 2) I'm having a booger of a time connecting my home automation system (on the same LAN) to the MQTT broker. IP address/user/password are right. Tried DNS instead of the IP address. Selected SSL/TLS. Tried adding the cert file from /usr/local/owntracks/tls/cert.crt to my Indigo server. Everything I have tried so far has yielded zero. But it is a local connection, so I'm not too concerned about the security of it, and I closed port forwarding on 1883 when the MQTT changed to 8883. Can the 1883 config line be changed to:

# -- 1883 ----- Plain 
listener 1883
# -- 1883 ------ loopback
listener 1883 127.0.0.1

or something similar?

ckrey commented 7 months ago

When you publish the new card with MQTT explorer, make sure you set the Retain flag to true and use QoS = 1 or 2. Otherwise the info message will only be delivered to the other devices which are connected at the moment.

When establishing a TLS connection, you should not use the MQTT broker's cert file on the client side, but the cafile which includes the root certificates of Let's Encrypt.

On Linux you can use /etc/ssl/certs/ca-certificates.crt or obtain the Let's Encrypt root certificate (isrgrootx1.pem) here: https://letsencrypt.org/certificates/

Then you can access your broker via DNS from the "outside":

mosquitto_sub --cafile /etc/ssl/certs/ca-certificates.crt -h yourhost.yourdomain -p 8883 -u user -P password -t '#' -v
or
mosquitto_sub --cafile isrgrootx1.pem -h yourhost.yourdomain -p 8883 -u user -P password -t '#' -v

Please do not change the /etc/mosquitto/conf.d/owntracks.conf file because it will be overwritten by the next run of ./bootstrap.sh. If you need to, create a separate /etc/mosquitto/conf.d/local.conf file as root. But with the TLS as explained above you should not need to use additional ports or use unencrypted communication.

For security reasons, we block all ports except 22(ssh), 80(HTTP), 443(HTTPS), and 8883(MQTTS) via firewall during the setup process.

ckrey commented 7 months ago

Your attempt to use port 9001 with mosquitto for websockets does not work because the standard version of mosquitto cannot be used for websockets.

jpmens commented 7 months ago

@whmoorejr let us know why you need that specific "card" Web-based app you've been using. As @ckrey said, we cannot make that work with the standard Mosquitto broker versions in Debian/Ubuntu.

jpmens commented 7 months ago

Further to the comment regarding the use of the --cafile option in mosquitto_[ps]ub, you might actually not need it: if the Linux system on which you're working is correctly set up, something like this should suffice:

mosquitto_sub -h bill.example -p 8883 -u user ....

Mosquitto clients find the installed root CA certificates from the CA bundle of the system.
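The two points made in this thread, publishing the card retained with QoS 1 so devices that connect later still get it, and verifying the broker against a CA bundle rather than its own cert.crt, as one added example. This is not code from the quicksetup repository or from anyone in the thread. It assumes the owntracks/<user>/<device>/info topic used above, a broker on 8883 with a Let's Encrypt certificate, credentials in the environment variables MQTT_USER and MQTT_PASS (a name chosen here), and paho-mqtt installed only for the real publish in main(); everything else is the standard library.

```python
"""Publish an OwnTracks card as a retained QoS 1 message over MQTTS.

Added example (not project code). Assumptions: topic form
owntracks/<user>/<device>/info, broker on port 8883 with a Let's Encrypt
certificate, credentials in MQTT_USER / MQTT_PASS, paho-mqtt for main().
"""
import base64
import json
import os
import ssl
from typing import Optional


def build_card(name: str, face_bytes: Optional[bytes] = None) -> dict:
    """Build the OwnTracks card document: _type "card", a display name and,
    optionally, a base64-encoded PNG/JPEG in "face"."""
    if not name:
        raise ValueError("card needs a name")
    card = {"_type": "card", "name": name}
    if face_bytes:
        card["face"] = base64.b64encode(face_bytes).decode("ascii")
    return card


def card_topic(user: str, device: str) -> str:
    """The /info topic cards are published to. Reject separators and
    wildcards so a bad user/device string cannot escape the owntracks/ tree."""
    for part in (user, device):
        if not part or any(c in part for c in "/+#"):
            raise ValueError(f"invalid topic component: {part!r}")
    return f"owntracks/{user}/{device}/info"


def make_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS: trust a CA bundle (the system store when cafile is
    None), never the broker's own leaf cert.crt, and check the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def publish_card(client, topic: str, card: dict):
    """retain=True keeps the card on the broker for devices that connect
    later; QoS 1 makes the broker acknowledge it. Returns whatever the
    client's publish() returns (a MQTTMessageInfo with paho)."""
    payload = json.dumps(card, separators=(",", ":"))
    return client.publish(topic, payload, qos=1, retain=True)


if __name__ == "__main__":
    import sys
    import paho.mqtt.client as mqtt  # only needed for the real publish

    # usage: python card.py bill.example bill myphone "Bill" [face.png]
    host, user, device, name = sys.argv[1:5]
    face = open(sys.argv[5], "rb").read() if len(sys.argv) > 5 else None

    try:  # paho-mqtt 2.x requires the callback API version; 1.x does not have it
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)
    except AttributeError:
        client = mqtt.Client()
    client.username_pw_set(os.environ["MQTT_USER"], os.environ["MQTT_PASS"])
    client.tls_set_context(make_tls_context())  # system CA bundle, as in the thread
    client.connect(host, 8883)
    client.loop_start()
    info = publish_card(client, card_topic(user, device), build_card(name, face))
    info.wait_for_publish()
    client.loop_stop()
    client.disconnect()
```

Running it against the broker with the system bundle is the equivalent of the mosquitto_sub line above without --cafile; pass make_tls_context("isrgrootx1.pem") to pin the Let's Encrypt root instead. Pointing cafile at the broker's cert.crt, as the opening post tried, gives a verification failure because a leaf certificate is not a trust anchor.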

whmoorejr commented 7 months ago

> When you publish the new card with MQTT explorer, make sure you set the Retain flag to true and use QoS = 1 or 2. Otherwise the info message will only be delivered to the other devices which are connected at the moment.

It worked like a charm. From start to finish it now takes me about 30 seconds to create an OwnTracks card and publish it out to all the devices via the MQTT Explorer app. Thank you.

> @whmoorejr let us know why you need that specific "card" Web-based app you've been using. As @ckrey said, we cannot make that work with the standard Mosquitto broker versions in Debian/Ubuntu.

That web-based app works fine for generating and saving a card. Ideally, it would be nice if there was a 4th tab on the main interface for settings: update a card for any device, publish a waypoint/region to all devices, edit the .yaml file... basically idiot-proof it so once it's running there's no more need to SSH in or whatnot. It would be nice to be at a point where I could put a running version on a Raspberry Pi at a friend's house and let them manage it, even if they don't know what "terminal" is, let alone SSH.

As for the other connection thing... EDIT: Also resolved. I don't know why. Same settings, didn't change anything on either end; it just started working on the home automation side. I'm now communicating with him to see if it is a bug in the plugin or just a fluke. But all is good here and I, once again, thank you guys for your hard work on this.

whmoorejr commented 7 months ago

All Items resolved :-)

jpmens commented 7 months ago

Very glad all's well for you.

> it would be nice if there was a 4th tab on the main interface for settings.... update a card for any device

I assume you mean a tab within the iOS OwnTracks app? It actually is possible with newer versions to create and publish a card (for myself) directly from the app. Navigate to Settings where you'll see a Create Card entry. Click on that; you can select an image from the iPhone or take a photo directly, set a name, and hit Save.

whmoorejr commented 7 months ago

> I assume you mean a tab within the iOS OwnTracks app?

Actually, I was thinking about the OwnTracks web interface. So there would be 4 main tabs or bullets (Frontend, Device table, Live map, Settings). A settings page could include things that otherwise would require knowledge of SSH, sudo nano .yaml, etc.: add a friend, remove a friend, create/update a card, create a "region" for all devices. One change with that: at least one of the users should probably be designated as an admin in case you don't want every user to have a settings option on their screen.

> It actually is possible with newer versions to create and publish a card (for myself) directly from the app. Navigate to Settings where you'll see a Create Card entry. Click on that; you can select an image from the iPhone or take a photo directly, set a name, and hit Save.

Yes, and when I first found that I was very happy. When I initially started using OwnTracks, it looked kinda like an old military platform I used to use, with the tid letters on the map. Then I found the contact card part under settings and was pretty impressed with how easy that was and how quickly it updated every other device. In my particular case, I'm dragging 3 older phones along for the ride.

I also like the option for central management for the kid factor. Example: I used a shared Apple ID for family contacts on everyone's phone in the house. Right away, my teenager started renaming contacts with goofy pet names. Like me = Bill... became Daddy-O. And changing contact pictures for people in the house. This, in turn, updated the names and photos for contacts on everyone's device. I have since removed that from all their phones so they can't update or mess up my stuff.

Random side note: the iOS app will run on a newer Mac. I'm not sure if this helps in any way or opens any options.