thingsboard / tbmq

Open-source, scalable, and fault-tolerant MQTT broker able to handle 4M+ concurrent client connections, supporting at least 3M messages per second throughput per single cluster node with low latency delivery. The cluster mode supports more than 100M concurrently connected clients.
https://thingsboard.io/products/mqtt-broker/
Apache License 2.0

[Question] Which certificate can be used for MQTTs connection at TBMQ #179

Open IhorYednak opened 4 days ago

IhorYednak commented 4 days ago

Hello @dmytro-landiak

Can you advise on how to properly use the SSL certificate with TBMQ? I was able to get to etc/ssl/certs in the docker tbmq image. However, when I ran the ls command I was flooded with a lot of files. Would you be able to help me clarify which certificate I should use for SSL and how to properly define it in the docker-compose.yml file?

Attached is a screenshot of what I see here:

[screenshot]

Also here is a copy of the docker-compose.yml:

```yaml
# Copyright © 2016-2024 The Thingsboard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

version: "3.0"
services:
  postgres:
    restart: always
    image: "postgres:15"
    ports:

volumes:
  tbmq-postgres-data:
    external: true
  tbmq-kafka-data:
    external: true
  tbmq-logs:
    external: true
  tbmq-data:
    external: true
```

I will appreciate any kind of help. Thank you in advance!

dmytro-landiak commented 1 day ago

hey @IhorYednak!

Thank you for reaching out! To resolve the issue, you can generate a self-signed certificate and mount it into the Docker container using bind mounts from a directory on the host machine. Once the certificate is available inside the container, you need to configure the appropriate environment variables to point to the certificate and private key. These steps will enable TBMQ to use the self-signed certificate for TLS.

For more details:

- https://thingsboard.io/docs/mqtt-broker/security/
- https://docs.docker.com/engine/storage/bind-mounts/
- https://thingsboard.io/docs/user-guide/mqtt-over-ssl/#self-signed-certificates-generation

Let us know if you need further assistance!

IhorYednak commented 1 day ago

Thank you for your reply @dmytro-landiak. In case I already have a certificate, if I move it into the directory with the config files for tbmq and configure the passwords and the path to it in the tbmq.conf file, will it work?

dmytro-landiak commented 1 day ago

You can try that but this is not recommended.

Better use the approach below (note: the example here uses server.pem and server_key.pem with no password):

```yaml
...
  tbmq:
    restart: always
    image: "thingsboard/tbmq:2.0.0"
...
    environment:
      TB_SERVICE_ID: tbmq
...
      LISTENER_SSL_ENABLED: true
      LISTENER_SSL_PEM_CERT: /ssl/server.pem
      LISTENER_SSL_PEM_KEY: /ssl/server_key.pem
      #JAVA_OPTS: "-Xmx2048M -Xms2048M -Xss384k -XX:+AlwaysPreTouch"
    volumes:
      - tbmq-logs:/var/log/thingsboard-mqtt-broker
      - tbmq-data:/data
      - PUT_THE_PASS_TO_CERTIFICATE_HERE_ON_HOST_MACHINE:/ssl
...
```

IhorYednak commented 1 day ago

So you mean to use the docker-compose.yml instead of conf, correct?

dmytro-landiak commented 1 day ago

yes, you understood this correctly

IhorYednak commented 1 day ago

And about the path, does it specify the path inside the container where tbmq is running, or the path inside the VM?

[screenshot]

dmytro-landiak commented 1 day ago

It is the path inside the container. So, the path at the end of the next line (`/ssl`) + the name of the files:

```yaml
volumes:
  - PUT_THE_PASS_TO_CERTIFICATE_HERE_ON_HOST_MACHINE:/ssl
```

IhorYednak commented 1 day ago

This is how I did it:

[screenshot]

But I still can't see the variable "TLS Listener is Enabled":

[screenshot]

Steps I did:

1. Generated the key and certificate:

```shell
openssl ecparam -out server_key.pem -name secp256r1 -genkey
openssl req -new -key server_key.pem -x509 -nodes -days 365 -out server.pem
```

2. Copied server.pem and server_key.pem to etc/ssl/certs on the VM.
3. Provided access to the files with `chmod 644 /path/to/certificates/*` for all files inside the certs folder.

No clue what else could do the trick :(

dmytro-landiak commented 16 hours ago

Please add the SECURITY_MQTT_SSL_ENABLED env to the docker-compose file with the value true. Please read the following doc: https://thingsboard.io/docs/mqtt-broker/security/#tls-listener

In addition, you have wrongly set LISTENER_SSL_PEM_CERT and so on. In your case, it should be

```yaml
LISTENER_SSL_PEM_CERT: /etc/ssl/certs/server.pem
```

But I recommend using another folder.
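The procedure spread over the thread (bind-mount the certificate directory into the container, point LISTENER_SSL_PEM_CERT and LISTENER_SSL_PEM_KEY at the path inside the container, and set both LISTENER_SSL_ENABLED and SECURITY_MQTT_SSL_ENABLED to true) is easy to get subtly wrong, as the /etc/ssl/certs mismatch above shows. The following is an added example, not TBMQ project code and not something the maintainers posted: a small Python audit of the `services.tbmq` mapping (in the shape `yaml.safe_load` returns) that resolves each PEM path through the bind mounts, checks the files on the host, and uses the standard library's `ssl.SSLContext.load_cert_chain` to confirm the certificate and key belong together. The host directory `/opt/tbmq/ssl` and the two sample configs are constructed for illustration.

```python
"""Audit the TLS listener settings of the tbmq service from a docker-compose file.

Added example (not TBMQ project code). Input: the `services.tbmq` mapping as
yaml.safe_load would return it. Reports the mistakes seen in the thread: an
enable flag not set, a PEM path no bind mount provides, a missing host file,
a world-readable private key, and a cert/key pair that does not load together.
"""
import os
import posixpath
import ssl

ENABLE_FLAGS = ("LISTENER_SSL_ENABLED", "SECURITY_MQTT_SSL_ENABLED")
CERT_VAR, KEY_VAR = "LISTENER_SSL_PEM_CERT", "LISTENER_SSL_PEM_KEY"


def is_true(value):
    # YAML may yield a bool (true) or a string ("true"); accept both.
    return str(value).strip().lower() == "true"


def env_as_dict(environment):
    # compose allows both a mapping and a ["KEY=value", ...] list.
    if isinstance(environment, list):
        return dict(item.split("=", 1) if "=" in item else (item, "") for item in environment)
    return dict(environment or {})


def bind_mounts(volumes):
    """(host_path, container_path) for short-syntax bind mounts.

    A source that is not a path (e.g. tbmq-logs) is a named volume; its
    contents are not on the host, so it is skipped."""
    mounts = []
    for spec in volumes or []:
        if not isinstance(spec, str) or ":" not in spec:
            continue
        src, dst = spec.split(":")[:2]
        if src.startswith(("/", "./", "../", "~")):
            mounts.append((src, posixpath.normpath(dst)))
    return mounts


def resolve_host_path(container_path, mounts):
    """Map a path inside the container to the host path backing it (longest mount wins)."""
    cpath = posixpath.normpath(container_path)
    best = None
    for host, cont in mounts:
        if cpath == cont or cpath.startswith(cont.rstrip("/") + "/"):
            if best is None or len(cont) > len(best[1]):
                best = (host, cont)
    if best is None:
        return None
    rel = posixpath.relpath(cpath, best[1])
    return best[0] if rel == "." else os.path.join(best[0], rel)


def audit_tls(service):
    """Return a list of findings; an empty list means the config looks sane."""
    env = env_as_dict(service.get("environment"))
    mounts = bind_mounts(service.get("volumes"))
    findings = []
    for flag in ENABLE_FLAGS:
        if not is_true(env.get(flag)):
            findings.append(f"{flag} is not set to true")
    host_files = {}
    for var in (CERT_VAR, KEY_VAR):
        cpath = env.get(var)
        if not cpath:
            findings.append(f"{var} is not set")
            continue
        host = resolve_host_path(cpath, mounts)
        if host is None:
            findings.append(f"{var}={cpath} is not under any bind mount")
        elif not os.path.isfile(host):
            findings.append(f"{var}: host file {host} does not exist")
        else:
            host_files[var] = host
    key = host_files.get(KEY_VAR)
    if key and os.stat(key).st_mode & 0o007:
        findings.append(f"{KEY_VAR}: {key} is world-readable")
    if len(host_files) == 2:
        # load_cert_chain refuses a key that does not match the certificate.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(host_files[CERT_VAR], host_files[KEY_VAR])
        except (ssl.SSLError, OSError) as exc:
            findings.append(f"certificate and key failed to load: {exc.__class__.__name__}")
    return findings


# Constructed sample: the configuration from this thread (host dir is hypothetical).
THREAD_CONFIG = {
    "environment": {
        "LISTENER_SSL_ENABLED": True,
        "LISTENER_SSL_PEM_CERT": "/etc/ssl/certs/server.pem",
        "LISTENER_SSL_PEM_KEY": "/etc/ssl/certs/server_key.pem",
    },
    "volumes": ["tbmq-logs:/var/log/thingsboard-mqtt-broker", "tbmq-data:/data", "/opt/tbmq/ssl:/ssl"],
}

# Constructed sample: the same service with the fixes suggested by the maintainer.
FIXED_CONFIG = {
    "environment": {
        "LISTENER_SSL_ENABLED": True,
        "SECURITY_MQTT_SSL_ENABLED": True,
        "LISTENER_SSL_PEM_CERT": "/ssl/server.pem",
        "LISTENER_SSL_PEM_KEY": "/ssl/server_key.pem",
    },
    "volumes": ["tbmq-logs:/var/log/thingsboard-mqtt-broker", "tbmq-data:/data", "/opt/tbmq/ssl:/ssl"],
}

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_tls(cfg) or ["ok"])
```

Paths are resolved purely by prefix, so a PEM path outside every bind mount (the /etc/ssl/certs case above) is reported before the container is even started; the pair check only runs once both host files exist, and a hypothetical mismatched or non-PEM pair surfaces as a load failure rather than a silent listener that never comes up. Only the "others" permission bits are flagged on the key, since the broker's container user may legitimately need group access.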