Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
wiki:user:nelgin [2020/04/05 02:11] – nelgin | wiki:user:nelgin [2024/09/03 11:22] (current) – [Mosquitto, Synchronet and TLS With Self-Signed Certs] nelgin | ||
---|---|---|---|
Line 7: | Line 7: | ||
He plays keyboards, guitar, and drums for fun. | He plays keyboards, guitar, and drums for fun. | ||
- | His aim is to visit all 50 states. He's visited | + | His aim is to visit all 50 states. He's visited |
End Of The Line BBS is run by Nelgin | End Of The Line BBS is run by Nelgin | ||
Line 15: | Line 15: | ||
telnet:// | telnet:// | ||
+ | ssh:// | ||
+ | |||
+ | rlogin:// | ||
+ | |||
+ | Point a viewdata emulator at endofthelinebbs.com port 6502 to try the experimental interface. | ||
{{: | {{: | ||
+ | |||
+ | |||
+ | ===== Mosquitto, Synchronet and TLS With Self-Signed Certs ===== | ||
+ | |||
+ | This works for me. It might not work for you. It's easier to do all this as root and then chown/chmod files as necessary to secure them. This works on Ubuntu. | ||
+ | |||
+ | First I created a dns entry mqtt.endofthelinebbs.com to point to my server IP address. You could probably use your regular dns name or something else, I'm not sure. I just know this works for me. | ||
+ | Obviously, don't use endofthelinebbs.com but your own domain name throughout. Your certs are not going to work on my mqtt server! | ||
+ | |||
+ | Next, I decided to create a password for my bbs user for extra security. | ||
+ | |||
+ | In / | ||
+ | |||
+ | bbs: | ||
+ | | ||
+ | Now, convert the file | ||
+ | mosquitto_passwd -U pwfile | ||
+ | | ||
+ | This will upgrade the file and hash the plain text password. Never run -U on an already hashed password file or it'll rehash the hashed password! | ||
+ | |||
+ | In your / | ||
+ | |||
+ | Create your CA | ||
+ | |||
+ | openssl genrsa -des3 -out ca.key 2048 | ||
+ | Enter a passphrase you'll remember. You'll need this to sign your certs. | ||
+ | |||
+ | Now create your ca.crt | ||
+ | |||
+ | openssl req -new -x509 -days 36500 -key ca.key -out ca.crt | ||
+ | | ||
+ | For Common Name, I just entered the domain, endofthelinebbs.com | ||
+ | |||
+ | | ||
+ | Create a server.key | ||
+ | |||
+ | openssl genrsa -out server.key 2048 | ||
+ | Now the csr | ||
+ | |||
+ | openssl req -new -out server.csr -key server.key | ||
+ | Here I use mqtt.endofthelinebbs.com as the Common Name. This is what we'll use to connect to the mqtt service. | ||
+ | |||
+ | Now create the crt | ||
+ | openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500 | ||
+ | Create / | ||
+ | |||
+ | allow_anonymous false | ||
+ | password_file / | ||
+ | log_type debug | ||
+ | # mqtt protocol standard port | ||
+ | listener 1883 | ||
+ | # mqtt protocol ssl port | ||
+ | listener 8883 | ||
+ | tls_version tlsv1.2 | ||
+ | cafile / | ||
+ | certfile / | ||
+ | keyfile / | ||
+ | require_certificate true | ||
+ | use_identity_as_username false | ||
+ | # websocket protocol standard port | ||
+ | listener 1884 | ||
+ | protocol websockets | ||
+ | socket_domain ipv4 | ||
+ | # websocket protocol ssl port | ||
+ | listener 8884 | ||
+ | protocol websockets | ||
+ | socket_domain ipv4 | ||
+ | cafile / | ||
+ | certfile / | ||
+ | keyfile / | ||
+ | require_certificate true | ||
+ | use_identity_as_username false | ||
+ | | ||
+ | chown mosquitto. / | ||
+ | chmod 640 / | ||
+ | | ||
+ | Now start or restart your mosquitto service | ||
+ | |||
+ | systemctl restart mosquitto | ||
+ | or | ||
+ | systemctl start mosquitto | ||
+ | | ||
+ | Check / | ||
+ | |||
+ | 1702534680: mosquitto version 2.0.11 starting | ||
+ | 1702534680: Config loaded from / | ||
+ | 1702534680: Opening ipv4 listen socket on port 1883. | ||
+ | 1702534680: Opening ipv6 listen socket on port 1883. | ||
+ | 1702534680: Opening ipv4 listen socket on port 8883. | ||
+ | 1702534680: Opening ipv6 listen socket on port 8883. | ||
+ | 1702534680: Opening websockets listen socket on port 1884. | ||
+ | 1702534680: Opening websockets listen socket on port 8884. | ||
+ | 1702534680: mosquitto version 2.0.11 running | ||
+ | | ||
+ | If all is good you can now make your sbbs certs. | ||
+ | |||
+ | |||
+ | Create your key | ||
+ | cd / | ||
+ | openssl genrsa -out sbbs_mqtt.key 2048 | ||
+ | Create your csr | ||
+ | openssl req -new -out sbbs_mqtt.csr -key sbbs_mqtt.key | ||
+ | For Common Name, I use the BBS hostname, bbs.endofthelinebbs.com | ||
+ | Create your crt | ||
+ | openssl x509 -req -in sbbs_mqtt.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sbbs_mqtt.crt | ||
+ | | ||
+ | copy the / | ||
+ | |||
+ | cp / | ||
+ | mv / | ||
+ | cd /sbbs/ctrl | ||
+ | chown bbsuser: | ||
+ | Replacing bbsuser and bbsgroup with the username/ | ||
+ | |||
+ | use scfg to configure your MTQQ accordingly, | ||
+ | |||
+ | < | ||
+ | [MQTT] | ||
+ | Enabled=true | ||
+ | Verbose=true | ||
+ | Broker_addr=mqtt.endofthelinebbs.com | ||
+ | Broker_port=8883 | ||
+ | Protocol_version=5 | ||
+ | Keepalive=11 | ||
+ | Publish_QOS=0 | ||
+ | Subscribe_QOS=2 | ||
+ | Username=bbs | ||
+ | Password=xxxxxxxxx | ||
+ | LogLevel=Debugging | ||
+ | TLS_mode=1 | ||
+ | TLS_cafile=/ | ||
+ | TLS_certfile=/ | ||
+ | TLS_keyfile=/ | ||
+ | TLS_keypass= | ||
+ | TLS_psk= | ||
+ | TLS_identity= | ||
+ | </ | ||
+ | | ||
+ | |||
+ | You'll need to restart sbbs. I found that if it's already connected to port 1883 then it won't establish a new connection. | ||
+ | |||
+ | If you're lucky, your logfile will show sbbs connected: | ||
+ | |||
+ | 1702583738: New client connected from 192.138.210.158: | ||
+ | |||
+ | |||
+ | This is a very rough draft of what worked for me on my Ubuntu 22.04.3 with the latest build of Synchronet. |