
wiki:user:nelgin, revision 2021/01/24 20:07 (nelgin) compared with revision 2024/09/03 11:22 (current, nelgin), section [Mosquitto, Synchronet and TLS With Self-Signed Certs]
He plays keyboards, guitar, and drums for fun.

His aim is to visit all 50 states. He's visited 36 so far.

End Of The Line BBS is run by Nelgin

{{:person:guitar.png}}
===== Mosquitto, Synchronet and TLS With Self-Signed Certs =====

This works for me. It might not work for you. It's easier to do all this as root and then chown/chmod files as necessary to secure them. This works on Ubuntu.

First I created a DNS entry, mqtt.endofthelinebbs.com, pointing to my server's IP address. You could probably use your regular DNS name or something else, I'm not sure. I just know this works for me.
Obviously, don't use endofthelinebbs.com but your own domain name throughout. Your certs are not going to work on my mqtt server!

Next, I decided to create a password for my bbs user for extra security.

In /etc/mosquitto, create a file named pwfile containing a username:password line:

    bbs:mypasswd

Now convert the file:

    mosquitto_passwd -U pwfile

This will upgrade the file and hash the plain text password. Never run -U on an already hashed password file or it'll rehash the hashed password!
 +
In your /etc/mosquitto/certs directory:

Create your CA key:

    openssl genrsa -des3 -out ca.key 2048

Enter a passphrase you'll remember. You'll need this to sign your certs.

Now create your ca.crt:

    openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

For Common Name, I just entered the domain, endofthelinebbs.com.

Create a server.key:

    openssl genrsa -out server.key 2048

Now the CSR:

    openssl req -new -out server.csr -key server.key

Here I use mqtt.endofthelinebbs.com as the Common Name. This is what we'll use to connect to the mqtt service.

Now create the crt:

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500

Create /etc/mosquitto/conf.d/sbbs.conf:
 +
    allow_anonymous false
    password_file /etc/mosquitto/pwfile
    log_type debug
    # mqtt protocol standard port
    listener 1883
    # mqtt protocol ssl port
    listener 8883
    tls_version tlsv1.2
    cafile /etc/mosquitto/certs/ca.crt
    certfile /etc/mosquitto/certs/server.crt
    keyfile /etc/mosquitto/certs/server.key
    require_certificate true
    use_identity_as_username false
    # websocket protocol standard port
    listener 1884
    protocol websockets
    socket_domain ipv4
    # websocket protocol ssl port
    listener 8884
    protocol websockets
    socket_domain ipv4
    cafile /etc/mosquitto/certs/ca.crt
    certfile /etc/mosquitto/certs/server.crt
    keyfile /etc/mosquitto/certs/server.key
    require_certificate true
    use_identity_as_username false

Set ownership and permissions on the certs, the config and the password file:

    chown mosquitto. /etc/mosquitto/certs/* /etc/mosquitto/conf.d/sbbs.conf /etc/mosquitto/pwfile
    chmod 640 /etc/mosquitto/certs/* /etc/mosquitto/pwfile

Now start or restart your mosquitto service:

    systemctl restart mosquitto

or, if it isn't running yet:

    systemctl start mosquitto

Check /var/log/mosquitto/mosquitto.log to see if it's running:

    1702534680: mosquitto version 2.0.11 starting
    1702534680: Config loaded from /etc/mosquitto/mosquitto.conf.
    1702534680: Opening ipv4 listen socket on port 1883.
    1702534680: Opening ipv6 listen socket on port 1883.
    1702534680: Opening ipv4 listen socket on port 8883.
    1702534680: Opening ipv6 listen socket on port 8883.
    1702534680: Opening websockets listen socket on port 1884.
    1702534680: Opening websockets listen socket on port 8884.
    1702534680: mosquitto version 2.0.11 running

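The sbbs.conf above opens plaintext listeners on 1883 and 1884 next to the TLS ones, so the bbs password from pwfile travels unencrypted to any client that picks those ports. As an added example (not the page's, Synchronet's or Mosquitto's own code), this Python audit parses a listener configuration the way Mosquitto scopes options and flags such listeners; it assumes the layout used on this page (per_listener_settings unset, options before the first listener global).

```python
# Added example, not Synchronet or Mosquitto code. Assumes the layout used on
# this page: options before the first `listener` are global, every later option
# belongs to the most recent `listener` line (per_listener_settings unset).
# SAMPLE_CONF is a constructed sample trimmed from the sbbs.conf above.
SAMPLE_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/pwfile
listener 1883
listener 8883
certfile /etc/mosquitto/certs/server.crt
require_certificate true
listener 1884
protocol websockets
listener 8884
protocol websockets
certfile /etc/mosquitto/certs/server.crt
require_certificate true
"""


def parse_mosquitto(text):
    """Return (global_options, [(port, options), ...]) for a conf fragment."""
    global_opts, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener":  # "listener <port> [bind address]"
            listeners.append((int(value.split()[0]), {}))
        elif listeners:
            listeners[-1][1][key] = value
        else:
            global_opts[key] = value
    return global_opts, listeners


def audit(text):
    """One finding per plaintext listener or TLS listener without client certs."""
    global_opts, listeners = parse_mosquitto(text)
    findings = []
    if global_opts.get("allow_anonymous", "false") == "true":
        findings.append("allow_anonymous true: unauthenticated clients accepted")
    for port, opts in listeners:
        proto = opts.get("protocol", "mqtt")
        if "certfile" not in opts:
            findings.append(f"listener {port} ({proto}): plaintext, pwfile credentials cross the wire unencrypted")
        elif opts.get("require_certificate") != "true":
            findings.append(f"listener {port} ({proto}): TLS but require_certificate is not true")
    return findings
```

Run `audit(open("/etc/mosquitto/conf.d/sbbs.conf").read())` on your own file; an empty list means every listener is TLS with client certificates required.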
If all is good you can now make your sbbs certs.

Create your key:

    cd /etc/mosquitto/certs
    openssl genrsa -out sbbs_mqtt.key 2048

Create your CSR:

    openssl req -new -out sbbs_mqtt.csr -key sbbs_mqtt.key

For Common Name, I use the BBS hostname, bbs.endofthelinebbs.com.

Create your crt:

    openssl x509 -req -in sbbs_mqtt.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sbbs_mqtt.crt -days 36500

Copy the /etc/mosquitto/certs/ca.crt file and move the sbbs_mqtt files to /sbbs/ctrl:

    cp /etc/mosquitto/certs/ca.crt /sbbs/ctrl
    mv /etc/mosquitto/certs/sbbs_mqtt.* /sbbs/ctrl
    cd /sbbs/ctrl
    chown bbsuser:bbsgroup ca.crt sbbs_mqtt.*

Replace bbsuser and bbsgroup with the username/group of your bbs user.
Use scfg to configure your MQTT settings accordingly: use port 8883, set the hostname to mqtt.endofthelinebbs.com and select TLS.

<code>
[MQTT]
Enabled=true
Verbose=true
Broker_addr=mqtt.endofthelinebbs.com
Broker_port=8883
Protocol_version=5
Keepalive=11
Publish_QOS=0
Subscribe_QOS=2
Username=bbs
Password=xxxxxxxxx
LogLevel=Debugging
TLS_mode=1
TLS_cafile=/sbbs/ctrl/ca.crt
TLS_certfile=/sbbs/ctrl/sbbs_mqtt.crt
TLS_keyfile=/sbbs/ctrl/sbbs_mqtt.key
TLS_keypass=
TLS_psk=
TLS_identity=
</code>

You'll need to restart sbbs. I found that if it's already connected to port 1883 then it won't establish a new connection.

If you're lucky, your logfile will show sbbs connected:

    1702583738: New client connected from 192.138.210.158:59382 as sbbs-EOTLBBS-bbs.endofthelinebbs.com-web (p5, c1, k11, u'bbs').

This is a very rough draft of what worked for me on my Ubuntu 22.04.3 with the latest build of Synchronet.