Mosquitto, Synchronet and TLS With Self-Signed Certs

Synchronet v3.19b-Win32 (install) has been released (Jan-2022).

You can donate to the Synchronet project using PayPal.

This is an old revision of the document!

Nelgin was born in England and moved to the US in 1996. He's fluent in both English English and American English :)

His hobbies include visiting bars and trying different beers, socializing, traveling, music, and astronomy.

He owns an 8“ Newtownian telescope.

He plays keyboards, guitar, and drums for fun.

His aim is to visit all 50 states. He's visited 36 so far.

End Of The Line BBS is run by Nelgin

http://www.endofthelinebbs.com

telnet://endofthelinebbs.com

ssh:endofthelinebbs.com rlogin:endofthelinebbs.com

Point a viewdata emulator at endofthelinebbs.com port 6502 to try the experimental interface.

Mosquitto, Synchronet and TLS With Self-Signed Certs

This works for me. It might not work for you. It's easier to do all this as root and then chown/chmod files as necessary to secure them. This works on Ubuntu.

First I created a dns entry mqtt.endofthelinebbs.com to point to my server IP address. You could probably use your regular dns name or something else, I'm not sure. I just know this works for me. Obviously, don't use endofthelinebbs.com but your own domain name throughout. Your certs are not going to work on my mqtt server!

Next, I decided to create a password for my bbs user for extra security.

In /etc/mosquitto create a pwfile file with a username:password line

  bbs:mypasswd

Now, convert the file

  mosquitto_passwd -U pwfile

This will upgrade the file and hash the plain text password. Never run -U on an already hashed password file or it'll rehash the hashed password!

In your /etc/mosquitto/certs directory:

Create your CA

  openssl genrsa -des3 -out ca.key 2048

Enter a passphrase you'll remember. You'll need this to sign your certs.

Now create your ca.crt

  openssl req -new -x509 -days 36500  -key ca.key -out ca.crt

For Common Name, I just entered the domain, endofthelinebbs.com

Create a server.key

  openssl genrsa -out server.key 2048

Now the csr

  openssl req -new -out server.csr -key server.key

Here I use mqtt.endofthelinebbs.com as the Common Name. This is what we'll use to connect to the mqtt service.

Now create the crt

  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500

Create /etc/mosquitto/conf.d/sbbs.conf

  allow_anonymous false
  password_file /etc/mosquitto/pwfile
  log_type debug
  # mqtt protocol standard port
  listener 1883
  # mqtt protocol ssl port
  listener 8883
  tls_version tlsv1.2
  cafile /etc/mosquitto/certs/ca.crt
  certfile /etc/mosquitto/certs/server.crt
  keyfile /etc/mosquitto/certs/server.key
  require_certificate true
  use_identity_as_username false
  # websocket protocol standard port
  listener 1884
  protocol websockets
  socket_domain ipv4
  # websocket protocol ssl port
  listener 8884
  protocol websockets
  socket_domain ipv4
  cafile /etc/mosquitto/certs/ca.crt
  certfile /etc/mosquitto/certs/server.crt
  keyfile /etc/mosquitto/certs/server.key
  require_certificate true
  use_identity_as_username false

chown mosquitto. /etc/mosquitto/certs/* /etc/mosquitto/conf.d/sbbs.conf /etc/mosquitto/pwfile chmod 640 /sbbs/mosquitto/certs/* /etc/mosquitto/pwfile

Now start or restart your mosquitto service

  systemctl restart mosquitto
  or
  systemctl start mosquitto

Check /var/log/mosquitto/mosquitto.log to see if its running

  1702534680: mosquitto version 2.0.11 starting
  1702534680: Config loaded from /etc/mosquitto/mosquitto.conf.
  1702534680: Opening ipv4 listen socket on port 1883.
  1702534680: Opening ipv6 listen socket on port 1883.
  1702534680: Opening ipv4 listen socket on port 8883.
  1702534680: Opening ipv6 listen socket on port 8883.
  1702534680: Opening websockets listen socket on port 1884.
  1702534680: Opening websockets listen socket on port 8884.
  1702534680: mosquitto version 2.0.11 running

If all is good you can now make your sbbs certs.

Create your key

  cd /etc/mosquitto/certs
  openssl genrsa -out  sbbs_mqtt.key 2048

Create your csr

  openssl req -new -out sbbs_mqtt.csr -key  sbbs_mqtt.key

For Common Name, I use the BBS hostname, bbs.endofthelinebbs.com Create your crt

  openssl x509 -req -in sbbs_mqtt.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out  sbbs_mqtt.crt  -days 36500

copy the /etc/mosquitto/certs/ca.crt file and sbbs_mqtt files to /sbbs/ctrl

  cp /etc/mosquitto/certs/ca.crt /sbbs/ctrl
  cp /etc/mosquitto/certs/sbbs_mqtt.* /sbbs/ctrl
  cd /sbbs/ctrl
  chown bbsuser:bbsgroup ca.crt sbbs_mqtt.*

Replacing bbsuser and bbsgroup with the username/group of your bbs user.

use scfg to configure your MTQQ accordingly, use port 8883, hostname is mqtt.endofthelinebbs.com and select TLS.

[MQTT]
Enabled=true
Verbose=true
Broker_addr=mqtt.endofthelinebbs.com
Broker_port=8883
Protocol_version=5
Keepalive=11
Publish_QOS=0
Subscribe_QOS=2
Username=bbs
Password=xxxxxxxxx
LogLevel=Debugging
TLS_mode=1
TLS_cafile=/sbbs/ctrl/ca.crt
TLS_certfile=/sbbs/ctrl/sbbs_mqtt.crt
TLS_keyfile=/sbbs/ctrl/sbbs_mqtt.key
TLS_keypass=
TLS_psk=
TLS_identity=

You'll need to restart sbbs. I found that if it's already connected to port 1883 then it won't establish a new connection.

If you're lucky, your logfile will show sbbs connected:

  1702583738: New client connected from 192.138.210.158:59382 as sbbs-EOTLBBS-bbs.endofthelinebbs.com-web (p5, c1, k11, u'bbs').

This is a very rough draft of what worked for me on my Ubuntu 22.04.3 with the latest build of Synchronet.

Trace: • Mosquitto, Synchronet and TLS With Self-Signed Certs

Mosquitto, Synchronet and TLS With Self-Signed Certs

Navigation

Search

Toolbox