ESP32 MQTT SSL Temperature Node
MQTT Mosquitto Broker
The Mosquitto broker can be deployed easily with the Docker Compose file shown below. In this example the MQTT broker listens on port 1883 (unencrypted) and port 8883 (TLS-encrypted).
Note
The Compose file below declares two volumes (config and data) so that the Mosquitto configuration and data are stored persistently.
version: "3.8"
services:
  mosquitto-esp32:
    image: eclipse-mosquitto:latest
    volumes:
      # host directories bind-mounted into the container; mosquitto.conf lives under config/
      - /srv/dev-disk-by-label/docker/volumes/mosquitto/config:/mosquitto/config
      - /srv/dev-disk-by-label/docker/volumes/mosquitto/data:/mosquitto/data
    networks:
      - IoT
    ports:
      - 1883:1883   # plain MQTT (no encryption)
      - 8883:8883   # MQTT over TLS
      - 9001:9001   # WebSockets; published here but no listener for it is declared in mosquitto.conf below
    restart: unless-stopped
networks:
  IoT:
    external: true
/mosquitto/mosquitto.conf
Warning
If you are using IP addresses, issue the certificates and keys for the IP address of the MQTT broker.
## Ports to listen on
listener 1883
## TLS listener: CA, broker certificate and broker key generated in the section below
listener 8883
cafile /mosquitto/config/certs/esp32_ca.crt
certfile /mosquitto/config/certs/esp32.crt
keyfile /mosquitto/config/certs/esp32.key
## No client authentication: anyone who can reach 1883 or 8883 may publish and subscribe.
## The client certificate is only demanded when require_certificate is set to true (see below).
allow_anonymous true
persistence true
## Container path: the compose file bind-mounts the host data directory here
persistence_location /mosquitto/data/
ESP32 MQTT Client
The lines of code shown below are the most crucial ones, as they are responsible for connecting the ESP32 to the MQTT broker.
Note
The set of SSL certificates and the key used by the ESP32 MQTT client must correspond to the ones used by the MQTT broker. Otherwise, the secure connection won't be established.
espClientSSL.setCACert(NODE_CERT_CA);          // CA that signed the broker certificate: lets the node verify the broker
espClientSSL.setCertificate(NODE_CERT_CRT);    // client certificate presented to the broker (client authentication)
espClientSSL.setPrivateKey(NODE_CERT_PRIVATE); // private key that pairs with NODE_CERT_CRT
connection.setServer(mqtt_server, 8883);       // mqtt_server -> 192.168.50.16, the TLS listener
secrets.h
Tip
Create a file called secrets.h to store the Wi-Fi configuration and the encryption keys. Add an entry to the .gitignore file so that secrets.h is never pushed to GitHub.
#pragma once
// Wi-Fi credentials and MQTT broker address
const char* WIFI_SSID = "IoT_bots";
const char* WIFI_PASSWORD = "212212212";
const char* mqtt_server = "192.168.50.16";

// MQTT Broker Root CA (esp32_ca.crt): the node uses it to verify the broker's certificate
static const char NODE_CERT_CA[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
< Cut&Paste content of CA certificate over here >
-----END CERTIFICATE-----
)EOF";

// MQTT Client Certificate (esp_node.crt): presented to the broker to authenticate the node
static const char NODE_CERT_CRT[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
< Cut&Paste content of client certificate over here >
-----END CERTIFICATE-----
)EOF";

// MQTT Client Key (esp_node.key): paste the key file exactly as openssl wrote it.
// It is a key, not a certificate, so its header is "BEGIN PRIVATE KEY"
// ("BEGIN RSA PRIVATE KEY" with older OpenSSL versions), never "BEGIN CERTIFICATE".
static const char NODE_CERT_PRIVATE[] PROGMEM = R"EOF(
-----BEGIN PRIVATE KEY-----
< Cut&Paste content of client key over here >
-----END PRIVATE KEY-----
)EOF";
Issuing Self-Generated SSL Certificates & Keys
It is easier to generate SSL certificates and keys on Linux, since it already comes with the necessary tools.
Certificate generator for TLS encryption
openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt -passout pass:1234 -subj '/CN=TrustedCA.net'
Note
If you are generating self-signed certificates, the CN can be anything.
openssl genrsa -out mosquitto.key 2048
openssl req -out mosquitto.csr -key mosquitto.key -new -subj '/CN=Mosquitto_broker_address'
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 365 -passin pass:1234
Important
In most cases the client verifies the address of the Mosquitto server, so it is necessary to set the CN to the correct address (e.g. yourserver.com)!
The client certificates below are only needed if the Mosquitto broker requires a certificate for client authentication (require_certificate is set to true in the Mosquitto config).
openssl genrsa -out esp.key 2048
openssl req -out esp.csr -key esp.key -new -subj '/CN=localhost'
openssl x509 -req -in esp.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out esp.crt -days 365 -passin pass:1234
Note
If the MQTT broker identifies clients by the CN field, it is necessary to set it to the correct value; otherwise it can be left blank. See the official Mosquitto configuration documentation.
# Complete example, broker reachable by a DNS name. Note that here the CA carries the server
# name while both leaf certificates use CN=localhost, which only matches when the client
# connects to the broker as "localhost".
openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt -passout pass:1234 -subj '/CN=myserver.dynamic-dns.net'
openssl genrsa -out mosquitto.key 2048
openssl req -out mosquitto.csr -key mosquitto.key -new -subj '/CN=localhost'
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 365 -passin pass:1234
openssl genrsa -out esp.key 2048
openssl req -out esp.csr -key esp.key -new -subj '/CN=localhost'
openssl x509 -req -in esp.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out esp.crt -days 365 -passin pass:1234

# Certificates used by this project: broker at 192.168.50.16, file names as referenced
# in mosquitto.conf (cafile/certfile/keyfile) and secrets.h.
# CA: esp32_ca.crt is the cafile on the broker and NODE_CERT_CA on the node
openssl req -new -x509 -days 365 -extensions v3_ca -keyout esp32_ca.key -out esp32_ca.crt -passout pass:1234 -subj '/CN=192.168.50.16'
# Broker key and certificate (keyfile/certfile); the CN is the broker IP the node connects to
openssl genrsa -out esp32.key 2048
openssl req -out esp32.csr -key esp32.key -new -subj '/CN=192.168.50.16'
openssl x509 -req -in esp32.csr -CA esp32_ca.crt -CAkey esp32_ca.key -CAcreateserial -out esp32.crt -days 365 -passin pass:1234
# Node (client) key and certificate (NODE_CERT_PRIVATE/NODE_CERT_CRT), signed by the same CA
openssl genrsa -out esp_node.key 2048
openssl req -out esp_node.csr -key esp_node.key -new -subj '/CN=localhost'
openssl x509 -req -in esp_node.csr -CA esp32_ca.crt -CAkey esp32_ca.key -CAcreateserial -out esp_node.crt -days 365 -passin pass:1234
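As an added example (not the project's or the page author's code), the following POSIX shell script gathers the certificate steps above into one run using the project's file names, then performs the checks the TLS handshake will later perform (both leaf certificates chain to the CA the node trusts, the broker certificate is valid for the exact address the node dials, and each certificate matches its private key), and writes the hardened counterpart of the mosquitto.conf shown earlier: TLS listener only, require_certificate true, the client certificate CN used as the MQTT username, and allow_anonymous false. BROKER_ADDR, OUT, CA_PASS, the function names and the node CN esp32-temp-node are this example's own assumptions. It goes beyond the page in one respect: it also puts the broker address into a subjectAltName, which hostname and IP verifiers check in addition to the CN.

```shell
#!/bin/sh
# Added example, not the project's own script: build the CA / broker / node chain,
# verify it locally before flashing anything, and write a mosquitto.conf that
# actually demands the node's client certificate.
set -eu

BROKER_ADDR="${BROKER_ADDR:-192.168.50.16}"   # address the ESP32 dials (the page's broker IP)
OUT="${OUT:-./certs}"                          # directory for the PEM files (assumed name)
CA_PASS="${CA_PASS:-change-me}"                # placeholder CA key passphrase, not a real secret
DAYS=365

# subjectAltName of the right type: IP for a dotted quad, DNS for a host name
san_for() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;
    *)         printf 'IP:%s' "$1" ;;
  esac
}

gen_chain() {
  mkdir -p "$OUT"
  # 1. Private CA: trust anchor given to the node as NODE_CERT_CA and to the broker as cafile
  openssl req -new -x509 -days "$DAYS" -extensions v3_ca \
    -keyout "$OUT/esp32_ca.key" -out "$OUT/esp32_ca.crt" \
    -passout "pass:$CA_PASS" -subj '/CN=ESP32 Temperature CA' 2>/dev/null
  # 2. Broker key + certificate (keyfile/certfile): CN is the dialled address, as on the page,
  #    plus a SAN with the same value, which verifiers consult before (or instead of) the CN
  openssl genrsa -out "$OUT/esp32.key" 2048 2>/dev/null
  openssl req -new -key "$OUT/esp32.key" -out "$OUT/esp32.csr" -subj "/CN=$BROKER_ADDR"
  printf 'subjectAltName=%s\n' "$(san_for "$BROKER_ADDR")" > "$OUT/broker.ext"
  openssl x509 -req -in "$OUT/esp32.csr" -CA "$OUT/esp32_ca.crt" -CAkey "$OUT/esp32_ca.key" \
    -CAcreateserial -passin "pass:$CA_PASS" -extfile "$OUT/broker.ext" \
    -out "$OUT/esp32.crt" -days "$DAYS" 2>/dev/null
  # 3. Node key + certificate (NODE_CERT_PRIVATE/NODE_CERT_CRT), signed by the same CA.
  #    Its CN becomes the MQTT username once use_identity_as_username is enabled.
  openssl genrsa -out "$OUT/esp_node.key" 2048 2>/dev/null
  openssl req -new -key "$OUT/esp_node.key" -out "$OUT/esp_node.csr" -subj '/CN=esp32-temp-node'
  openssl x509 -req -in "$OUT/esp_node.csr" -CA "$OUT/esp32_ca.crt" -CAkey "$OUT/esp32_ca.key" \
    -CAcreateserial -passin "pass:$CA_PASS" -out "$OUT/esp_node.crt" -days "$DAYS" 2>/dev/null
}

# A certificate is useless with the wrong key: compare the public key in <name>.crt
# with the one derived from <name>.key (both printed as PEM SubjectPublicKeyInfo)
key_matches() {
  [ "$(openssl x509 -in "$OUT/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$OUT/$1.key" -pubout)" ]
}

# The checks the handshake performs, run locally first; returns non-zero on the first failure
verify_chain() {
  case "$(san_for "$BROKER_ADDR")" in
    IP:*) host_opt="-verify_ip" ;;
    *)    host_opt="-verify_hostname" ;;
  esac
  # broker cert chains to the CA AND is valid for the address the node dials
  openssl verify -CAfile "$OUT/esp32_ca.crt" "$host_opt" "$BROKER_ADDR" "$OUT/esp32.crt" >/dev/null &&
  # node cert chains to the same CA, so the broker (cafile) will accept it
  openssl verify -CAfile "$OUT/esp32_ca.crt" "$OUT/esp_node.crt" >/dev/null &&
  key_matches esp32 && key_matches esp_node
}

# Identity the broker will see for the node, i.e. what an ACL entry would key on
client_identity() {
  openssl x509 -in "$OUT/esp_node.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Hardened counterpart of the page's mosquitto.conf: no plain listener, client certificate
# mandatory, certificate CN used as username, anonymous access refused
write_broker_conf() {
  cat > "$OUT/mosquitto.conf" <<'EOF'
listener 8883
cafile /mosquitto/config/certs/esp32_ca.crt
certfile /mosquitto/config/certs/esp32.crt
keyfile /mosquitto/config/certs/esp32.key
require_certificate true
use_identity_as_username true
allow_anonymous false
persistence true
persistence_location /mosquitto/data/
EOF
}

# Usage: BROKER_ADDR=192.168.50.16 sh make_esp32_certs.sh run
if [ "${1:-}" = "run" ]; then
  gen_chain && verify_chain && write_broker_conf
  echo "chain OK; node identity: $(client_identity); config written to $OUT/mosquitto.conf"
fi
```

Run it with `run` as the only argument; it refuses to print "chain OK" if the broker certificate does not match BROKER_ADDR or a certificate and key do not belong together, which are the two mismatches that otherwise surface only as a failed handshake on the ESP32. The node CN is a deliberately distinct name rather than localhost, because with use_identity_as_username it is the identity the broker authorises.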