Cannot get Mosquitto <-> AWS IoT bridge to stay connected - amazon-web-services

I am running Mosquitto Broker on AWS Ubuntu 20.04.2 LTS server. I have 2 MQTT bridges, from my laptop to the broker on the server and from the server to AWS IoT.
My broker configuration on the server is as follows:
listener 1883
protocol mqtt
listener 9001
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/conf.d/passwd.txt
connection awsiot
address xxxxxxxxxx-ats.iot.eu-north-1.amazonaws.com:8883
topic iotethernet/switch/count out 1
topic iotethernet/ledblock/states in 1
bridge_protocol_version mqttv311
bridge_insecure false
bridge_outgoing_retain false
cleansession true
clientid bridgeawsiot
start_type automatic
notifications true
log_type all
bridge_cafile /etc/mosquitto/certs/rootCA.pem
bridge_certfile /etc/mosquitto/certs/cert.crt
bridge_keyfile /etc/mosquitto/certs/private.key
The problem is that when the server is running, the bridge client constantly connects and immediately disconnects without an error message.
I have confirmed that the bridge doesn't work by testing with the AWS IoT test feature.
The bridge from laptop to server works fine.

I got it working by setting notifications to false.
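The answer above turns off bridge notifications. As an added example (not from the poster or the Mosquitto project), here is a hypothetical Python lint that parses a mosquitto.conf bridge block like the one in the question and flags that setting, together with missing TLS material and an endpoint that is not on port 8883; the sample config is a constructed copy of the question's block with the endpoint masked.

```python
# Hypothetical lint for a Mosquitto bridge block aimed at AWS IoT Core (added example).

# Constructed copy of the bridge block from the question, endpoint masked.
SAMPLE_CONF = """\
connection awsiot
address xxxxxxxxxx-ats.iot.eu-north-1.amazonaws.com:8883
topic iotethernet/switch/count out 1
topic iotethernet/ledblock/states in 1
bridge_insecure false
clientid bridgeawsiot
notifications true
bridge_cafile /etc/mosquitto/certs/rootCA.pem
bridge_certfile /etc/mosquitto/certs/cert.crt
bridge_keyfile /etc/mosquitto/certs/private.key
"""

def parse_bridges(conf_text):
    """Map each `connection <name>` block to its settings; topics are a list."""
    bridges, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "connection":
            current = bridges.setdefault(value, {"topic": []})
        elif current is not None and key == "topic":
            current["topic"].append(value)
        elif current is not None:
            current[key] = value
    return bridges

def lint_bridge(cfg):
    """Return the settings that make AWS IoT drop the bridge session."""
    findings = []
    # Mosquitto defaults notifications to true and publishes bridge state under
    # $SYS/broker/connection/<clientid>/state; AWS IoT rejects $SYS publishes and
    # closes the connection, which is what the answer (notifications false) avoids.
    if cfg.get("notifications", "true") == "true" and "notification_topic" not in cfg:
        findings.append("notifications: set false, or set notification_topic to an allowed topic")
    for key in ("bridge_cafile", "bridge_certfile", "bridge_keyfile"):
        if key not in cfg:
            findings.append(f"{key}: required for mutual TLS on port 8883")
    if not cfg.get("address", "").endswith(":8883"):
        findings.append("address: AWS IoT MQTT over mutual TLS uses port 8883")
    return findings
```

Run `lint_bridge(parse_bridges(open("/etc/mosquitto/mosquitto.conf").read())["awsiot"])` against a real config; an empty list means nothing was flagged.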

Related

MSK How to mandate both SASL & SSL protocols while validating the client to connect msk broker nodes?

In MSK, to communicate with brokers using TLS (SSL) we have used port 9094 and are able to communicate with the MSK cluster with the required keystore and truststore configurations.
And to communicate with brokers using SASL_SCRAM we have used port 9096 and are able to communicate with the MSK cluster with username and password configurations.
And now we want to configure SASL_SSL to authenticate the client while connecting to broker nodes, as a mandatory configuration on the client side.
NOTE: We are able to configure the SASL_SSL security protocol on port 9096, but in the client configuration the TLS settings are treated as optional, because if we remove the TLS properties it is still able to connect to the broker nodes.
I'm testing this connection with the Kafka console producer like below:
./bin/kafka-console-producer.sh --broker-list b-1.xxx:9096,b-2xx:9096 --producer.config ./bin/client_sasl_ssl.properties --topic TestTopicSASLSSL
File: client_sasl_ssl.properties
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
#ssl.truststore.location=/path/to/kafka.client.truststore.jks
#ssl.keystore.location=/path/to/kafka.client.keystore.jks
#ssl.keystore.password=psswd
#ssl.key.password=psswd
Please note that I'm able to produce data with or without the above commented SSL properties, which seem to be optional.
Is there any option to mandate both the SASL and TLS auth protocols to restrict client connections?

Connecting with AWS IoT Core Using WebSocket Protocol

I'm trying to connect to AWS IoT Core using MQTT, WebSocket and HTTPS communication protocols.
Here I'm using Node-RED as an IoT device simulator. While doing this I'm able to successfully connect using both the MQTT and HTTPS protocols, but the WebSocket connection is not working.
MQTT EndPoint: xxxx..amazonaws.com:8883
HTTPS EndPoint: https://xxxx..amazonaws.com:8443/topics/iot%2Ftelemetry?qos=1
WebSocket EndPoint: wss://xxxx..amazonaws.com:443/mqtt
Error in the Node-RED console when I try to publish a message to AWS IoT Core using the WebSocket protocol:
"An error occurred while sending: Error: WebSocket is not open: readyState 3 (CLOSED)"
The above error clearly states that Node-Red is not able to establish the WebSocket connection due to incorrect configuration.
Can anyone who has connected to AWS IoT Core using WebSocket protocol share some pointers here?

SSL for Apache ActiveMQ on AWS EC2 instance

I have a Java application configured with some self-signed certificates that communicates with ActiveMQ version 5.13.0 over SSL/TLS version 1.2. The relevant self-signed certificates reside in their respective keystores and truststores. This connection over TLS works just fine on my local Windows machine: clients without the proper certificates are unable to communicate with the broker and clients with the proper certificates can.
However, this does not work when the same code and keystores are used on an AWS EC2 instance. I have the same version of ActiveMQ installed there and am using the very same keystores and truststores on the broker and client side. Clients without any certificates configured are able to connect to the broker and communicate.
I would like to understand if SSL/TLS for ActiveMQ must be configured differently on a Linux machine or if there is something else that I am missing.
Snippets from the activemq.xml file that enable ActiveMQ to use SSL/TLS:
<managementContext>
    <managementContext createConnector="false"/>
</managementContext>
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                keyStorePassword="changeit" trustStore="file:${activemq.base}/conf/broker.ts"
                trustStorePassword="changeit"/>
</sslContext>
<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=300000&amp;wireFormat.maxFrameSize=104857600&amp;jms.messagePrioritySupported=false"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
Answering my own query.
I handle the Java client and that client connects to port 61714 that is designated for SSL.
The folks dealing with the IoT device side told me that these devices default to port 1883 for MQTT connections and port 8883 for secure MQTT connections.
This can be configured by adding the line below to the transport connectors:
<transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
The device has some constraints due to which it cannot connect to an SSL port and publish MQTT messages. The Java client on the other hand has no issues connecting to the SSL port and publishing and consuming MQTT messages, so adding the above line resolved this.
If needed, one could comment out the transport connector for port 1883 so that no clients without the needed certificates are able to connect to the MQTT broker.

"Connection was lost error" to publish command to mosquitto broker running on ec2 instance of aws

I created an EC2 instance in AWS and its status is showing fine; on it I installed the Mosquitto broker and also configured the security group with port 1883.
I was able to publish commands to the broker, but suddenly, when I try to publish commands to the broker using the Elastic IP address, I have been getting a "connection was lost" error for the past 3 days.
Any suggestions?

AWS IoT Mosquitto Certificate Error

I'm running into a really frustrating error with trying to bridge mosquitto to the AWS IoT MQTT system. I set it up following this guide:
https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/
Which at first seemed to work. I was able to see messages in the AWS IoT console when I subscribed to it. Then I restarted Mosquitto and I'm just getting this error over and over again:
1529722121: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1529722121: Socket error on client local.bridgeawsiot, disconnecting.
1529722151: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic localgateway_to_awsiot
1529722151: Bridge local.bridgeawsiot doing local SUBSCRIBE on topic both_directions
1529722151: Connecting bridge awsiot (a10cxxxxxxxxxx.iot.us-west-2.amazonaws.com:8883)
1529722182: Connecting bridge awsiot (a10cxxxxxxxxxx.iot.us-west-2.amazonaws.com:8883)
I've verified multiple times that the certificates I'm using are the correct ones. I've also checked that the Thing has a policy attached to it and that the certificates are activated. I made sure that the rootCA.pem file is the one issued from Verisign. I'm at a loss as to why the broker is not working. The host OS is Ubuntu 18.04 running the bundled version of Mosquitto. Any help would be appreciated.
I figured out what the issue was. I was using the CLI to retrieve my IoT endpoint and my default region was set to us-west-2. The certificates that I created are in us-east-1.