Installing Mosquitto on a Raspberry Pi

I was talking to a friend, extolling the features and future of @OwnTracks, a project I talked about not so long ago. Said friend asked about where to place the MQTT broker, and I said "for example, on your home-server". He doesn't have one. Come to think of it, not many of my friends do, so here comes a small post on setting up an MQTT broker, specifically Mosquitto, on a Raspberry Pi, which most people can easily set up.

The hardest bit is installing an OS, say, Raspbian Wheezy, onto an SD card, but there are many tutorials on how to do that. (Here's an example using Mac OS X.) A basic install will suffice, and after logging in with Raspbian's default username and password, we'll get started from there.

Roger Light, Mosquitto's creator has thankfully (!) set up a Mosquitto Debian repository we can use to obtain the latest and greatest version, so we'll do just that. We first perform the required steps to add and activate the repository. The last step in particular can take a few moments.

curl -O http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key
sudo apt-key add mosquitto-repo.gpg.key
rm mosquitto-repo.gpg.key
cd /etc/apt/sources.list.d/
sudo curl -O http://repo.mosquitto.org/debian/mosquitto-repo.list
sudo apt-get update

Now we can go ahead and install Mosquitto proper. There are three packages:

• mosquitto is the MQTT broker (i.e. server)
• mosquitto-clients are the command-line clients, which I recommend you install
• python-mosquitto are the Python bindings, which I also think you should install

all three packages together require about 665Kb of space, which we can easily afford even on the tiny Pi.

sudo apt-get install mosquitto mosquitto-clients python-mosquitto

Regrettably, as with most Debian packages, the broker is immediately started; stop it.

sudo /etc/init.d/mosquitto stop

That concludes the installation of the Mosquitto MQTT broker, and we'll now proceed to its configuration. This section is geared towards a configuration of Mosquitto which will work well with@OwnTracks. In particular we want the following features enabled by default:

• Connections to the broker must be TLS protected. This requires a TLS certificate and key which will be configured automatically.
• ACLs will restrict who may access what.

Over at the OwnTracks repository, I'm working on some utilities which are going to automate this. It's a work-in-progress (of course), but this is what sudo ./mosquitto-setup.sh looks like at the moment:

Saving previous configuration as mosquitto.conf-20130901-133525
Generating a 2048 bit RSA private key
.................................................................................................+++
...............................+++
writing new private key to '/etc/mosquitto/ca.key'
-----
Created CA certificate in /etc/mosquitto/ca.crt
subject=
    commonName                = An MQTT broker
    organizationName          = MQTTitude.org
    emailAddress              = nobody@example.net
--- Creating server key and signing request
Generating RSA private key, 2048 bit long modulus
............+++
..............+++
e is 65537 (0x10001)
--- Creating and signing server certificate
Signature ok
subject=/CN=raspberrypi/O=MQTTitude.org/emailAddress=nobody@example.net
Getting CA Private Key

A CA is created together with a server key-pair with a whole bunch of subjAltName settings:

X509v3 Subject Alternative Name:
        IP Address:192.168.1.189, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:broker.example.com, DNS:foo.example.de, DNS:localhost

Will it work? Let's start the broker manually to see what it says:

sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
1378042632: mosquitto version 1.2 (build date 2013-08-09 21:49:03+0100) starting
1378042632: Config loaded from /etc/mosquitto/mosquitto.conf.
1378042632: Opening ipv4 listen socket on port 1883.
1378042632: Opening ipv4 listen socket on port 8883.
1378042632: Opening ipv6 listen socket on port 8883.
1378042632: Warning: Address family not supported by protocol
...^C
1378042634: mosquitto version 1.2 terminating
1378042634: Saving in-memory database to /tmp/mosquitto.db.

The Mosquitto clients need to have access to a copy of the CA certificate (ca.crt) and you can transport that insecurely to your clients (it's a public certificate).

mosquitto_pub  --cafile ca.crt -h 127.0.0.1 -p 8883  ...

Newer Mosquitto 1.2 clients use TLSv1.2 per default, and to force them to use TLSv1 (which we need on the OwnTracks broker because of the apps -- it's a long story) you add the appropriate option:

mosquitto_pub  --cafile ca.crt -h 127.0.0.1 -p 8883 --tls-version tlsv1 ...

That's it for the moment.

As for ACLs, we'll be using auth-plug because it's so versatile. I'll update this post as soon as we're ready to automate setting that up as well.