Question

WebUI allows setting up MQTT bridge with remote TLS without CA certificate, client certificate or client key. However this generates an invalid mosquitto.conf. mosquitto is cable of using OS CA certificate and connect to TLS enabled broker. I have created several patches that will modify the firmware to make sure mosquitto.conf generated is valid and works as expected. 

Affected devices devices/firmware:

• RUT240 (Firmware version ?)
• TRB145 (Firmware version TRB1_R_00.02.05.2)

I suggest that if no CA certificate is not provided use bridge_cafile /etc/cacert.pem. If no client certificate is provided, exclude bridge_certfile. If no client key is not provided, exclude bridge_keyfile.

Here are the patches:

• RUT240

  • MQTT broker bridge, make client certificate and key optional

  • MQTT broker, make CA certificate optional

• TRB145
  • MQTT broker bridge, make client certificate and key optional
  • MQTT bridge CA file optional
  • MQTT broker CA file optional

I would appreciate feedback about the patches. If they are good, I hope they will be applied before the next firmware release.

Comments

This feature is needed by anyone using standard public CA infrastructure (like getting certificates from Lets Encrypt) for their SSL in front of their MQTT broker - which is often recommended practice now.

The patch above would largely work, but is now blocked in 07.xx firmware in the UI itself - it won't let you enable the MQTT bridge with TLS unless there is a CA certificate provided.

My current workaround is to to create a new CA certificate in "System>Administration>Certificates", making sure to name it "ca" and enable the option to sign it. This creates a new certificate in "/etc/certificates/ca.cert.pem" that is selectable as an option in the MQTT broker bridge settings.

Because I actually need this certificate to be the default system CA bundle, I then symlink the bundle to the new custom CA cert location with "ln -fs /etc/cacert.pem /etc/certificates/ca.cert.pem", either via SSH or by adding it into the startup script in "System>Custom Scripts".

With this now selected in the MQTT broker bridge settings, it allows me to enable it, and the CA bundle is successfully used to connect to my public MQTT broker.

---

I imagine the simplest way to implement this properly as a feature in future firmware would be to allow the use of the default system ca bundle at "/etc/cacert.pem" as a supplied CA certificate in the certificate manager page (rather than having to do the little dance with the symlink above). The MQTT bridge system already allows the user to select one of the certificates provided on the device here, so it would show up as an option.

Answer 1

Hi,

These are great and reasonable changes you've made! I will take them to RnD and ask what do they think and if this is good to implement in our next firmware versions.

Thank you very much for your feedback and we will make sure to provide you with one too.

EB.