WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

MQTT bridge with remote TLS without CA certificate, client certificate or client key

+3 votes
770 views 1 comments
by anonymous

WebUI allows setting up MQTT bridge with remote TLS without CA certificate, client certificate or client key. However this generates an invalid mosquitto.conf. mosquitto is cable of using OS CA certificate and connect to TLS enabled broker. I have created several patches that will modify the firmware to make sure mosquitto.conf generated is valid and works as expected. 

Affected devices devices/firmware:

  • RUT240 (Firmware version ?)
  • TRB145 (Firmware version TRB1_R_00.02.05.2)

I suggest that if no CA certificate is not provided use bridge_cafile /etc/cacert.pem. If no client certificate is provided, exclude bridge_certfile. If no client key is not provided, exclude bridge_keyfile.

Here are the patches:

I would appreciate feedback about the patches. If they are good, I hope they will be applied before the next firmware release.

by anonymous

This feature is needed by anyone using standard public CA infrastructure (like getting certificates from Lets Encrypt) for their SSL in front of their MQTT broker - which is often recommended practice now.

The patch above would largely work, but is now blocked in 07.xx firmware in the UI itself - it won't let you enable the MQTT bridge with TLS unless there is a CA certificate provided.

My current workaround is to to create a new CA certificate in "System>Administration>Certificates", making sure to name it "ca" and enable the option to sign it. This creates a new certificate in "/etc/certificates/ca.cert.pem" that is selectable as an option in the MQTT broker bridge settings.

Because I actually need this certificate to be the default system CA bundle, I then symlink the bundle to the new custom CA cert location with "ln -fs /etc/cacert.pem /etc/certificates/ca.cert.pem", either via SSH or by adding it into the startup script in "System>Custom Scripts".

With this now selected in the MQTT broker bridge settings, it allows me to enable it, and the CA bundle is successfully used to connect to my public MQTT broker.

I imagine the simplest way to implement this properly as a feature in future firmware would be to allow the use of the default system ca bundle at "/etc/cacert.pem" as a supplied CA certificate in the certificate manager page (rather than having to do the little dance with the symlink above). The MQTT bridge system already allows the user to select one of the certificates provided on the device here, so it would show up as an option.

1 Answer

0 votes
by anonymous
Hi,

These are great and reasonable changes you've made! I will take them to RnD and ask what do they think and if this is good to implement in our next firmware versions.

Thank you very much for your feedback and we will make sure to provide you with one too.

EB.