MQTT Broker: SSL/TLS


#1

There are no real guides on loraserver.io on how to secure the MQTT broker by establishing SSL/TLS. At least not for the less experienced developers. I hope that we can get some answers on this thread, and maybe it will also help others in the future, who will end up with the same questions as I have now.

For the kerlink ifemtocell gateway this is the only description, which I could find on loraserver.io:

For me this is no help at all. Of course it helps me to figure out where the configuration file is, but what difference does that make, if I have no idea what to configure in the configuration file.

I have been reading up on what to do, and found this guide: http://www.steves-internet-guide.com/mosquitto-tls/, which guides you through creating the certificates and keys:

  • ca.crt
  • ca.key
  • server.crt
  • server.key

And we have these 4 fields which are all connected to an MQTT broker on the server:

  • Loraserver
  • Lora-App-Server
  • Lora-Gateway-Bridge
  • Gateway

DIAGRAM TO ILLUSTRATE THE COMMUNICATION

This means that in plain text the toml files will look like this:

  • Gateway:

    • server="ssl://hostname:8883"
    • ca_cert="/user/keys/ca.crt"
  • Loraserver:

    • server="ssl://localhost:8883"
    • ca_cert="/etc/mosquitto/certs/server.crt"
  • Lora-app-server:

    • server="ssl://localhost:8883"
    • ca_cert="/etc/mosquitto/certs/server.crt"
  • Lora-gateway-bridge:

    • server="ssl://127.0.0.1:8883"
    • ca_cert="/etc/mosquitto/certs/server.crt"

Question: Is the above the correct way to encrypt the communication with the MQTT broker?
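Added example (not from this thread, the linked guide, or the loraserver project): a standard-library Go program that builds an in-memory CA and broker certificate, standing in for the ca.crt and server.crt from the guide, and then performs the check an MQTT client makes with its ca_cert setting. Go is used because the server-side components are written in Go. The names mqtt.example.net, example-lora-ca and unrelated-ca are constructed. The point it shows for the URLs above: a client only accepts the broker certificate for the names that certificate lists, and only when it chains to the CA the client is configured to trust. So when LoRa Server and LoRa App Server dial ssl://localhost:8883 and the gateway bridge dials ssl://127.0.0.1:8883, the broker certificate needs localhost as a DNS SAN and 127.0.0.1 as an IP SAN in addition to the public hostname the gateway dials; and a client pointed at a different CA rejects the broker even though its certificate is otherwise valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed CA in memory; it stands in for ca.crt/ca.key (constructed, short-lived).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueBrokerCert has the CA sign a server certificate for the broker (stands in for server.crt).
// Every name a client dials must appear as a SAN, or hostname verification fails even with a good chain.
func issueBrokerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mqtt-broker"},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyBroker is the check a client makes with its ca_cert setting: trust only the configured CA
// and require the presented certificate to be valid for the host named in the server URL.
func verifyBroker(brokerCert, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := brokerCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := newCA("example-lora-ca")
	if err != nil {
		panic(err)
	}
	otherCA, _, _ := newCA("unrelated-ca")
	// Constructed scenario: one cert names only the public host, the other also covers the local names.
	narrow, _ := issueBrokerCert(ca, caKey, []string{"mqtt.example.net"}, nil)
	wide, _ := issueBrokerCert(ca, caKey, []string{"mqtt.example.net", "localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	checks := []struct {
		label      string
		cert, root *x509.Certificate
		host       string
	}{
		{"gateway dials ssl://mqtt.example.net:8883", narrow, ca, "mqtt.example.net"},
		{"loraserver dials ssl://localhost:8883, cert without localhost SAN", narrow, ca, "localhost"},
		{"loraserver dials ssl://localhost:8883, cert with localhost SAN", wide, ca, "localhost"},
		{"gateway-bridge dials ssl://127.0.0.1:8883, cert with IP SAN", wide, ca, "127.0.0.1"},
		{"client configured with an unrelated CA", wide, otherCA, "mqtt.example.net"},
	}
	for _, c := range checks {
		if err := verifyBroker(c.cert, c.root, c.host); err != nil {
			fmt.Printf("REJECT %s: %v\n", c.label, err)
		} else {
			fmt.Printf("ACCEPT %s\n", c.label)
		}
	}
}
```

Running it prints ACCEPT for the first, third and fourth checks and REJECT for the second (hostname mismatch) and fifth (unknown authority). The practical reading for the config fragments above is that the single server.crt on the broker must list every name the four clients use, and that each client's ca_cert must lead to the CA that issued it.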


#2

You could also consider terminating TLS in front of MQTT. We prefer doing it via an Amazon ELB or Nginx (Kubernetes).


#3

Thanks for the response @bconway. Won't it be sufficient just to do as I am asking?