Access with MQTT client from remote site (tcp:1883)

Setup and configuration
1

On v3 i could connect with my mqtt-client “MQTT-Explorer” from remote. Now on v4 that won’t work.
Does it need TLS or other encryption? Even if i don’t wont it for now??

2

I don’t know of any required changes to MQTT servers with regards to ChirpStack v3 vs. v4. None of the configurations/deployments that I use required any updating.

Mosquitto, specifically, did have a notable change not too long ago with their jump to v2 and disallowing anonymous connections, but I believe that was before ChirpStack v4 was released.

3

Hmm,

after activating TLS as described here:
https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html
mosquitto does not start because of error. Only when i remove the listeners.conf from /etc/mosquitto/conf.d/ it will start.

Unfortunately, mosqitto doesn’t want to reveal exactly what his problem is…

EDIT:

After some changes on the file, it works without TLS… :wink: Ok for the tests…

per_listener_settings true

listener 1883 127.0.0.1
allow_anonymous true

listener 8883 0.0.0.0
#cafile /etc/mosquitto/certs/ca.pem
#certfile /etc/mosquitto/certs/mqtt-server.pem
#keyfile /etc/mosquitto/certs/mqtt-server-key.pem
allow_anonymous true
#was false
require_certificate false
#was true
#use_identity_as_username true
#acl_file /etc/mosquitto/acl

4

Nevertheless, there is still the error that you cannot create a cert in the integration

Bildschirmfoto_2022-12-16_08-53-55
Bildschirmfoto_2022-12-16_08-53-551623×601 51.5 KB

The files are owned by root…? Could that be the problem??

Yes, after changed the cert files to 666 (yes, not secure…) the webgui shows the keys…

5

Please note that this is completely independent from the MQTT broker configuration. Please see this config section:

    # Configuration for MQTT clients.
    [integration.mqtt.client]

      # CA certificate and key file (optional).
      #
      # If setting the CA certificate and key file options, ChirpStack 
      # will generate client certificates which can be used by the MQTT clients for
      # authentication and authorization. The Common Name of the certificate will
      # be set to the ID of the application.
      ca_key=""
      ca_cert=""

      # Certificate lifetime.
      #
      # This defines how long (after generating) the certificate remains valid.
      client_cert_lifetime="12months"
6

Yes, thanks.

Honestly i have to say, that I have not yet fully understood the function of MQTT in CS. At first I thought it was only used internally. Also because you cannot set individual integrations for the applications, as is the case with Influx. Seems i have to learn more about that.