Installing Mosquitto on CentOS 7

The purpose of this article is to get you started with a basic MQTT environment so that you can quickly experiment with and fine-tune your own setup.

Without many further words, log in as root and get going!

yum -y install epel-release # install EPEL repository
yum -y install mosquitto # Install Mosquitto
sed -i 's;^#pid_file;pid_file /var/run/mosquitto.pid;' /etc/mosquitto/mosquitto.conf # set a PID file so systemd can track the broker process
sed -i 's;^#include_dir;include_dir /etc/mosquitto/conf.d;' /etc/mosquitto/mosquitto.conf # read additional settings from drop-in files in conf.d

# Password file authentication
mosquitto_passwd -c /etc/mosquitto/passwd user1 # create new password file with password for user1
mosquitto_passwd /etc/mosquitto/passwd user2 # add a password for user2 to the existing password file
systemctl start mosquitto # Start the Mosquitto service
systemctl enable mosquitto # Enable the service to start on reboot

firewall-cmd --permanent --add-port=1883/tcp
firewall-cmd --reload

# This next section configures TLS using a Let's Encrypt certificate; adapt these steps if you use a different certificate source. Note that the steps below remove access to the default unencrypted port 1883 (port 80 stays open so certbot can answer the renewal challenge). Follow the section after this one to re-enable port 1883.
export SERVER_NAME=mqtt.example.com

yum -y install certbot # Install the Let's Encrypt client
firewall-cmd --permanent --add-service=http # open port 80 so the Let's Encrypt client can answer the HTTP challenge
firewall-cmd --permanent --add-port=8883/tcp # open port 8883 for the MQTT TLS listener
firewall-cmd --permanent --remove-port=1883/tcp # remove port 1883 from the firewall as we don't need it anymore
firewall-cmd --reload # apply the firewall changes above
certbot certonly --standalone --preferred-challenges http -d "${SERVER_NAME}" # Create the certificate
printf '#!/bin/sh\ncertbot renew --noninteractive --post-hook "systemctl restart mosquitto"\n' > /etc/cron.weekly/certbot-update.sh # Check weekly; certbot renews only when the certificate is close to expiry, then the broker is restarted to pick up the new files
chmod a+x /etc/cron.weekly/certbot-update.sh
# Next few lines add the certificates to the mosquitto configuration (by defining listener, it removes the default port 1883)
cat > /etc/mosquitto/conf.d/ssl.conf << EOF
listener 8883
certfile /etc/letsencrypt/live/${SERVER_NAME}/cert.pem
cafile /etc/letsencrypt/live/${SERVER_NAME}/chain.pem
keyfile /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem
EOF
systemctl restart mosquitto

# If you also want your unencrypted access to port 1883 back, follow these lines
echo "port 1883" > /etc/mosquitto/conf.d/defaultport.conf
firewall-cmd --permanent --add-port=1883/tcp
firewall-cmd --reload
systemctl restart mosquitto
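Re-adding port 1883 brings back a listener with no encryption, so usernames and passwords from the password file travel in clear text on that port. As an added example (not from the original article), the script below parses the effective Mosquitto configuration the way the article lays it out (main file plus conf.d drop-ins in alphabetical order) and lists every listener together with whether it has a certificate and key, so you can see at a glance which ports are plaintext after the steps above. File paths are the article's; the parser is a simplification of Mosquitto's own rules (certfile/keyfile before the first listener line belong to the default listener, and a listener line removes the default listener unless port is set).

```shell
#!/bin/bash
# Added example, not from the original article: list broker listeners and
# flag the ones without TLS. Reads the config files in the order given.
set -eu

audit_listeners() {
    # Strip comments, then walk the directives (simplified Mosquitto rules:
    # certfile/keyfile before the first "listener" belong to the default
    # listener; a "listener" line removes the default unless "port" is set).
    sed 's/#.*//' "$@" 2>/dev/null | awk -v default_port=1883 '
        $1 == "port"     { have_port = 1; default_port = $2; next }
        $1 == "listener" { n++; lport[n] = $2; in_listener = 1; next }
        $1 == "certfile" { if (in_listener) lcert[n] = 1; else dcert = 1; next }
        $1 == "keyfile"  { if (in_listener) lkey[n] = 1;  else dkey = 1;  next }
        END {
            if (have_port || n == 0) print default_port, (dcert && dkey ? "tls" : "PLAINTEXT")
            for (i = 1; i <= n; i++) print lport[i], (lcert[i] && lkey[i] ? "tls" : "PLAINTEXT")
        }'
}

# Usage on the broker host (drop-ins sorted as include_dir reads them):
#   audit_listeners /etc/mosquitto/mosquitto.conf /etc/mosquitto/conf.d/*.conf
# With ssl.conf and defaultport.conf from the article this prints:
#   1883 PLAINTEXT
#   8883 tls
# To confirm the TLS listener from outside, inspect the served certificate:
#   openssl s_client -connect mqtt.example.com:8883 -servername mqtt.example.com </dev/null | openssl x509 -noout -subject -dates
if [ "$#" -gt 0 ]; then
    audit_listeners "$@"
fi
```

If the only line you want to see is "8883 tls", leave defaultport.conf out; if you keep 1883 for local clients, bind it to a non-routable address rather than exposing it through the firewall.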

# Client (random choice to get you started)
wget https://github.com/thomasnordquist/MQTT-Explorer/releases/download/v0.3.5/MQTT-Explorer-0.3.5.AppImage
chmod a+x MQTT-Explorer-0.3.5.AppImage
./MQTT-Explorer-0.3.5.AppImage

# Next activities:

User integration with AD/LDAP.

WebSocket configuration.

If you are interested in a different take on this topic, check out https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-centos-7 . It contains a lot more explanation and a slightly different approach to configuration. Thank you, Brian Boucheron, for your work on this.