New entry: Connect to an MQTT broker with TLS encryption #67
base: master
Conversation
The image images/mqtt/tls-connect-1.png shows using an mqtts://-URL without selecting Enable secure (SSL/TLS) connection, which in the current version of Node-RED effectively disables validation of the server certificate (see node-red#2379).
Maybe this article could be improved by separating three things:
-
How to set up Node-RED to connect to an MQTT broker using SSL/TLS: Using a server URL starting with mqtts:// (or tls://, see https://www.npmjs.com/package/mqtt#mqttconnecturl-options), enabling server certificate verification, optionally supplying CA certificate(s).
-
How to set up Mosquitto to allow for SSL/TLS connections, maybe showcasing it for a specific environment.
-
Additional information about using Let's Encrypt certificates.
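The broker side of the second item, as an added example written for this review and not taken from the PR or the cookbook: a Mosquitto listener that serves MQTT over TLS on 8883, presents a certificate chain clients can validate, and keeps client-certificate authentication (the `require_certificate` setting the PR mentions) off. The file paths and the password file are assumptions; the hostname `broker.domain.tld` is the one used in the PR text.

```conf
# Added example (not from the PR): Mosquitto listener for MQTT over TLS.
# Paths below are assumptions; substitute the files issued for your broker.

# Keep the plain-text listener reachable from the local host only.
listener 1883 127.0.0.1

# TLS listener on the conventional MQTT-over-TLS port.
listener 8883
# CA material the broker presents so clients can build a trust path
# (the chain file for Let's Encrypt, or the CA certificate of a private CA).
cafile /etc/mosquitto/certs/ca.crt
# Server certificate and private key; the certificate must be issued for the
# hostname clients put in the Node-RED Server field, not for an IP address.
certfile /etc/mosquitto/certs/broker.domain.tld.crt
keyfile /etc/mosquitto/certs/broker.domain.tld.key
# Client-certificate authentication is a separate decision from encryption;
# leave it off unless clients are actually issued certificates.
require_certificate false
# Encrypted transport does not replace authentication.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

On the Node-RED side this pairs with the plain hostname in the Server field, port 8883, and "Enable secure connection" ticked with server-certificate verification left on; a self-signed or private CA certificate then goes into the TLS configuration's CA field so that verification can succeed.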
Thanks for all the comments. PR now updated.
Looks good to me Julian!
Thanks for documenting.
mqtts://broker.domain.tld:9999 | ||
``` | ||
|
||
* You **do not** need to set the "Enable secure connection" flag unless you want to authenticate the Node-RED client to the broker (if you set the require_certificate to true for example). |
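Review bot: the bullet at the end of this region steers readers away from the "Enable secure connection" flag, yet that flag is where the TLS configuration lives, and without it (with a plain `mqtts://` URL, as in the example above) the server certificate is not validated according to node-red#2379 cited earlier in this thread. Suggest inverting the advice: enable the flag, keep "Verify server certificate" checked, and supply the CA certificate when the broker uses a self-signed one. `require_certificate` on the broker concerns client authentication and should be described as such, not as the only reason to tick the flag.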
I think this line is still misleading, or at least prominently advertising a configuration where the server certificate is not validated. In the context of this article about encrypted connections, the note that the "Enable secure connection" flag is only relevant for authenticating clients looks even wrong to me, in two regards:
(1) The flag and the TLS configuration it reveals are relevant for both the TLS connection and the certificate-based user authentication. The article explicitly mentions self-signed certificates, and to validate these, they must be configured here.
(2) The flag is not necessary for user authentication that is not certificate based.
|
||
Notes | ||
|
||
* You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). |
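Review bot: "IP name" is not a standard term and will confuse readers; the note should say "domain name". The underlying requirement is that the host entered in the Server field must match a name the certificate was issued for (Let's Encrypt issues certificates for domain names, not IP addresses), so connecting by IP address fails hostname verification even though the certificate itself is valid. Suggested wording: "Use the domain name the certificate was issued for, not the IP address; otherwise the certificate will not validate."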
IP name -> domain name?
More specific: If using a Let's Encrypt certificate, one needs to use the domain name the certificate was issued for.
Notes | ||
|
||
* You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). | ||
* You need to change the server name to a url, prefixed with `mqtts://`. |
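Review bot: the second bullet presents the `mqtts://` prefix as required, but it is only one of two ways to get TLS, and the one that loses certificate validation in the current Node-RED release (node-red#2379, cited earlier in this thread). Suggest replacing it with: enter the plain hostname in Server, set the port to `8883`, tick "Enable secure connection" and keep "Verify server certificate" enabled in the TLS configuration. If the URL form is kept at all, add a caveat that it bypasses certificate verification.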
In fact, this is not necessary when enabling the "Enable secure connection" flag, which needs to be enabled to have the server certificate verified.
@@ -0,0 +1,128 @@ | |||
--- | |||
layout: default | |||
title: Connect to an MQTT broker with TLS encryption |
Reading this title in the Node-RED cookbook, I would expect more information about how to configure the mqtt-broker node for secure connections (e.g. clarification of the meanings of the fields in the TLS configuration dialog, usage of self signed certificates including validation) and not necessarily information about configuring the MQTT broker.
Maybe instead: "Set up the Mosquitto MQTT broker to accept encrypted connections and connect to it from Node-RED"? Or add more information about the configuration options in Node-RED?
|
||
Create a valid set of certificates and keys for the broker to use. | ||
|
||
Change the configuration of the broker to start a TLS encrypted port (`mqtts`) using the above. |
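Review bot: the two steps "Create a valid set of certificates and keys" and "Change the configuration of the broker" give no detail a reader can act on. Suggest spelling out which files the broker needs (the CA chain, the server certificate and its private key), how they map to the Mosquitto listener settings (`cafile`, `certfile`, `keyfile` under a `listener 8883` block), and that `require_certificate` stays `false` unless client certificates are intended, since the article refers to that option later.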
Maybe "... to accept encrypted connections..." instead of "...to start a TLS encrypted port..."?
|
||
**<code class="node">MQTT Config</code> node configuration** | ||
|
||
![](/images/mqtt/tls-connect-1.png) |
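Review bot: the screenshot `images/mqtt/tls-connect-1.png` shows the MQTT Config node with an `mqtts://` URL and "Enable secure connection" unticked, which is the configuration in which the server certificate is not validated (node-red#2379). Readers copy screenshots verbatim, so retake the image with the flag enabled and the TLS configuration showing "Verify server certificate" checked, or state in the caption that this is not the recommended configuration.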
This image shows a configuration where the certificate is not validated.
* You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). | ||
* You need to change the server name to a url, prefixed with `mqtts://`. | ||
|
||
This disables the port field, I change that first to `8883` to remind me what the correct port will be. |
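Review bot: the port used here (`8883`) disagrees with the `mqtts://broker.domain.tld:9999` example earlier in the same file; pick one, and if `9999` is meant as a placeholder say so, since `8883` is the conventional MQTT-over-TLS port. The sentence also documents a workaround (set the port before the field gets disabled) for a problem created by the URL form; with "Enable secure connection" ticked and a plain hostname in Server, the port field stays editable and no workaround is needed.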
Another advantage of ticking the "Enable secure connection" checkbox: Because there is no need to add the protocol to the Server field, the port field stays enabled.
As discussed in https://discourse.nodered.org/t/mqtt-tls-encryption-example/17691