Avijit Sahoo

Migrating Secure MQTT (mosquitto) server with same SSL key on Ubuntu 22.04 between cloud platforms.

To migrate a Mosquitto MQTT broker to a new cloud VM while keeping its existing TLS certificate and key, all certificate and key files must be copied to the new server and the DNS record must be updated to point at it. The commands below walk through that process so the transition is smooth.

  • First, create a Linux virtual machine (Ubuntu 22.04) on the new cloud platform.
  • Log in to the new virtual machine.
  • Install Mosquitto and the command-line clients:
sudo apt update
sudo apt-get install mosquitto mosquitto-clients
  • Check whether the Mosquitto service is running:
sudo systemctl status mosquitto
# command1
Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
Active: active (running) since *******–**–** **:**:** UTC; **h ago
Docs: man:mosquitto.conf(5)
man:mosquitto(8)
...

If your terminal shows output like this, you're all set!
You can also check the broker with a quick subscribe/publish test:

mosquitto_sub -h localhost -t test  # command1
# terminal1

Open another terminal and paste this command

mosquitto_pub -h localhost -t "test" -m "hello world"  # command2
# terminal2

# Output in terminal1
mosquitto_sub -h localhost -t test # command1
hello world

Now point the domain name at the new server:

  • Go to your DNS hosting service and edit the record for 'mqtt.yourdomainname.com' (or whatever name format you use).
  • Add or update the 'A' record so that it holds the public IP address of the new virtual machine.

After updating the DNS record, wait at least the TTL (in seconds) that you had set on the old record, because your computer and intermediate resolvers may still have the old address cached.
Then run this command from your local machine:

mosquitto_pub -h mqtt.yourdomainname.com -t "test" -m "hello world from mylocalhost" # command3
# run this command on the local terminal

# Output in terminal1
mosquitto_sub -h localhost -t test # command1
hello world
# after running command3
hello world from mylocalhost

Set a username and password for MQTT login

sudo mosquitto_passwd -c /etc/mosquitto/passwd username # replace 'username' with your own; you are prompted to type the password twice, then press enter
# note: -c creates the file and overwrites any existing one; omit -c to add further users later

Edit "/etc/mosquitto/mosquitto.conf"

sudo nano /etc/mosquitto/mosquitto.conf

And add these lines at the end of the file

.... ....
........ 

listener 1883

allow_anonymous false
password_file /etc/mosquitto/passwd

Now restart Mosquitto and test the password-protected listener with these commands

mosquitto_sub -h localhost -t test -u "username" -P "password"
# terminal4

# Open another terminal and paste this command
mosquitto_pub -h localhost -t "test" -m "hello world with password" -u "username" -P "password"
# terminal5

# Output in terminal4
mosquitto_sub -h localhost -t test -u "username" -P "password"
hello world with password

Now try it from the local machine

# open local machine terminal
mosquitto_pub -h mqtt.yourdomainname.com -t "test" -m "hello world with password from localmachine" -u "username" -P "password"
# terminal6

# Output in terminal4
mosquitto_sub -h localhost -t test -u "username" -P "password"
hello world with password
hello world with password from localmachine

If any error occurs, reinstall and redo the process. Otherwise, continue.

After that, log in to the old VM and copy all of the TLS certificate and key files.

cd path/to/ssl/key # replace path/to/ssl/key with the directory holding your certificate and key files
# for example '/etc/ssl/certs/'
ls
# output looks like: ca.crt  ca.csr  ca.srl  ca.key  server.crt  server.csr  server.key
# Copy every file to the local machine. Note that the broker only reads ca.crt,
# server.crt and server.key; ca.key is the CA's private key and the .csr files
# are only the signing requests, so they are not needed for mosquitto itself.
cat ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

cat ca.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

# Copy all the files one by one to the local machine in the same way.
# (Transferring them with scp over SSH instead of cat/paste keeps the private
# keys out of the terminal scrollback and the clipboard.)

Now log in to the new VM and run these commands

cd /etc/mosquitto/
sudo mkdir key # /etc/mosquitto is owned by root, so mkdir needs sudo
cd key

# create each file, paste in the content copied from the local machine,
# then save with ctrl + x > Y > enter
sudo nano ca.crt
sudo nano ca.csr
sudo nano ca.key
sudo nano ca.srl
sudo nano server.crt
sudo nano server.csr
sudo nano server.key

Now set the file permissions and ownership

# the files were created with sudo, so they are owned by root and chmod needs sudo too
sudo chmod 644 ca.crt ca.csr ca.srl server.crt server.csr # public material: rw-r--r--
sudo chmod 600 ca.key # private key: rw-------
sudo chmod 600 server.key # private key: rw-------

sudo chown mosquitto:mosquitto /etc/mosquitto/key/server.key
# The mosquitto service runs as the 'mosquitto' user and must be able to read
# server.key, which is why that one file is handed to it; ca.crt and server.crt
# are world-readable, so they can stay owned by root. If your setup is
# different, adjust the chown/chmod commands accordingly.
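Before pointing the broker at the copied files, it is worth checking that they are consistent with each other. The following is an added example, not code from the original post: a POSIX shell function that confirms server.key is not group- or world-readable, that server.crt was issued for server.key, that server.crt verifies against ca.crt (the file clients will pass as --cafile), and that the certificate is not about to expire. It assumes openssl and GNU stat are installed and takes the key directory (/etc/mosquitto/key in this post) as its argument.

```shell
#!/bin/sh
# verify_mqtt_tls_files DIR: sanity-check the TLS material copied into DIR
# (e.g. /etc/mosquitto/key) before restarting mosquitto with it.
# Returns 0 when everything checks out, 1 otherwise.
# Added example; assumes openssl and GNU stat are available.
verify_mqtt_tls_files() {
    dir="$1"
    rc=0
    # The broker itself reads only these three files.
    for f in ca.crt server.crt server.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key must not be group- or world-readable.
    mode=$(stat -c %a "$dir/server.key")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "server.key mode is $mode, expected 600" >&2
        rc=1
    fi

    # server.crt must belong to server.key: their public keys must be identical.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "server.crt does not match server.key" >&2
        rc=1
    fi

    # server.crt must chain to ca.crt, the file clients pass as --cafile.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "server.crt does not verify against ca.crt" >&2
        rc=1
    fi

    # Fail early if the certificate expires within 30 days (2592000 s).
    if ! openssl x509 -in "$dir/server.crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "server.crt expires within 30 days" >&2
        rc=1
    fi
    return "$rc"
}

# Example call on the new VM (run as root so server.key can be read):
# verify_mqtt_tls_files /etc/mosquitto/key
```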

After that, open "/etc/mosquitto/mosquitto.conf" again

sudo nano /etc/mosquitto/mosquitto.conf

And add the TLS listener to the file

.... ....
........

listener 8883

allow_anonymous false
password_file /etc/mosquitto/passwd

cafile /etc/mosquitto/key/ca.crt
certfile /etc/mosquitto/key/server.crt
keyfile /etc/mosquitto/key/server.key
# Comments must be on their own line: a '#' after a value is read as part of
# the value and mosquitto will reject the option. Change the line below to the
# TLS version you want (tlsv1.3, tlsv1.2 or tlsv1.1); if it is left out,
# mosquitto allows TLS 1.2 and 1.3. The plain 'listener 1883' added earlier
# still accepts unencrypted connections unless you remove it.
tls_version tlsv1.2
# now save it: ctrl + x > Y > enter

sudo systemctl restart mosquitto

If the Mosquitto service restarts successfully, well done.
Now run these commands on the local machine

cd /path/to/ # the directory on the local machine holding your copy of ca.crt
mosquitto_sub -h mqtt.yourdomainname.com -p 8883 --cafile "ca.crt" -t test -u "username" -P "password"

# open another terminal on the local machine
cd /path/to/ # the directory on the local machine holding your copy of ca.crt
mosquitto_pub -h mqtt.yourdomainname.com -p 8883 --cafile "ca.crt" -t test -m "Hello from local to another local" -u "username" -P "password"

# if the message shows up in the first terminal, the server is production ready

If you get any errors, open /var/log/mosquitto/mosquitto.log; it gives the error details.
