MQTT Service: Simple Mosquitto Installation and TLS Mutual Authentication Configuration


I. Installing and configuring Mosquitto

1. Install Mosquitto with yum

yum install epel-release -y
yum search mosquitto
yum install mosquitto-devel  mosquitto -y

2. Configure Mosquitto

egrep -v '^#|^$' /etc/mosquitto/mosquitto.conf
pid_file /var/run/mosquitto.pid
# default (plaintext) listening port
port 1883
# enable persistence
persistence true
# create this directory
persistence_location /var/lib/mosquitto/
# create this directory
log_dest file /var/log/mosquitto/mosquitto.log
# log everything, which helps troubleshooting
log_type all

Mosquitto only treats lines that begin with # as comments, so keep the annotations on their own lines rather than appending them to a setting (a trailing "#..." is read as part of the value).

3. Start Mosquitto

systemctl start mosquitto
systemctl enable mosquitto
systemctl status mosquitto

4. Install the MQTT client test tool MQTT.fx

Download address: http://mqttfx.bceapp.com/

After downloading and installing it, open the application and run a test.

[Screenshots of the MQTT.fx connection and publish/subscribe test are not reproduced here.]

If you see the above behaviour, the configuration succeeded!

II. Configuring TLS mutual authentication for Mosquitto

1. Generate the certificate files

OpenSSL is used as the TLS implementation.

mkdir /etc/mosquitto/Myca && cd /etc/mosquitto/Myca

1.1 Generate the CA key and certificate

1) Generate the CA private key
[root@prepare Myca]# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.........................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
Note: a passphrase is requested here; the command produces a CA key file named "ca.key".

2) Generate the CA certificate

[root@prepare Myca]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:0.0.0.0
Email Address []:test@163.com
Note: ca.crt is the certificate the CA signs for itself. The "-x509" option makes this command emit a self-signed certificate; this is generally what is used for testing.

1.2 Generate the server certificate

1) Generate the server private key

[root@prepare Myca]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
.................+++
e is 65537 (0x10001)
Note: this command produces an unencrypted RSA private key; the parameter "2048" is the key length in bits. The resulting "server.key" is used in the next step and is also referenced in the mosquitto configuration file.

If the RSA private key should be encrypted, add the "-des3" option; once the key file is encrypted, every later use of it asks for the passphrase. The command to produce an encrypted RSA private key is:

openssl genrsa -des3 -out server.key 2048

If you encrypt the RSA private key, keep the passphrase safe: it is needed when producing the CSR and whenever the key file is used afterwards.

2) Generate the server certificate signing request (.csr)

[root@prepare Myca]# openssl req -new -out server.csr -key server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:192.168.1.162
Email Address []:test@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note:
This command uses the "server.key" produced in the previous step to create server.csr, the request file the CA needs in order to issue a certificate for the server; the certificate is obtained by submitting this file to the CA. No challenge password is set here.
Pitfall: the Common Name here is the server's IP address.

3) Generate the server certificate

[root@prepare Myca]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
Signature ok
subject=/C=cn/ST=bj/L=bj/O=test/OU=test/CN=192.168.1.162/emailAddress=test@qq.com
Getting CA Private Key
Enter pass phrase for ca.key:
Note: this command takes three files, the CA key ca.key, the CA certificate ca.crt and the server.csr request produced for the mosquitto server in the previous step, and asks the CA to issue a certificate named server.crt.
The 3650 in the command (the validity period in days) can be changed to a value of your own. The passphrase chosen when creating ca.key must be entered here.

1.3 Generate the client certificate

The process is the same as for the server certificate, so it is not explained step by step.

1) Generate the client private key

[root@prepare Myca]# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
.............+++
e is 65537 (0x10001)

2) Generate the client certificate signing request (.csr)

[root@prepare Myca]# openssl req -new -out client.csr -key client.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:192.168.1.162
Email Address []:test@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: the Common Name is the server IP.

3) Generate the client certificate

[root@prepare Myca]# openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
Signature ok
subject=/C=cn/ST=bj/L=bj/O=test/OU=test/CN=192.168.1.162/emailAddress=test@qq.com
Getting CA Private Key
Enter pass phrase for ca.key:

Summary of pitfalls: the Common Name can be a hostname, a domain name or an IP address (one of the three); the self-signed CA certificate's Common Name must differ from the Common Name of the server and client certificates; the server and client Common Name is still the server's own IP: 192.168.1.162.
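The whole certificate procedure above, as an added script that is not part of the original post: it runs non-interactively (subject and CA passphrase passed on the command line), verifies that both leaf certificates chain to ca.crt, and, going beyond the page, also puts the broker IP into the server certificate's subjectAltName, which is what TLS libraries check in preference to the CN. The directory, the passphrase and the CA CN "mosquitto-test-ca" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the page's certificate procedure,
# made non-interactive so it can be re-run. Paths, the CA passphrase and the CA
# CN "mosquitto-test-ca" are assumptions. Beyond the page, the server certificate
# also gets a subjectAltName with the broker IP.
set -eu

gen_mtls_certs() (
  dir=$1; ip=$2; capass=$3
  mkdir -p "$dir" && cd "$dir"
  subj="/C=cn/ST=bj/L=bj/O=test/OU=test"

  # 1.1 CA key (encrypted with -des3) and self-signed CA certificate;
  # the CA CN must differ from the server/client CN (page's pitfall summary)
  openssl genrsa -des3 -passout "pass:$capass" -out ca.key 2048
  openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$capass" \
    -subj "$subj/CN=mosquitto-test-ca" -out ca.crt

  # 1.2 server key, CSR with CN = broker IP, certificate signed by the CA
  openssl genrsa -out server.key 2048
  openssl req -new -key server.key -subj "$subj/CN=$ip" -out server.csr
  printf 'subjectAltName=IP:%s\n' "$ip" > server.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin "pass:$capass" \
    -CAcreateserial -days 3650 -extfile server.ext -out server.crt

  # 1.3 client key, CSR and certificate; as on the page the client CN is the broker
  # IP, and with use_identity_as_username that CN becomes the MQTT username
  openssl genrsa -out client.key 2048
  openssl req -new -key client.key -subj "$subj/CN=$ip" -out client.csr
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -passin "pass:$capass" \
    -CAcreateserial -days 3650 -out client.crt

  # check: both leaf certificates chain to ca.crt, which broker and clients require
  openssl verify -CAfile ca.crt server.crt client.crt
)

# check whether a certificate carries the given IP in its subjectAltName
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# usage: sh gen_certs.sh /etc/mosquitto/Myca 192.168.1.162 'ca-passphrase'
if [ $# -ge 3 ]; then
  gen_mtls_certs "$1" "$2" "$3"
  cert_has_ip_san "$1/server.crt" "$2" && echo "server.crt has SAN IP:$2"
fi
```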

2. Modify the mosquitto configuration file

2.1 Configuration file after modification

[root@prepare ~]# egrep -v '^#|^$' /etc/mosquitto/mosquitto.conf
pid_file /var/run/mosquitto.pid
port 1883
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
log_type all
include_dir /etc/mosquitto/conf.d
# TLS port
listener 8883
cafile /etc/mosquitto/Myca/ca.crt
certfile /etc/mosquitto/Myca/server.crt
keyfile /etc/mosquitto/Myca/server.key
# no anonymous users
allow_anonymous false
# a certificate must be presented, to protect the data
require_certificate true
# if require_certificate is true, use_identity_as_username must also be true
use_identity_as_username true

The annotations are shown on their own lines on purpose: Mosquitto only treats lines that begin with # as comments, so a trailing "#..." on a setting line is taken as part of the value (on the listener line it would be read as a bind address and the broker would fail to start).
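A small check for the TLS listener settings above, added here and not part of the original post: it flags inline "#" comments (which Mosquitto does not strip), a listener without cafile/certfile/keyfile, require_certificate without a cafile, and allow_anonymous not set to false. The sample configuration inside the script is constructed to mirror the page's listener block.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS listener settings of a
# mosquitto.conf. Mosquitto treats only lines that START with # as comments.
check_mosq_conf() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # real comment or blank line
    index($0, "#") > 0 {
      printf "line %d: inline comment is not stripped, it becomes part of the value: %s\n", NR, $0
      bad = 1
    }
    { opt[$1] = $2 }                                     # option -> first value token
    END {
      if (("listener" in opt) && !(("cafile" in opt) && ("certfile" in opt) && ("keyfile" in opt))) {
        print "listener defined without cafile/certfile/keyfile: TLS is not enabled on it"; bad = 1
      }
      if (opt["require_certificate"] == "true" && !("cafile" in opt)) {
        print "require_certificate true needs cafile (or capath) to verify client certificates"; bad = 1
      }
      if (opt["allow_anonymous"] != "false") {
        print "allow_anonymous is not explicitly false"; bad = 1
      }
      if (opt["use_identity_as_username"] == "true")
        print "note: the client certificate CN is the username; the password check is skipped on this listener"
      exit bad + 0
    }' "$1"
}

# Constructed sample mirroring the page listener block, inline comments included
sample_conf() {
  printf '%s\n' 'listener 8883 #tls port' 'cafile /etc/mosquitto/Myca/ca.crt' \
    'certfile /etc/mosquitto/Myca/server.crt' 'keyfile /etc/mosquitto/Myca/server.key' \
    'allow_anonymous false #no anonymous users' 'require_certificate true' \
    'use_identity_as_username true' > "$1"
}

# usage: sh check_mosq_conf.sh /etc/mosquitto/mosquitto.conf  (no argument: lint the sample)
if [ $# -ge 1 ]; then
  check_mosq_conf "$1"
else
  tmp=$(mktemp); sample_conf "$tmp"
  check_mosq_conf "$tmp" || echo "fix the lines above before restarting mosquitto"
  rm -f "$tmp"
fi
```

A password file created with mosquitto_passwd is only consulted when the configuration names it with a password_file setting, and not at all on a listener with use_identity_as_username true, where the certificate CN is the identity.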

2.2 Restart mosquitto

systemctl restart mosquitto

3. Mutual authentication test

3.1 Create a mosquitto username and password

Command to create the admin user and password:
mosquitto_passwd -c /etc/mosquitto/pwfile.example admin
You are prompted to enter the password twice, and the user is created. Explanation: -c creates the file; /etc/mosquitto/pwfile.example is the file the user is written to; admin is the username.

Create the mosquitto user with the following command:
mosquitto_passwd /etc/mosquitto/pwfile.example mosquitto
Again you are prompted for the password twice. Note that -c is not used the second time: with -c the file is recreated and the first user is overwritten.
Both users now exist; if you look at pwfile.example you will find the two new entries.

3.2 Linux command-line test

Subscriber command:
[root@prepare ~]# mosquitto_sub  -t 'room02/sensors' -h 192.168.1.162 -p 8883 -u admin -P 123456 --tls-version tlsv1.2 --cafile /etc/mosquitto/Myca/ca.crt --cert /etc/mosquitto/Myca/client.crt --key /etc/mosquitto/Myca/client.key


Publisher command:
[root@prepare ~]# mosquitto_pub  -t 'room02/sensors' -m '我的消息' --cafile /etc/mosquitto/Myca/ca.crt --cert /etc/mosquitto/Myca/client.crt --key /etc/mosquitto/Myca/client.key -h 192.168.1.162 -p 8883 -u admin -P 123456 --tls-version tlsv1.2


Result:

[Screenshot of the message received by the subscriber is not reproduced here.]

If you see the above result, the configuration succeeded!

TLS mutual authentication can also be verified with MQTT.fx or with a Python demo.
