Encrypting Mosquitto using Certbot
The Mosquitto server is configured through the /etc/mosquitto/conf.d/main.conf file, which must specify the paths to the SSL certificates. A good topic on the matter can be found here.
Certificates can be retrieved using Certbot, but when a microk8s instance is running with the NGINX Ingress controller, Certbot needs special access to fulfill its challenges.
To provide it, one can create an Endpoints object with a port on which Certbot will listen, alongside a Service and an Ingress for it:
kind: Endpoints
apiVersion: v1
metadata:
  name: mosquitto-certbot
subsets:
  - addresses:
      # Address of the host on which Certbot listens
      - ip: 172.105.193.217
    ports:
      - port: 1888
---
kind: Service
apiVersion: v1
metadata:
  name: mosquitto-certbot
spec:
  type: ClusterIP
  ports:
    - port: 1888
      targetPort: 1888
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# newer clusters use networking.k8s.io/v1 instead
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mosquitto-certbot
  annotations:
    # Specify the Ingress controller
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: mqtt.maximemoreillon.com
      http:
        paths:
          - path: /
            backend:
              serviceName: mosquitto-certbot
              servicePort: 1888
Certbot can then be run as follows:
sudo certbot certonly --standalone --preferred-challenges http --http-01-port 1888 -d mqtt.maximemoreillon.com
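
A deploy hook that connects the issued certificate to the broker configuration, as an added example that is not part of the original post: it copies the files Certbot issued into a directory the broker can read, keeps the private key owner-only, and prints the listener lines for main.conf. The destination /etc/mosquitto/certs, the mosquitto user name, port 8883 and the systemd restart are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a Certbot deploy hook.
# Certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>) to deploy hooks.
# Assumptions: DEST path, a "mosquitto" system user, a systemd-managed broker.

# install_certs LINEAGE_DIR DEST_DIR
# Copy the certificate files out of the root-only Let's Encrypt tree so an
# unprivileged broker can read them; the private key stays owner-only (0600).
install_certs() {
    src=$1; dest=$2
    # Refuse to touch DEST unless the whole set is present and non-empty.
    for f in chain.pem cert.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    install -m 0644 "$src/chain.pem" "$src/cert.pem" "$dest/" || return 1
    install -m 0600 "$src/privkey.pem" "$dest/privkey.pem" || return 1
    # Only root can hand the files to the broker user; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id mosquitto >/dev/null 2>&1; then
        chown mosquitto "$dest"/*.pem || return 1
    fi
}

# render_listener CERT_DIR [PORT]
# Print the TLS listener lines to place in /etc/mosquitto/conf.d/main.conf.
render_listener() {
    printf 'listener %s\n' "${2:-8883}"
    printf 'cafile %s/chain.pem\n' "$1"
    printf 'certfile %s/cert.pem\n' "$1"
    printf 'keyfile %s/privkey.pem\n' "$1"
}

# Runs only when Certbot invokes the hook (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    DEST=${DEST:-/etc/mosquitto/certs}
    install_certs "$RENEWED_LINEAGE" "$DEST" || exit 1
    render_listener "$DEST"
    systemctl restart mosquitto
fi
```

Passing the script to certbot with --deploy-hook, or placing it in /etc/letsencrypt/renewal-hooks/deploy/, makes Certbot run it after each successful issuance or renewal.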