Comprehensive Step-By-Step Document To Guide You Through Setting Up An
Environment For Hosting A Mosquitto MQTT Broker With SSL/TLS Encryption Using
Docker, Nginx, Certbot (Let's Encrypt), And Configuring The Necessary Domain And SSL
Certificates:
Complete Setup for Mosquitto with SSL/TLS using Docker, Nginx, and Certbot
Overview
This guide covers the process of setting up an environment with:
1. Nginx, which answers Certbot's HTTP-01 validation requests on port 80 (through the Certbot Nginx plugin) and can later front your web or WebSocket traffic.
2. Certbot for obtaining and renewing SSL/TLS certificates from Let's Encrypt.
3. Docker to run the Mosquitto MQTT broker.
4. Let's Encrypt certificates for SSL/TLS encryption of the broker's listeners.
By following these steps, you will end up with a Mosquitto broker whose TLS listeners present a publicly trusted certificate, with Nginx, Certbot and the container wired together so that renewals reach the broker. Keep in mind that TLS only encrypts the connection; whether clients must authenticate (the allow_anonymous and password_file settings) is a separate decision you make in the broker configuration.
Prerequisites
• Ubuntu Server (or any system with Ubuntu as the base OS).
• Domain name (e.g., [Link]) for your application.
• Docker installed on the server.
• Nginx and Certbot installed for SSL support.
• Basic knowledge of Docker and Nginx.
Step 1: Update Package Lists
Command:
sudo apt update
This command updates the local package database to ensure you have the latest
available package versions for installation.
Step 2: Install Docker
Command:
sudo apt install [Link] -y
This command installs Docker, a platform used to run applications in containers.
Docker allows us to isolate the Mosquitto broker in a container for easier management.
Step 3: Start Docker Service
Command:
sudo systemctl start docker
This starts the Docker service, which will allow Docker containers to run on your
system.
Step 4: Enable Docker to Start on Boot
Command:
sudo systemctl enable docker
This ensures Docker starts automatically every time your system boots.
Step 5: Install Certbot
Command:
sudo apt install certbot
Installs Certbot, a tool for obtaining and renewing SSL certificates from Let's Encrypt.
Step 6: Install Nginx
Command:
sudo apt install nginx -y
This installs Nginx, which will serve your application and manage incoming web traffic.
Step 7: Start Nginx Service
Command:
sudo systemctl start nginx
This starts the Nginx web server to begin handling incoming web requests.
Step 8: Enable Nginx to Start on Boot
Command:
sudo systemctl enable nginx
This ensures Nginx will automatically start whenever your system boots.
Step 9: Install Certbot with Nginx Plugin
Command:
sudo apt install certbot python3-certbot-nginx -y
Adds the Nginx plugin to the Certbot installed in Step 5 (apt simply skips certbot if it is already present). The plugin lets Certbot read the Nginx configuration to find your domain's server block, answer the HTTP-01 validation on port 80 through Nginx, and optionally rewrite that server block for HTTPS.
Step 10: Edit Nginx Site Configuration
Command:
code /etc/nginx/sites-available/[Link]
This command opens the Nginx site configuration file for your domain
([Link]) in an editor (code is VS Code; on a headless server use any editor, for example sudo nano with the same path). The file needs a server block that listens on port 80 and whose server_name is your domain: the Certbot Nginx plugin finds the domain by that server_name and serves the HTTP-01 validation through it, so without the block Step 11 cannot complete. Enable the site with a symlink into /etc/nginx/sites-enabled/, then run sudo nginx -t and reload Nginx before moving on. Port 80 must be reachable from the internet for the validation to succeed; the MQTT ports are never handled by Nginx in this setup, since Mosquitto terminates TLS itself.
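A minimal server block that satisfies the Certbot Nginx plugin, given here as an added example rather than a file from the original guide. It assumes the domain mqtt.example.com in place of the placeholder above and that port 80 on this host is reachable from the internet.

```nginx
# /etc/nginx/sites-available/mqtt.example.com   (assumed domain; use yours)
# HTTP-only site. Certbot's Nginx plugin matches this block by server_name,
# temporarily adds a location for the ACME HTTP-01 challenge, and, if run as
# "certbot --nginx" rather than "certonly", rewrites it to listen on 443.
server {
    listen 80;
    listen [::]:80;
    server_name mqtt.example.com;

    # Nothing is served here yet; an explicit root keeps Nginx from answering
    # requests for this name with whatever the default site contains.
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Enable it with sudo ln -s /etc/nginx/sites-available/mqtt.example.com /etc/nginx/sites-enabled/ followed by sudo nginx -t && sudo systemctl reload nginx. Because Mosquitto terminates TLS itself, nothing on ports 8883 or 8081 passes through Nginx; only the ACME validation (and, if you choose to add it later, a wss:// proxy) does.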
Step 11: Obtain SSL Certificate for Domain
Command:
sudo certbot certonly --nginx -d [Link]
This command tells Certbot to use the Nginx plugin to prove control of your domain ([Link]) and obtain a certificate, writing the files under /etc/letsencrypt/live/[Link]/ without changing your Nginx configuration (that is what certonly means). This is all the Mosquitto setup below needs, since the broker terminates TLS itself.
Step 12: Automate SSL Installation for Nginx (optional)
Command:
sudo certbot --nginx -d [Link]
Run this instead of Step 11, not in addition to it, if you also want Nginx to serve HTTPS for the domain: Certbot obtains the same certificate and edits the server block to listen on 443 and redirect HTTP to HTTPS. Running both commands for the same domain only makes Certbot prompt about the certificate that already exists. Either way, confirm afterwards that /etc/letsencrypt/live/[Link]/ exists; the files there are symlinks to the current versions kept under /etc/letsencrypt/archive/.
Step 13: Edit Cron Jobs for Auto Renewal
Command:
crontab -e
This opens the cron job configuration to set up automatic renewal for the SSL
certificate. Let's Encrypt certificates are valid for 90 days; certbot renew only replaces certificates within 30 days of expiry, so it is safe to run it often. Before adding a job, check whether the Ubuntu certbot package has already installed one with systemctl list-timers certbot.timer (the apt package ships a systemd timer that runs certbot renew twice a day). If you do add a crontab entry, run certbot renew --quiet at a fixed time, for example 0 3 * * *. Renewal alone is not enough for this setup: the broker reads copies of the certificate files in /root/mosquitto/certs, not /etc/letsencrypt directly, so every renewal must also refresh those copies and restart the container, otherwise Mosquitto keeps serving the expired certificate. Certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, which is the right place for that step.
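The deploy hook for this setup, written here as an added example that is not part of the original guide. It assumes the guide's layout (/root/mosquitto/certs, a container named mosquitto), uses Certbot's standard file names fullchain.pem and privkey.pem for the files shown as placeholders on this page, and takes uid 1883 as the unprivileged mosquitto user the eclipse-mosquitto image runs the broker as (check that against your image).

```shell
#!/bin/sh
# Certbot deploy hook: refresh the broker's copies of the Let's Encrypt files
# and restart the container. Install as
#   /etc/letsencrypt/renewal-hooks/deploy/mosquitto-certs.sh   (chmod 0755)
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) when it
# runs deploy hooks after a successful renewal.
set -eu

# Assumed values from this guide's layout; override through the environment.
CERT_DST="${CERT_DST:-/root/mosquitto/certs}"
CONTAINER="${CONTAINER:-mosquitto}"
MOSQ_UID="${MOSQ_UID:-1883}"   # assumed uid of the broker user in the container

# sync_certs SRC_DIR DST_DIR UID
# Copies fullchain.pem and privkey.pem from a live/ directory into DST_DIR.
# -L follows Let's Encrypt's symlinks so the container gets real files rather
# than links into /etc/letsencrypt/archive, which are dangling inside it.
# Files are written under a temporary name and renamed, so the broker never
# reads a half-written certificate.
sync_certs() {
    src="$1"; dst="$2"; uid="$3"
    mkdir -p "$dst"
    for name in fullchain.pem privkey.pem; do
        cp -L "$src/$name" "$dst/$name.tmp"
    done
    chmod 0644 "$dst/fullchain.pem.tmp"
    chmod 0600 "$dst/privkey.pem.tmp"     # private key: owner only
    # Certbot runs hooks as root; when not root (a dry run), skip the chown.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid" "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp"
    fi
    mv -f "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv -f "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# restart_broker NAME: make Mosquitto load the new files. This matches the
# guide's "docker restart"; clients reconnect, which MQTT clients do routinely.
restart_broker() {
    if command -v docker >/dev/null 2>&1; then
        docker restart "$1"
    else
        echo "docker not found; not restarting $1" >&2
    fi
}

# Only act when Certbot invoked us (RENEWED_LINEAGE is set); sourcing this
# file just for its functions does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_certs "$RENEWED_LINEAGE" "$CERT_DST" "$MOSQ_UID"
    restart_broker "$CONTAINER"
fi
```

Test it without waiting 60 days: sudo certbot renew --dry-run runs the hook against the staging lineage, after which the files in /root/mosquitto/certs should carry a fresh timestamp and docker logs mosquitto should show a clean restart.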
Step 14: Verify Nginx Configuration
Command:
sudo nginx -t
This tests the Nginx configuration for syntax errors before restarting Nginx to apply the
changes.
Step 15: Restart Nginx
Command:
sudo systemctl restart nginx
This restarts the Nginx service to apply the changes made to the configuration file.
Step 16: Set Up Mosquitto MQTT Broker with SSL/TLS in Docker
Now, we'll configure the Mosquitto MQTT broker to use the SSL certificates you obtained
from Let's Encrypt.
Directory Structure
After completing the setup, your directory structure should look like this:
/root/mosquitto/
├── certs/
│ ├── [Link]
│ └── [Link]
├── config/
│ └── [Link]
├── data/
└── log/
1. Ensure You Have Let's Encrypt Certificates
The required certificate files are:
• [Link]: Full certificate chain (your leaf certificate followed by the Let's Encrypt intermediate). Mosquitto sends this whole chain, which is what lets clients validate the certificate against the public CA store.
• [Link]: Private key for your domain.
These are stored in the /etc/letsencrypt/live/[Link]/ directory as symlinks to the current versions under /etc/letsencrypt/archive/. The private key is root-owned with mode 0600, so a plain copy is not readable by the unprivileged user the broker runs as inside the container; adjust its ownership after copying (section 3 below) and never make it world-readable.
2. Prepare Directories on Host
Create a directory on the host system where the certificates will be stored for mounting
into the Docker container:
Command:
mkdir -p /root/mosquitto/certs
3. Copy Certificates to Host
Copy the SSL certificates from /etc/letsencrypt to the newly created directory (cp follows the symlinks in live/, so real files are copied):
Command:
cp /etc/letsencrypt/live/[Link]/[Link] /root/mosquitto/certs/
cp /etc/letsencrypt/live/[Link]/[Link] /root/mosquitto/certs/
Then make the files readable by the broker user inside the container (the eclipse-mosquitto image runs Mosquitto as user mosquitto, uid 1883) without exposing the key to anyone else: chown both files to 1883 and chmod the private key to 0600. Two things to keep in mind: these are snapshots, so they must be re-copied after every renewal (see Step 13), and the copies deserve the same handling as /etc/letsencrypt itself, so keep them out of backups and repositories that are shared more widely.
4. Configure Mosquitto for SSL/TLS
Create the Mosquitto configuration file ([Link]) in /root/mosquitto/config before starting the container: the image expects its configuration at /mosquitto/config/[Link], and mounting an empty config directory over that path leaves the broker with nothing to load. Add the following configuration (in the certfile and keyfile lines, the first placeholder is the full-chain file and the second the private key):
# Plain MQTT listener (1883). Unencrypted; whether it is reachable from
# outside the host is decided by the -p option in the docker run command.
listener 1883
protocol mqtt
allow_anonymous true
# Plain WebSocket listener (8080)
listener 8080
protocol websockets
allow_anonymous true
# MQTT over TLS (8883), the port MQTT clients use for mqtts://
# cafile is only consulted for client certificates (require_certificate);
# certfile must be the full chain, keyfile the private key.
listener 8883
protocol mqtt
cafile /mosquitto/certs/[Link]
certfile /mosquitto/certs/[Link]
keyfile /mosquitto/certs/[Link]
allow_anonymous true
# Secure WebSocket listener (8081)
listener 8081
protocol websockets
cafile /mosquitto/certs/[Link]
certfile /mosquitto/certs/[Link]
keyfile /mosquitto/certs/[Link]
allow_anonymous true
Note that allow_anonymous true on every listener means anyone who can reach a port can publish and subscribe to every topic; TLS does not change that. Before exposing the broker, set allow_anonymous false and configure a password_file (or require_certificate for client certificates), at least on the listeners you publish to the internet.
5. Docker Run Command for Mosquitto
Run the Mosquitto container with the certificate, config, data and log directories mounted. The original command carried shell comments after the line-continuation backslashes, which breaks it (a backslash followed by a space is an escaped space, not a continuation, so each subsequent line runs as a separate command); the port meanings are listed below the command instead:
Command:
docker run -d \
  --name mosquitto \
  -p 1883:1883 \
  -p 8080:8080 \
  -p 8081:8081 \
  -p 8883:8883 \
  -v /root/mosquitto/certs:/mosquitto/certs:ro \
  -v /root/mosquitto/config:/mosquitto/config \
  -v /root/mosquitto/data:/mosquitto/data \
  -v /root/mosquitto/log:/mosquitto/log \
  eclipse-mosquitto
Ports: 1883 plain MQTT, 8080 plain WebSocket, 8081 secure WebSocket, 8883 MQTT over TLS. The certs mount is read-only, since the broker never needs to write there. A bare -p host:container publishes the port on every host interface and bypasses ufw rules; to keep the plaintext listeners reachable only from the host itself, publish them on loopback, for example -p 127.0.0.1:1883:1883. This command runs Mosquitto in detached mode; TLS is enabled by the listener configuration, not by Docker, so check docker logs mosquitto for errors such as an unreadable key file before connecting. Pinning the image tag (for example eclipse-mosquitto:2) keeps an unattended pull from silently moving you to a new major version.
6. Restart Mosquitto
Restart the Mosquitto container to apply the SSL configuration:
Command:
docker restart mosquitto
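The configuration above accepts anonymous clients on every listener, including the unencrypted one. As an added example (not from the original guide), this is the hardened variant a practitioner would deploy instead: anonymous access off, username/password authentication from a file, no plaintext WebSocket listener, and the plaintext MQTT listener kept for local tools only. It assumes the same directory layout, Certbot's file names fullchain.pem and privkey.pem for the placeholders shown on the page, and a password file at /mosquitto/config/passwd.

```conf
# /root/mosquitto/config/mosquitto.conf   (hardened variant; file names assumed)

# Authentication applies to every listener: no anonymous clients, and
# credentials come from a file created with mosquitto_passwd.
allow_anonymous false
password_file /mosquitto/config/passwd

# Plain MQTT for tools on the host itself. Keep it off the internet by
# publishing it on loopback only:  docker run ... -p 127.0.0.1:1883:1883
listener 1883
protocol mqtt

# MQTT over TLS for devices and remote clients.
# certfile is Certbot's fullchain.pem (leaf plus intermediate) so clients can
# build a path to the ISRG root in their CA store; keyfile is privkey.pem.
listener 8883
protocol mqtt
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem

# Secure WebSocket for browser clients (wss://host:8081).
listener 8081
protocol websockets
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem

# No plaintext WebSocket listener: a page served over https cannot open ws://
# anyway, and with passwords in use it would send them in clear.

# Leave tls_version unset: Mosquitto 2.x already refuses TLS 1.0/1.1 by
# default, and setting tls_version restricts the listener to that one version.

# Persist sessions and retained messages, and log to the mounted directory.
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
```

Create the first account with docker exec -it mosquitto mosquitto_passwd -c /mosquitto/config/passwd device1 (it prompts for the password; drop -c for further users), make sure the resulting file is readable by the broker user just like the key file, and run docker restart mosquitto so the broker loads it. Clients then connect with -u/-P (or the equivalent in their library) over port 8883.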
Step 17: Verify SSL/TLS Configuration
To verify that the Mosquitto broker is using SSL/TLS, use a TLS-capable MQTT client (like [Link] or mosquitto_pub) and connect to the broker on port 8883 (MQTT over TLS) or, for WebSocket clients, wss:// on port 8081. Tell the client to use TLS and to validate the server certificate against the system CA store (for mosquitto_pub, --capath /etc/ssl/certs) rather than disabling verification: a connection that only succeeds with verification turned off means the chain or the hostname is wrong. Check three things: the certificate presented is the Let's Encrypt one for your domain, it is still the current one after a renewal, and the plaintext ports 1883 and 8080 are reachable only from where you intended.
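A small check script for the verification step, added here as an example that is not part of the original guide. It assumes openssl is installed on the machine you test from (mosquitto_pub from the mosquitto-clients package is optional) and that the broker allows anonymous publishing on 8883 as configured above; the domain in the usage comment is an assumption.

```shell
#!/bin/sh
# Check a Mosquitto TLS listener the way a client would: does the chain
# validate against the system CA store, which name is on the certificate,
# and how many days remain before it expires. Needs openssl; if
# mosquitto_pub is installed, it also publishes one message over TLS with
# certificate verification left on.
set -eu

# parse_verify_code: read "openssl s_client" output on stdin and print the
# numeric "Verify return code" (0 means the chain validated; empty means
# no TLS handshake happened at all).
parse_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# days_left NOT_AFTER: whole days from now until the given notAfter date
# (as printed by "openssl x509 -enddate"); negative means already expired.
# Uses GNU date, as on Ubuntu.
days_left() {
    end=$(date -d "$1" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# check_tls HOST PORT: run the checks above against a live broker, e.g.
#   check_tls mqtt.example.com 8883      (domain assumed for illustration)
check_tls() {
    host="$1"; port="$2"
    # -servername sends SNI like real clients do; </dev/null ends the session
    # right after the handshake, so no MQTT bytes are needed.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              </dev/null 2>/dev/null) || true
    code=$(printf '%s\n' "$out" | parse_verify_code)
    if [ -z "$code" ]; then
        echo "no TLS handshake on $host:$port (plaintext listener or closed port?)" >&2
        return 1
    fi
    # openssl x509 reads the first PEM block, i.e. the leaf certificate.
    subject=$(printf '%s\n' "$out" | openssl x509 -noout -subject)
    not_after=$(printf '%s\n' "$out" | openssl x509 -noout -enddate | cut -d= -f2)
    echo "$host:$port verify=$code $subject expires_in=$(days_left "$not_after")d"
    [ "$code" -eq 0 ] || return 1
    if command -v mosquitto_pub >/dev/null 2>&1; then
        # --capath validates against the system store. Never add --insecure
        # here: a publish that only works with it means the chain or name is wrong.
        mosquitto_pub -h "$host" -p "$port" --capath /etc/ssl/certs \
            -t "healthcheck/$(hostname)" -m "tls ok"
        echo "publish over TLS ok"
    fi
}

if [ "$#" -eq 2 ]; then
    check_tls "$1" "$2"
fi
```

Run it as sh check_tls.sh your.domain 8883 and again with 8081 for the WebSocket listener; a verify code other than 0 (for example 10, certificate has expired, or 62, hostname mismatch) pinpoints the problem before any MQTT client is involved. Running it against 1883 should report no TLS handshake, which is the expected result for the plaintext listener. If you have turned off anonymous access, add -u and -P to the mosquitto_pub line.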
Conclusion
1. Nginx answers Let's Encrypt's validation for your domain and, if you ran Step 12, serves it over HTTPS.
2. Certbot automates certificate issuance and renewal; the broker's copies of the certificate files must be refreshed on each renewal.
3. Docker runs the Mosquitto MQTT broker in a container with the certificate and configuration directories mounted.
4. The broker's TLS listeners (8883 and 8081) encrypt client traffic with a publicly trusted certificate.
This setup provides encrypted communication for your Mosquitto MQTT broker via SSL/TLS while automating certificate management. Encryption is not access control: with allow_anonymous true and the plaintext ports published, the broker accepts anyone who can reach it, so set allow_anonymous false with a password_file (or client certificates) and restrict the unencrypted listeners before exposing it to the internet.