Tags: mqtt, mosquitto, watson-iot

Secure bridge between a local Mosquitto and Watson IoT


I need your help on the MQTT bridging. Currently I can successfully bridge the local MQTT to the Watson IoT messaging, but only in insecure mode, i.e. port 1883. So I got the server certificate by this command

openssl s_client -connect myorg.messaging.internetofthings.ibmcloud.com:8883 -showcerts > server.crt

and removed two lines from the top and two lines from the bottom. When I try to connect this in a secure mode, I get the socket error as below. Could anyone help me on this?

mosquitto.conf

connection bridge-to-watsoniot
bridge_insecure false
bridge_certfile /home/pi/server.crt
address myorg.messaging.internetofthings.ibmcloud.com:8883
cleansession false
try_private false
bridge_attempt_unsubscribe false
notifications true
notification_topic iot-2/type/Raspberry/id/my_mqtt_gateway/evt/status/fmt/raw
remote_username use-token-auth
remote_password ***************
remote_clientid g:myorg:Raspberry:my_mqtt_gateway
topic iot-2/type/+/id/+/cmd/+/fmt/+ in iot-2/type/+/id/+/cmd/+/fmt/+
topic iot-2/type/+/id/+/evt/+/fmt/+ out iot-2/type/+/id/+/evt/+/fmt/+
connection_messages true

mosquitto.log

1487240737: mosquitto version 1.4.10 (build date Thu, 25 Aug 2016 10:12:09 +0100) starting
1487240737: Config loaded from mosquitto.conf.
1487240737: Opening ipv4 listen socket on port 1883.
1487240737: Opening ipv6 listen socket on port 1883.
1487240737: Connecting bridge bridge-to-watsoniot (myorg.messaging.internetofthings.ibmcloud.com:8883)
1487240738: New connection from 127.0.0.1 on port 1883.
1487240738: New client connected from 127.0.0.1 as mqttjs_93a3961c (c1, k10, u'foo').
1487240738: New connection from 127.0.0.1 on port 1883.
1487240738: New client connected from 127.0.0.1 as mqttjs_618c88ab (c1, k10).
1487240739: Socket error on client local.g:myorg:Raspberry:my_mqtt_gateway, disconnecting.
1487240747: New connection from 192.168.82.130 on port 1883.

Solution

  • The bridge_certfile directive is for a client-side certificate for the local broker to use to authenticate itself with the remote broker. You should not need this to connect to Watson IoT.

    You should be using bridge_cafile or bridge_capath to point to the CA certificate that signed the Watson IoT certificate so the local broker can verify that the remote end is who they say they are.
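Below is the bridge section from the question rewritten along the lines of the answer: the server certificate is no longer passed as a client certificate, and the CA certificate is configured as the trust anchor instead. This is an added example, not the poster's or the answerer's file; the path /etc/mosquitto/certs/watson-ca.pem is assumed.

```conf
# Added example: corrected bridge section (assumed CA file path).
connection bridge-to-watsoniot
address myorg.messaging.internetofthings.ibmcloud.com:8883

# Trust anchor: the CA certificate(s) that signed the remote broker's
# certificate. This is what lets the local broker verify the remote end.
# Do not point this at the server's own certificate extracted from
# "openssl s_client"; that is the leaf, not the signing CA.
bridge_cafile /etc/mosquitto/certs/watson-ca.pem

# Keep certificate/hostname verification on. Setting this to true would
# skip verification and defeat the purpose of using port 8883.
bridge_insecure false

# bridge_certfile / bridge_keyfile would be a client certificate that the
# local broker presents to the remote. The gateway authenticates to
# Watson IoT with the token below instead, so they are deliberately unset.

remote_username use-token-auth
remote_password ***************
remote_clientid g:myorg:Raspberry:my_mqtt_gateway

cleansession false
try_private false
bridge_attempt_unsubscribe false
notifications true
notification_topic iot-2/type/Raspberry/id/my_mqtt_gateway/evt/status/fmt/raw
connection_messages true

topic iot-2/type/+/id/+/cmd/+/fmt/+ in iot-2/type/+/id/+/cmd/+/fmt/+
topic iot-2/type/+/id/+/evt/+/fmt/+ out iot-2/type/+/id/+/evt/+/fmt/+
```

After restarting the broker, a successful TLS connection shows the bridge connecting in the log without the "Socket error on client local.g:..." line seen above.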