CodeForWar

Path to being a Software Craftsman

Mosquitto Broker Setup on Arch

July 22, 2025 | Categories: embedded devops

Setting up Mosquitto Broker on Arch Linux

When setting up an IoT environment, you'll want to consider using MQTT as the transport protocol for messaging.

Here are the basic instructions for setting up Mosquitto as a broker service on an Arch Linux install on Linode.

Mosquitto Installation

sudo pacman -S mosquitto

Setting up Authentication

Basic Authentication

Let's generate a password file containing a username. The command prompts for a password and stores it as a salted hash:

sudo mosquitto_passwd -c /etc/mosquitto/passwd <username>

Certificate Based Authentication (SSL/TLS)

# CA: self-signed certificate and private key
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout ca.key -out ca.crt
# Server: private key and CSR, then the certificate signed by the CA
openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
# Client: private key and CSR, then the certificate signed by the CA
openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

The certificates should be placed in the following directories:

/etc/mosquitto/ca_certificates/
/etc/mosquitto/certs/

CA certificate files ca.crt, ca.key, ca.csr should be placed under ca_certificates/

Server and client certificate files server.crt, server.key, server.csr, client.crt, client.key, client.csr can be placed under certs/.

The following 3 files need to be copied over to the client:
- ca.crt
- client.crt
- client.key
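The same certificate steps run non-interactively, as an added example that is not from the original post: subjects are passed with -subj so the CA, server and client get distinct names, the server certificate gets a subjectAltName, and the chain is checked with openssl verify. The function names are hypothetical, and the CA name, broker hostname and client name used with them are assumed placeholder values.

```shell
# Added example (not from the original post). Hypothetical names:
# make_pki, cert_cn, chain_ok; the CA subject is a constructed placeholder.

# make_pki DIR BROKER_HOST CLIENT_NAME: create ca.*, server.*, client.* in DIR.
make_pki() {
    dir=$1 host=$2 client=$3
    mkdir -p "$dir" || return 1
    # CA: self-signed; its subject is kept distinct from server and client.
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -subj "/CN=Example MQTT CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server: CN and subjectAltName hold the hostname clients connect to.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" -days 365 2>/dev/null || return 1
    # Client: with use_identity_as_username true, this CN is the MQTT username.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" -days 365 2>/dev/null || return 1
    chmod 600 "$dir"/*.key   # private keys readable by the owning user only
}

# cert_cn FILE: print the subject CN of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# chain_ok DIR: succeed only if both leaf certificates verify against ca.crt.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" \
        >/dev/null 2>&1
}
```

For example, `make_pki ./pki broker.example.internal sensor01` followed by `chain_ok ./pki` confirms the chain before the files are copied into /etc/mosquitto/.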

Mosquitto Configurations

A few basic configuration options need to be set for Mosquitto with Auth.

The conf is located at /etc/mosquitto/mosquitto.conf.

allow_anonymous false
password_file /etc/mosquitto/passwd

For Cert based Auth:

allow_anonymous false
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
use_identity_as_username true
cafile /etc/mosquitto/ca_certificates/ca.crt

You'll also want to set the Listening Port in the config file:

/etc/mosquitto/mosquitto.conf

# Basic Auth
listener 1883

# SSL/TLS - Cert based auth
listener 8883

Systemd Commands:

sudo systemctl restart mosquitto
sudo systemctl stop mosquitto
sudo systemctl start mosquitto
sudo journalctl -xeu mosquitto

Testing with Mosquitto Client

Basic Auth scenario

# Msg Subscribe
mosquitto_sub -h <broker_ip> -t <topic> -u <username> -P <password>

# Msg Publish
mosquitto_pub -h <broker_ip> -t <topic> -u <username> -P <password> -m <message>


