I have little idea what you are saying, but to answer: - mosquitto, weewx mqtt publish, belchertown websockets work unencrypted using 1883 and 9001 - so I'm trying to take the next step and get the MQTT working on 8883
Re: setup - this is a LAN-only setup with weewx and mosquitto on the same computer, and browsers on different computers on the LAN. For the CN I'm using the IP address of the weewx+mosquitto computer for now, and that is in weewx.conf in all the appropriate places.

Leaving tweaking weewx.conf for later, I can't get mosquitto to use self-signed certs successfully. If you have complete+repeatable steps for generating my own certs/keys, copying them into place, setting permissions, and updating the mosquitto .conf files, I'm all ears. I sure can't find those steps anywhere online. Google keeps pointing me back to all kinds of ancient/invalid stuff like a horrible "steves-internet-guide" thing that doesn't work and various Stack Overflow questions+answers that also don't work (https://stackoverflow.com/questions/70110392/mqtt-tls-certificate-verify-failed-self-signed-certificate) or are incomplete.

FWIW - I just found https://forums.raspberrypi.com/viewtopic.php?t=287326 which I'll have to try step by step. I already have their Steps 1+2 working, so I'd need to try their Step 3 next. Fodder for tomorrow.

On Saturday, February 14, 2026 at 11:11:41 AM UTC-8 Greg Troxel wrote:
> Vince Skahan <[email protected]> writes:
>
> > I have not been able to get self-signed certs for a LAN only setup to work.
> > While I can create the CA and broker files and they pass muster with
> > openssl (can verify the broker cert is signed by the local CA),
> > unfortunately Belchertown doesn’t connect and logs show either SSL version,
> > protocol, or TLS version issues. More unfortunately Belchertown provides
> > zero logging saying ‘why’ it failed to connect. All I see is an immediate
> > close by the client reported in the mosquitto logs, sometimes. I usually
> > don’t even see the connect attempt.
>
> Not sure exactly what your setup is, but what are you using for a name
> with your self-signed CA? Is it a real FQDN, that when it is resolved
> via DNS, requesters get the (LAN) IP address (DNS RPZ?)? Or is it
> "broker.local"?
>
> When connecting via TLS, the normal path is to do PKIX validation. This
> has two parts. One is checking that the name used to start the TLS
> connection matches the cert, where (more or less) match means it's one
> of the subject alternative names. The second is that the certificate
> presented together with the set of configured trust anchors needs to
> pass validation.
>
> So assuming you are running mosquitto, the first thing would be to see
> if mosquitto_sub and mosquitto_pub work from the host you are trying to
> use for weewx, and from the browser host.
>
> You didn't say what browser, and you didn't say how you configured the
> browser to add the local CA as a trust anchor. Usually, browsers have
> their own trust anchor config instead of using the system config. Also
> some browsers are getting extra strict trying to protect users from
> themselves. They may be fussier about websockets than https.
>
> You could also use a global domain name, get a LE cert, and then use DNS
> response policy zone to get the right addr to the client.
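The repeatable steps asked for above (generate a local CA and a broker cert, verify it the way a PKIX client does, write the mosquitto listener config, copy into place with sane permissions), as an added example that is not from this thread nor from the mosquitto, weewx or Belchertown projects. It assumes a LAN IP of 192.168.1.10, an optional local name weewx.lan, the Debian-style cert directory /etc/mosquitto/certs, the service user `mosquitto`, and port 9443 for TLS websockets; change those to match your setup. The key point it encodes is the one made in the reply: when you connect by IP address, that address has to appear in the certificate's subjectAltName as an `IP:` entry, and the verify step below checks exactly that before you ever touch mosquitto.

```shell
#!/bin/sh
# Added example for the weewx-user thread above; not code from the thread,
# mosquitto, weewx or Belchertown. Generates a local CA plus a broker cert
# whose SAN carries the LAN IP (and a DNS name), verifies it the way a PKIX
# client does, and writes a matching mosquitto TLS listener fragment.
# Assumed values (change to taste): the IP, the name, the cert dir, the ports.
set -eu

BROKER_IP="${BROKER_IP:-192.168.1.10}"        # assumption: LAN IP of the weewx+mosquitto host
BROKER_NAME="${BROKER_NAME:-weewx.lan}"       # assumption: optional local DNS name
CERT_DIR="${CERT_DIR:-/etc/mosquitto/certs}"  # assumption: where the broker reads its certs

# Local CA: self-signed, 10 years. 'req -x509' marks it CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=weewx local CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# Broker cert: CSR, then sign with the CA. The SAN is what clients match on;
# an IP must be listed as IP:, not DNS:, or connecting by address fails.
make_broker_cert() {
  dir="$1" ip="$2" name="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$ip" -keyout "$dir/broker.key" -out "$dir/broker.csr"
  cat > "$dir/broker.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$ip,DNS:$name
EOF
  openssl x509 -req -sha256 -days 825 -in "$dir/broker.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/broker.ext" -out "$dir/broker.crt"
}

# The two PKIX checks from the reply: chain to the trust anchor, and the
# name (or IP) used to connect must match a SAN entry. Non-zero on failure.
verify_broker_cert() {
  dir="$1" ip="$2" name="$3"
  openssl verify -CAfile "$dir/ca.crt" -purpose sslserver -verify_ip "$ip" "$dir/broker.crt" >/dev/null &&
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver -verify_hostname "$name" "$dir/broker.crt" >/dev/null
}

# Print the SAN line of a cert with spaces stripped, e.g. IPAddress:192.168.1.10,DNS:weewx.lan
san_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# mosquitto listener fragment (drop into /etc/mosquitto/conf.d/ on Debian-style installs).
# Port 9443 for TLS websockets is an assumption; 9001 stays plain in the thread's setup.
write_mosquitto_conf() {
  cat > "$1" <<EOF
# MQTT over TLS for weewx's MQTT uploader and mosquitto_sub/_pub
listener 8883
cafile $2/ca.crt
certfile $2/broker.crt
keyfile $2/broker.key

# MQTT over TLS websockets for Belchertown in the browser (wss://)
listener 9443
protocol websockets
cafile $2/ca.crt
certfile $2/broker.crt
keyfile $2/broker.key
EOF
}

# Copy into place and set permissions. Run as root on the broker host; assumes
# the service runs as user 'mosquitto' (Debian default). Not run by this script.
install_certs() {
  mkdir -p "$2"
  cp "$1/ca.crt" "$1/broker.crt" "$1/broker.key" "$2/"
  chmod 644 "$2/ca.crt" "$2/broker.crt"
  chown root:mosquitto "$2/broker.key" && chmod 640 "$2/broker.key"
}

# Stand-alone run: build everything in a scratch dir and check it before installing.
WORK="$(mktemp -d)"
make_ca "$WORK"
make_broker_cert "$WORK" "$BROKER_IP" "$BROKER_NAME"
verify_broker_cert "$WORK" "$BROKER_IP" "$BROKER_NAME"
echo "SAN: $(san_of "$WORK/broker.crt")  chain+name check: OK"
write_mosquitto_conf "$WORK/tls.conf" "$CERT_DIR"
echo "generated in $WORK; next: install_certs $WORK $CERT_DIR (as root), then restart mosquitto"
```

After `install_certs` and a broker restart, do the check the reply recommends before involving the browser: from the weewx host, `mosquitto_sub -h 192.168.1.10 -p 8883 --cafile /path/to/ca.crt -t '#' -v` (the `-h` value must be the same IP or name that is in the SAN). If that works, the remaining variable is the browser: it needs ca.crt imported into its own trust store, and Belchertown pointed at the wss port, not 9001.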
