Brief follow-up - found a fellow on YouTube who appears to have the secret 
decoder ring for setting up secure mosquitto with self-signed certs.

   - Video at https://www.youtube.com/watch?v=-bKEWqcyEBY
   - Transcript at 
   https://shawnhymel.com/3085/how-to-use-the-mosquitto-mqtt-broker-with-ssl-tls/
   
Ignore the beyond ridiculous cringeworthy influencer picture of the dude 
(yeccccch).

The video is long but actually pretty good. It explains things, as well 
as how to test in docker, which wasn't bad either. A cut/paste of the steps 
from the transcript 'did' work for me on a Debian 13 vagrant VM. Cool.

In hindsight, I can see that I'll need to get the locally-generated ca.crt 
trusted by the browser(s) on whatever box(es) might want to view the 
weewx+belchertown output, but I can test end-to-end on one Linux laptop 
I have here.

On Saturday, February 14, 2026 at 1:05:25 PM UTC-8 Vince Skahan wrote:

> I have little idea what you are saying, but to answer:
>
>    - mosquitto, weewx mqtt publish, belchertown websockets work 
>    unencrypted using 1883 and 9001
>    - so I'm trying to take the next step and get the MQTT working on 8883
>
> Re: setup
>
>    - this is a LAN-only setup with weewx and mosquitto on the same 
>    computer, and browsers on different computers on the LAN
>    - for the CN - I'm using the ip address of the weewx+mosquitto 
>    computer for now, and that is in weewx.conf in all the appropriate places
>
> Leaving tweaking weewx.conf for later, I can't get mosquitto to use 
> self-signed certs successfully.
>
> If you have complete+repeatable steps for generating my own certs/keys, 
> copying into place, setting permissions, and updating the mosquitto .conf 
> files, I'm all ears. I sure can't find those steps anywhere online.
>
> Google keeps pointing me back to all kinds of ancient/invalid stuff like a 
> horrible "steves-internet-guide" thing that doesn't work and various Stack 
> Overflow questions+answers that also don't work 
> (https://stackoverflow.com/questions/70110392/mqtt-tls-certificate-verify-failed-self-signed-certificate) 
> or are incomplete.
>
> FWIW - I just found https://forums.raspberrypi.com/viewtopic.php?t=287326 
> which I'll have to try step by step. I'll already have their Steps 1+2 
> working, so I'd need to try their Step 3 next. Fodder for tomorrow.
>
>
> On Saturday, February 14, 2026 at 11:11:41 AM UTC-8 Greg Troxel wrote:
>
>> Vince Skahan <[email protected]> writes: 
>>
>> > I have not been able to get self-signed certs for a LAN only setup to 
>> > work. While I can create the CA and broker files and they pass muster 
>> > with openssl (can verify the broker cert is signed by the local CA), 
>> > unfortunately Belchertown doesn’t connect and logs show either SSL 
>> > version, protocol, or tls version issues. More unfortunately Belchertown 
>> > provides zero logging saying ‘why’ it failed to connect. All I see is an 
>> > immediate close by the client reported in the mosquitto logs, sometimes. 
>> > I usually don’t even see the connect attempt. 
>>
>> Not sure exactly what your setup is, but what are you using for a name 
>> with your self-signed CA? Is it a real FQDN, that when it is resolved 
>> via DNS, requesters get the (LAN) IP address (dns RPZ?)? Or is it 
>> "broker.local"? 
>>
>> When connecting via TLS, the normal path is to do PKIX validation. This 
>> has two parts. One is checking that the name used to start the TLS 
>> connection matches the cert, where (more or less) match means it's one 
>> of the subject alternative names. The second is that the certificate 
>> presented together with the set of configured trust anchors needs to 
>> pass validation. 
>>
>> So assuming you are running mosquitto, the first thing would be to see 
>> if mosquitto_sub and mosquitto_pub work from the host you are trying to 
>> use for weewx, and from the browser host. 
>>
>> You didn't say what browser, and you didn't say how you configured the 
>> browser to add the local CA as a trust anchor. Usually, browsers have 
>> their own trust anchor config instead of using the system config. Also 
>> some browsers are getting extra strict trying to protect users from 
>> themselves. They may be fussier about websockets than https. 
>>
>>
>> You could also use a global domain name, get a LE cert, and then use dns 
>> response policy zone to get the right addr to the client. 
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"weewx-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/weewx-user/7ea584c4-4296-45a8-a422-5c67808bcacen%40googlegroups.com.
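The following script is an added example, not code from this thread, from the linked video, or from the mosquitto project. It does the "complete+repeatable steps" the thread asks for (local CA, broker key and cert, permissions, listener config) and then checks the two halves of PKIX validation described in the quoted reply: that the broker cert chains to the trust anchor, and that the name the client connects with appears in the cert's subject alternative names. The hostname `broker.lan`, the IP `192.168.1.50`, the output directory and the websockets port 9443 are assumed placeholders; `cafile`, `certfile`, `keyfile`, `listener` and `protocol websockets` are real mosquitto options.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the mosquitto project). Generates a
# local CA plus a broker certificate with a SAN for the broker's LAN name and
# IP, then checks chain validation and SAN matching the way a TLS client does.
# broker.lan / 192.168.1.50 / paths are assumed placeholders.
set -eu

# Create ca.key/ca.crt (the trust anchor) and server.key/server.crt in $1,
# for broker DNS name $2 and LAN IP $3.
make_broker_certs() {
    local dir="$1" host="$2" ip="$3"
    mkdir -p "$dir"

    # Self-contained req config so the result does not depend on whatever
    # the system openssl.cnf contains. The CA gets an explicit CA:TRUE.
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Local MQTT CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Local CA. ca.crt is what every client must trust: mosquitto_sub via
    #    --cafile, and each browser via its own certificate store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Broker key and CSR. The CN is informational; clients match the SAN.
    openssl req -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign with the CA, adding SANs for both the hostname and the IP so a
    #    client connecting by either name passes the name check.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" "$ip" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null

    # 4. Private keys stay private; certs are public. On the real broker,
    #    also chown server.key to the user mosquitto runs as.
    chmod 600 "$dir/ca.key" "$dir/server.key"
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
}

# PKIX part one: does server.crt chain to the configured trust anchor?
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# PKIX part two: is $2 (hostname or IP) one of the cert's subject alternative
# names? Prints yes or no. Parses -text output so it works on older openssl.
san_matches() {
    local dir="$1" name="$2" sans
    sans=$(openssl x509 -in "$dir/server.crt" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n 1 || true)
    case ", $sans," in
        *" DNS:$name,"*|*" IP Address:$name,"*) echo yes ;;
        *) echo no ;;
    esac
}

# Listener config for the files above. Port 9443 for websockets is assumed.
write_mosquitto_conf() {
    local dir="$1" out="$2"
    cat > "$out" <<EOF
# MQTT over TLS
listener 8883
cafile $dir/ca.crt
certfile $dir/server.crt
keyfile $dir/server.key

# Websockets over TLS for the browser dashboard (port is an assumption)
listener 9443
protocol websockets
cafile $dir/ca.crt
certfile $dir/server.crt
keyfile $dir/server.key
EOF
}

# Usage (assumed paths):
#   make_broker_certs /etc/mosquitto/certs broker.lan 192.168.1.50
#   write_mosquitto_conf /etc/mosquitto/certs /etc/mosquitto/conf.d/tls.conf
#   chain_ok /etc/mosquitto/certs && san_matches /etc/mosquitto/certs broker.lan
```

After restarting the broker, the first test is the one the quoted reply suggests, from the weewx host and from the browser host: `mosquitto_sub --cafile /etc/mosquitto/certs/ca.crt -h broker.lan -p 8883 -t 'weather/#' -v`. Note that `openssl verify` passing only proves the chain half; if a client connects using an address that is not in the SAN (for example the bare IP when only the DNS name was included), the name half fails and the broker log shows just an immediate close, which matches the symptom described in the thread.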