02.08 - TLS Certificates (Let's Encrypt + Cloudflare)
Since I want to use MQTT on my mesh, I needed a way to expose MQTT to the outside world securely, so this is what I came up with. I'm sure there is a more secure way to do this, but for now it's working. I also needed to move the certs from where Certbot writes them to where Mosquitto can read them, so I wrote a deploy hook script that copies the certs automagically for me.
Install Certbot
apt install certbot python3-certbot-dns-cloudflare
Cloudflare Credentials
/root/.secrets/cloudflare.ini
dns_cloudflare_api_token=TOKEN_HERE
chmod 600 /root/.secrets/cloudflare.ini
Obtain Certificate
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d mqtt.example.net
Cert Copy Hook
/etc/letsencrypt/renewal-hooks/deploy/mosquitto-copy.sh
#!/bin/bash
# Deploy hook: certbot runs this only after a successful renewal.
set -euo pipefail
# cp follows the symlinks in live/, so the real files land in the mosquitto dir.
cp /etc/letsencrypt/live/mqtt.example.net/fullchain.pem /etc/mosquitto/certs/server.crt
cp /etc/letsencrypt/live/mqtt.example.net/privkey.pem /etc/mosquitto/certs/server.key
# Mosquitto runs as its own user, so it must own the files; only it may read the key.
chown mosquitto:mosquitto /etc/mosquitto/certs/*
chmod 640 /etc/mosquitto/certs/server.key
systemctl restart mosquitto
chmod +x /etc/letsencrypt/renewal-hooks/deploy/mosquitto-copy.sh
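The hook above restarts the broker as soon as the files are copied. If the copy is ever incomplete or the wrong lineage is renewed, the broker comes back up with a broken TLS listener. The following is an added example, not part of the original page or the hook: a few checks a practitioner would run from the hook before the restart. It assumes the openssl CLI is installed; the paths and the hostname in the comments are placeholders, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original page): sanity checks to run in the deploy
# hook before restarting Mosquitto, so a bad copy never takes the broker down.
# Assumes the openssl CLI is present; all file paths are placeholders.

# Return 0 if the public key inside the certificate equals the key file's public key.
cert_matches_key() {
  local cert="$1" key="$2"
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least $2 seconds from now.
# (openssl -checkend exits 0 when the cert will NOT expire within that window.)
cert_valid_for() {
  local cert="$1" seconds="$2"
  openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN (or CN fallback) covers the broker hostname.
cert_covers_host() {
  local cert="$1" host="$2"
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match"
}

# Run all checks on the leaf cert (openssl x509 reads only the first cert in
# fullchain.pem, which is the leaf). Non-zero return means "do not restart".
# Hook usage (placeholder paths):
#   verify_before_restart /etc/letsencrypt/live/mqtt.example.net/fullchain.pem \
#       /etc/letsencrypt/live/mqtt.example.net/privkey.pem mqtt.example.net || exit 1
verify_before_restart() {
  local cert="$1" key="$2" host="$3"
  cert_matches_key "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
  cert_valid_for "$cert" $((7 * 24 * 3600)) || { echo "cert expires within 7 days" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "cert does not cover $host" >&2; return 1; }
}

# When run directly as a script with three arguments, behave as a check command.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -eq 3 ]; then
  verify_before_restart "$@"
fi
```

Dropping these functions into the hook and calling verify_before_restart before the cp lines means a renewal that produced a mismatched or wrong-host certificate fails the hook loudly (certbot reports hook failures) instead of silently replacing a working listener.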
Test MQTT
mosquitto_pub -h mqtt.example.net -p 8883 \
  --capath /etc/ssl/certs \
  -u skynet2mqtt -P password \
  -t test -m hello
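For the test above to succeed, the broker needs a TLS listener on 8883 that points at the files the hook copies in. The page does not show that part of mosquitto.conf, so the fragment below is an added example rather than the author's configuration; the drop-in path and the password_file location are assumptions.

```conf
# Added example (not from the original page): /etc/mosquitto/conf.d/tls.conf
# TLS listener on 8883 using the files the deploy hook copies into /etc/mosquitto/certs.
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# Refuse anything older than TLS 1.2 on an Internet-facing listener.
tls_version tlsv1.2
# Require a username/password; never accept anonymous clients from the outside.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

Because the hook sets the key to mode 640 owned by mosquitto, the broker user can read it while other local users cannot; a failed mosquitto_pub with a TLS error after a renewal usually means the hook did not run or the listener paths do not match the copy destinations.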