Does anyone know how to set the MQTT Broker built into Victron with usernames/passwords? Normally you would create a password file and run it through an encrypter tool. But cannot see how to do this on the Victron MQTT Broker
I was searching for the same thing and found nothing other than this thread.
Just to keep things clear: I'm not responsible, if you break anything.
To set up authentication for MQTT you need to have root SSH access to Venus OS.
nano /opt/victronenergy/service-templates/dbus-mqtt/run
and change
exec softlimit -d 100000000 -s 1000000 -a 100000000 /opt/victronenergy/dbus-mqtt/dbus_mqtt.py --init-broker
to
exec softlimit -d 100000000 -s 1000000 -a 100000000 /opt/victronenergy/dbus-mqtt/dbus_mqtt.py --init-broker --mqtt-user YOURUSERNAME --mqtt-password YOURPASSWORD
nano /etc/mosquitto/users
and add the username and password. If you don't need multiple users, only insert the first line.
YOURUSERNAME:YOURPASSWORD
user2:password2
user3:password3
mosquitto_passwd -U /etc/mosquitto/users
nano /etc/mosquitto/mosquitto.conf
and add
allow_anonymous false
password_file /etc/mosquitto/users
under
port 1883
For better security I also recommend disabling "MQTT on LAN (Plaintext)" in the Venus OS GUI -> Settings -> Services.
If something doesn't work anymore after these modifications you can change
allow_anonymous true
to allow access without username and password again. After that you have to restart the mosquitto service:
svc -t /service/mosquitto
These changes are not persistent after an update. I'm writing a script to simplify the setup and make the change persistent after an update. I will post the link here once finished.
EDIT: I will not write a script, since Venus OS will use FlashMQ in a future release that includes password protection.
I was looking for this too, thanks for your guide. Does anyone know whether it is possible to modify/write or change any settings on Victron over MQTT? I am a little bit scared that if I enable MQTT, anyone on the LAN would be able to publish topics to Victron and modify it.
Do I understand correctly, that when the MQTT on Victron is not password-protected, anyone can modify it?
With the password set I see in the logs a connection attempt from local that fails.
New connection from ::1 on port 1883. 2023-07-08 14:44:51.698032500 1688827491: New client connected from ::1 as VenusRPC_48xxxxxxxx17_cf089xxxxxxxx45d (p2, c1, k60, u'ccgxapikey_48xxxxxxxx17')
The connection attempt starts when you click on a VRM installation in the VictronConnect app. Is there a possibility to store the credentials here?
... found a solution that worked for me.
https://de.wikibooks.org/wiki/MQTT-Broker_einrichten/_Multiple_Listener
It makes sense to allow anonymous connections on port 1883 but not on port 8883.
In the Cerbo GX settings, MQTT on LAN (Plaintext) is switched OFF, so only local processes are still able to connect to port 1883.
MQTT on LAN (SSL) switched ON
The configuration of mosquitto looks like:
/etc/mosquitto/mosquitto.conf
include_dir /etc/mosquitto/conf.d
include_dir /run/mosquitto
/etc/mosquitto/conf.d/global.conf
per_listener_settings true
user mosquitto
/etc/mosquitto/conf.d/plain.conf
listener 1883
allow_anonymous true
/etc/mosquitto/conf.d/websockets.conf
listener 9001
protocol websockets
/etc/mosquitto/conf.d/wit-ssl.conf
listener 8883
password_file /etc/mosquitto/users
capath /etc/ssl/certs
certfile /data/keys/mosquitto.crt
keyfile /data/keys/mosquitto.key
On listener 8883, allow_anonymous is false by default.
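As an added example that is not part of any post above, a small Python checker that reads a mosquitto.conf (with the conf.d files concatenated) and reports, per listener, whether clients need credentials; it covers both the single-listener config from the first answer and the multi-listener layout in this one. Assumptions: Mosquitto 2.x semantics, where allow_anonymous defaults to false (1.x defaulted to true), and include_dir loading conf.d files in alphabetical order.

```python
# Constructed input: global.conf, plain.conf, websockets.conf and wit-ssl.conf from
# the post, concatenated in the alphabetical order include_dir reads them.
SAMPLE_CONF = """\
per_listener_settings true
user mosquitto
listener 1883
allow_anonymous true
listener 9001
protocol websockets
listener 8883
password_file /etc/mosquitto/users
capath /etc/ssl/certs
certfile /data/keys/mosquitto.crt
keyfile /data/keys/mosquitto.key
"""


def parse_listeners(conf_text, default_anonymous=False):
    """Map each listener port to its effective auth settings. With per_listener_settings
    true, security directives after a 'listener' line belong to that listener only;
    without it they are global. default_anonymous=False assumes Mosquitto 2.x."""
    per_listener, current, listeners = False, None, {}
    shared = {"allow_anonymous": default_anonymous, "password_file": None}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "per_listener_settings":
            per_listener = value == "true"
        elif key in ("listener", "port"):  # a new listener starts from the defaults
            current = listeners.setdefault(int(value.split()[0]), dict(
                allow_anonymous=default_anonymous, password_file=None))
        elif key in ("allow_anonymous", "password_file"):
            parsed = (value == "true") if key == "allow_anonymous" else value
            if per_listener and current is not None:
                current[key] = parsed
            else:
                shared[key] = parsed
    if not per_listener:  # global security options apply to every listener
        for settings in listeners.values():
            settings.update(shared)
    return listeners


def audit(listeners):
    """anonymous: no credentials needed; password: password_file enforced;
    no-auth-configured: anonymous off but no password file, so nobody can log in."""
    return {port: "anonymous" if s["allow_anonymous"]
            else "password" if s["password_file"] else "no-auth-configured"
            for port, s in sorted(listeners.items())}
```

A listener reported as no-auth-configured is the "nothing connects anymore" case the first answer describes, and running the same config with default_anonymous=True shows how much the layout relies on the broker version's default instead of an explicit allow_anonymous false under listener 8883.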
Hello guys, has anyone tried to make this work on current Venus OS (3.30 or higher)? Venus OS already switched to FlashMQ, so I assume the configuration of authentication changed.
Any report welcome - I still want to read my Victron values securely in local network, I don't want to expose any anonymous MQTT...
UPDATE: (Hello Oleg Gurevich :-), I've found the GitHub thread (https://github.com/victronenergy/venus/issues/1098) where you asked the same, so it seems native password protection is coming. That would finally resolve our issue. It seems there are very few people who are concerned about security in this area.