MQTTS is shorthand for MQTT over TLS (historically SSL): the same MQTT protocol, carried inside an encrypted connection.
Once more, be sure Nginx is configured with your real domain and that you have obtained the Let’s Encrypt certificate, as described in the first step.
To use TLS we have to tell Mosquitto where the Let’s Encrypt certificates are stored, so we edit the Mosquitto configuration once more:
sudo vi /etc/mosquitto/conf.d/default.conf
Add the following content just below your previous configuration and leave a trailing newline at the end of the file (Mosquitto can ignore a last line that has no newline). Be sure to use your own domain here; in this example we use iotaap.cloud:
listener 1883 localhost
Port 1883 is the standard, unencrypted MQTT port. Because that listener is bound to localhost it is reachable only from the server itself, not from the internet. Port 8883 is the TLS listener that will be exposed to the internet; it is the one whose cafile, certfile and keyfile point at the Let’s Encrypt files.
Restart Mosquitto so it picks up the new listener:
sudo systemctl restart mosquitto
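As an added example, not part of the original tutorial, here is the complete two-listener configuration together with a small deploy-hook script that copies the certificate files where Mosquitto can read them. It assumes certbot's default layout (/etc/letsencrypt/live/iotaap.cloud/), a destination directory /etc/mosquitto/certs and that the broker runs as the mosquitto user; the script name mosquitto-tls.sh is hypothetical. The copy step matters because certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, while Mosquitto 2.x loads the certificate files after dropping root privileges.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes certbot's default
# layout (/etc/letsencrypt/live/<domain>/), that Mosquitto runs as the
# "mosquitto" user, and that the certificates are copied to /etc/mosquitto/certs.
set -eu

# Print the two-listener configuration. Only the 8883 listener carries TLS;
# 1883 stays bound to loopback so it is unreachable from the internet.
render_mosquitto_tls_conf() {
  domain=$1
  certdir=${2:-/etc/mosquitto/certs}
  cat <<EOF
# plaintext MQTT, reachable only from this host
listener 1883 localhost

# MQTT over TLS for $domain, exposed to the internet
listener 8883
cafile $certdir/chain.pem
# fullchain.pem (leaf + intermediate) so every client receives the intermediate
certfile $certdir/fullchain.pem
keyfile $certdir/privkey.pem
EOF
}

# certbot deploy-hook body: copy the current files out of /etc/letsencrypt
# (cp follows certbot's live/ -> archive/ symlinks) and make them readable by
# the broker's group only. certbot exports RENEWED_LINEAGE = the live directory.
install_certs_for_mosquitto() {
  live=$1; dest=$2; group=${3:-mosquitto}
  mkdir -p "$dest"
  for f in chain.pem fullchain.pem privkey.pem; do
    cp "$live/$f" "$dest/$f"
  done
  # 0640: owner (root) and the mosquitto group can read, nobody else
  chmod 0640 "$dest"/chain.pem "$dest"/fullchain.pem "$dest"/privkey.pem
  chgrp "$group" "$dest"/chain.pem "$dest"/fullchain.pem "$dest"/privkey.pem \
    || echo "warning: group $group not found, fix ownership of $dest by hand" >&2
}

case "${1:-}" in
  conf)   render_mosquitto_tls_conf "$2" ;;
  deploy) install_certs_for_mosquitto "${RENEWED_LINEAGE:-/etc/letsencrypt/live/$2}" /etc/mosquitto/certs
          systemctl restart mosquitto ;;
esac
```

Run `sh mosquitto-tls.sh conf iotaap.cloud` to print the listener section; it replaces the single `listener 1883 localhost` line rather than being appended next to it, because two listeners on the same port fail at startup. Then `sudo sh mosquitto-tls.sh deploy iotaap.cloud` once by hand, and register the same command as `certbot renew --deploy-hook "/usr/local/sbin/mosquitto-tls.sh deploy iotaap.cloud"` so renewed certificates are copied and the broker restarted automatically.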
Now allow incoming connections to port 8883. If your provider (AWS, DigitalOcean or similar) also has a network-level firewall or security group in front of the server, open TCP 8883 there too. The command below opens the port in Ubuntu’s ufw:
sudo ufw allow 8883
Now we can test the configuration with the mosquitto_sub and mosquitto_pub clients, adding the TLS options. In a first terminal, subscribe to the topic (use your domain here):
mosquitto_sub -h iotaap.cloud -t topic/test -u "worker1" -P "password" -p 8883 --capath /etc/ssl/certs/
This will subscribe you to the “topic/test”, next we will publish some data to the topic:
mosquitto_pub -h iotaap.cloud -t topic/test -m "Hi encrypted user :)" -p 8883 --capath /etc/ssl/certs/ -u "worker1" -P "password"
Switch back to the first terminal and you should see the message “Hi encrypted user :)”. Congratulations, you now have your own TLS-secured MQTT broker!
--capath /etc/ssl/certs/ switches the client to TLS and tells mosquitto_pub and mosquitto_sub where the operating system’s CA (root) certificates live, so they can verify the Let’s Encrypt chain the broker presents. Root certificates are installed by the operating system and the path differs between systems: /etc/ssl/certs/ is correct on Debian and Ubuntu, where --cafile /etc/ssl/certs/ca-certificates.crt works as well. The client also checks that the hostname given with -h matches the certificate, so connect with the domain name rather than the server’s IP address, and do not paper over a mismatch with --insecure, which disables that check.
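The manual two-terminal test above tells you only that a message arrived. As an added example, not part of the original tutorial, the script below first checks with openssl s_client that the certificate chain and the hostname verify against the system CA store, then runs the subscribe/publish round trip unattended with a timeout. It assumes the same domain, user and password as the tutorial; the script name mqtts-check.sh is hypothetical, and `-verify_hostname` needs OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes a broker on 8883
# with a certificate issued for the host name you pass in, and the system CA
# store under /etc/ssl/certs (Debian/Ubuntu layout).
set -eu

CAPATH=${CAPATH:-/etc/ssl/certs}

# Read `openssl s_client` output on stdin and succeed only if OpenSSL verified
# both the chain and the host name. Codes you will actually meet on a
# misconfigured broker:
#   21 (unable to verify the first certificate): certfile points at cert.pem
#      without the intermediate; use fullchain.pem
#   62 (hostname mismatch): you connected by IP, or the certificate was issued
#      for a different name
s_client_verify_ok() {
  grep -q '^Verify return code: 0 (ok)'
}

# Talk TLS to the broker the way the mosquitto clients do: SNI set to the host
# name, chain checked against CAPATH, host name checked against the SANs.
check_broker_tls() {
  host=$1; port=${2:-8883}
  openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_hostname "$host" -CApath "$CAPATH" </dev/null 2>/dev/null \
    | s_client_verify_ok
}

# Subscribe in the background, publish a unique payload, and compare.
mqtt_roundtrip() {
  host=$1; user=$2; pass=$3; topic=${4:-topic/test}
  msg="roundtrip $$ $(date +%s)"
  out=$(mktemp)
  # -C 1: exit after one message; -W 10: give up after 10 s so a broken
  # listener makes the check fail instead of hanging it
  mosquitto_sub -h "$host" -p 8883 --capath "$CAPATH" -u "$user" -P "$pass" \
      -t "$topic" -C 1 -W 10 > "$out" &
  subpid=$!
  sleep 1   # let the subscription land before publishing
  mosquitto_pub -h "$host" -p 8883 --capath "$CAPATH" -u "$user" -P "$pass" \
      -t "$topic" -m "$msg"
  wait "$subpid" || true
  got=$(cat "$out"); rm -f "$out"
  [ "$got" = "$msg" ]
}

case "${1:-}" in
  tls)  check_broker_tls "$2" || { echo "TLS verification FAILED for $2" >&2; exit 1; }
        echo "TLS OK: chain and host name verified for $2" ;;
  mqtt) mqtt_roundtrip "$2" "$3" "$4" || { echo "MQTT round trip FAILED" >&2; exit 1; }
        echo "MQTT round trip OK over TLS" ;;
esac
```

Run `sh mqtts-check.sh tls iotaap.cloud` first; only when it reports OK is the round trip worth running with `sh mqtts-check.sh mqtt iotaap.cloud worker1 password`. Running the tls check against the server’s IP address instead of the domain should fail with the hostname-mismatch code, which is the behaviour you want from every client that connects to the broker.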