Bridge Mosquitto to HiveMQ Cloud

Guys - hope someone can help point me in the right direction.

I have been a long-term user of Mosquitto on-prem, and want to bridge to HiveMQ Cloud (free).

I have googled and spent several hours playing with mosquitto.conf settings but cannot get HiveMQ messages to bridge down to the on-prem Mosquitto.

Mosquitto shows “Bridge Mosquitto sending CONNECT”… closely followed by “Client local. Mosquitto closed its connection”.

All 56 local MQTT devices work perfectly with Mosquitto and I have three test devices in HiveMQ Cloud working fine. I can browse with MQTT Explorer to both brokers and all is working as expected.

I can only assume it’s something to do with TLS and the lack of a cert on the local Mosquitto that is wrong, but cannot find any means to get a cafile for the connection.

Any ideas?

Many thanks for your time.

Hi @BestGear,

A typical pitfall when trying to bridge mosquitto to HiveMQ is that you have to have the following setting in your mosquitto.conf:

try_private false

HiveMQ does not support mosquitto’s proprietary bridging protocol and therefore you need to make sure that the mosquitto acts as a regular MQTT client.

In regards to the CA file:
You should not need a CA file, as the certificates for HiveMQ cloud are signed by a trusted CA.
It’s of course entirely possible that an older system might not have the CA included that we are using.
In this case you can simply create a CA file for yourself, using openssl s_client:

openssl s_client -connect <YOUR-URL>:8883 -showcerts < /dev/null 2> /dev/null | sed -n '/BEGIN/,/END/p' > server.pem

This will create a file called server.pem, which can be used as the CAfile for mosquitto.

Regards,
Florian from the HiveMQ Team.

Thank you Florian for the quick reply.

I have checked, and already had try_private false set.

Can I view logs somewhere on HiveMQ to see what errors it is seeing?

I have not ventured near certs based on what you said previously.

I have attached the only (recurring) mosquitto error that I am seeing…

Could this mean that the connection is actually ok, but the topic is set wrongly? (currently topic # in 0 in mosquitto.conf).

David

Hi

Still no joy here.

Can I just confirm that the free HiveMQ does support a bridge?

I have installed mosquitto now on RPi… (was on Windows) and still no joy.

I can connect to HiveMQ from the same device using MQTT explorer for example without error using the same credentials.

See attached error.

My gut feel is that either bridge_capath or bridge_cafile is required.

David

Hi

Added a cert using your openssl approach above… still no joy…

DOH!

Hi BestGear,
where did you install your mosquitto? On a Synology? I may need the same…

Hi

Installed Mosquitto on Windows 10 as well as RPi… same error from both platforms.

I have been playing with certs and stuck with a “certificate verify fail” error.

See attached image below.

My only remaining try is to rehash the cert - which I have read may be an issue - which is weird as the cert does verify correctly when using one of the many online cert validators.

Note that I have insecure mode set, which I understood told Mosquitto to ignore an invalid cert (i.e. the host name does not match the cert… and HiveMQ is a wildcard cert from what I see).

I have not been able to even verify if the free HiveMQ product supports bridges!

Next idea… install HiveMQ locally… see if that works.

David

Hello, David.
Are you done with your problem yet?
I’ve just found the solution and wanna share it with you.
Here is my config:

mosquitto.conf

connection hivemq
address broker.hivemq.com:1883
topic # both 1
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false

end

I hope it’ll be useful.
BR, Vladimir

Hello,

I faced the same problem as described in this thread.
I finally managed to get it working with a non-secure connection to Hive. It works for me with the following configuration:

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d
allow_anonymous true

bind_address 0.0.0.0

connection hivemq
address broker.hivemq.com:1883

topic mytopic both 0
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false
bridge_insecure true

Messages published to my local mosquitto broker are also published to the hivemq broker. When I publish to the hivemq broker, the client subscribing to my local broker gets the message. So, it works both ways. Great!

However, my aim is to configure broker supporting ssl/tls.

I tried the following configuration (and some variations) but it does not work (showing only bridge section, everything before is not changed):

connection hivemq
address some_my_id_from_hive.s1.eu.hivemq.cloud:8883
remote_username myusername
remote_password mypassword
topic mytopic both 0
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false
bridge_insecure true

It does not connect at all. In log I have the following:
1636580374: Connecting bridge (step 1) hivemq (some_my_id_from_hive.s1.eu.hivemq.cloud:8883)
1636580374: Connecting bridge (step 2) hivemq (some_my_id_from_hive.s1.eu.hivemq.cloud:8883)
1636580374: Client local.bilbo.hivemq closed its connection.

‘bilbo’ is my local hostname.

It does not even seem to try to open a connection to remote port 8883. Is it not binding to any socket locally?

My mosquitto is behind NAT and has non-routable IP.

Note that I can subscribe with mosquitto_sub without any issues. This works:
mosquitto_sub -h some_my_id_from_hive.s1.eu.hivemq.cloud -p 8883 -u myusername -P mypassword -t 'mytopic'

Does anybody have an idea of what I’m doing wrong?

Thanks in advance!

Rafal

Hi rstankie,

I’ve figured it out thanks to this post: MQTT Broker Bridge to HiveMQ Cloud - #5 by naitsimp - Configuration - Home Assistant Community

I may be misunderstanding but it seems Hivemq has an expired certificate that fails validation. I noticed this connecting with MQTT-Explorer, I had to disable certificate validation for it to work.

The solution:

  1. Download the root certificate used to sign HiveMQ’s certificate here: https://letsencrypt.org/certs/isrgrootx1.pem
  2. In the bridge config, set bridge_cafile to that certificate.

Here is my bridge config that worked; some of it may be unnecessary.

# Bridge connection
connection cloud-01
address <cluster>.s2.eu.hivemq.cloud:8883
bridge_cafile <dir>/isrgrootx1.pem
topic # out 0
topic # in 0
remote_username <username>
remote_password <password>
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false
bridge_insecure true

Hopefully this helps!

My leftover question if anyone feels like helping me improve my understanding:
Is the HiveMQ cert really expired? Connecting with MQTT Explorer with validation on seems to confirm that it is.
Would downloading the expired certificate and putting it in the bridge_cafile solve this as well?
Is a bridge_cafile always required if the remote broker has ssl enabled?
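The configs posted by Rafal (port 8883, credentials, no CA file) and Ross (CA file present, bridge_insecure still on) differ in exactly the settings that decide whether the bridge is encrypted and whether the remote identity is checked. The following linter, an added example that is not code from this thread, from mosquitto or from HiveMQ, parses the bridge section(s) of a mosquitto.conf and reports those pitfalls. The two sample configurations inside it are constructed from the shapes posted above, with placeholder hostnames and credentials; the directive names are real mosquitto bridge options, the finding codes are this script's own. The key rule it encodes: mosquitto only negotiates TLS on a bridge when bridge_cafile, bridge_capath or bridge_psk is set, so port 8883 without one of them is a plaintext attempt that the cloud broker closes (the "closed its connection" lines seen in the thread), and bridge_insecure true keeps the CA check but drops hostname verification, so any certificate from the same CA is accepted.

```python
"""Lint the bridge section(s) of a mosquitto.conf for the pitfalls discussed in
this thread. Added example, not code from the thread, mosquitto or HiveMQ.
The two configurations below are constructed (placeholder hosts/credentials).
"""

# Constructed: Rafal's TLS attempt (port 8883, credentials, no CA file).
RAFAL_TLS_CONF = """\
connection hivemq
address <cluster-id>.s1.eu.hivemq.cloud:8883
remote_username <username>
remote_password <password>
topic mytopic both 0
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false
bridge_insecure true
"""

# Constructed: Ross's working config (CA file present, hostname check still off).
ROSS_CONF = """\
# Bridge connection
connection cloud-01
address <cluster-id>.s2.eu.hivemq.cloud:8883
bridge_cafile /etc/mosquitto/certs/isrgrootx1.pem
topic # out 0
topic # in 0
remote_username <username>
remote_password <password>
bridge_protocol_version mqttv311
try_private false
notifications false
bridge_attempt_unsubscribe false
bridge_insecure true
"""


def parse_bridges(conf_text):
    """Map each 'connection <name>' section to {option: [values...]}.

    Options such as 'topic' may repeat, so every value is kept in a list;
    options before the first 'connection' line are global and are skipped.
    """
    bridges = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "connection":
            current = value
            bridges[current] = {}
        elif current is not None:
            bridges[current].setdefault(key, []).append(value)
    return bridges


def lint_bridge(name, opts):
    """Return (code, message) findings for one bridge section."""
    findings = []

    def last(key, default):
        # mosquitto takes the last occurrence of an option; defaults match mosquitto's.
        return opts.get(key, [default])[-1].lower()

    # TLS is only negotiated on a bridge when a CA file/path (or PSK) is configured;
    # without one mosquitto connects to the port in plain TCP, whatever the port is.
    tls_enabled = any(k in opts for k in ("bridge_cafile", "bridge_capath", "bridge_psk"))
    hosts = " ".join(opts.get("address", [])).split()
    uses_tls_port = any(h.rsplit(":", 1)[-1] == "8883" for h in hosts)

    if last("try_private", "true") != "false":
        findings.append(("TRY_PRIVATE", f"{name}: set 'try_private false'; HiveMQ does not speak mosquitto's private bridge protocol"))
    if uses_tls_port and not tls_enabled:
        findings.append(("NO_CA_FOR_TLS", f"{name}: port 8883 without bridge_cafile/bridge_capath, so the bridge is attempted in plaintext and the broker closes it"))
    if "remote_password" in opts and not tls_enabled:
        findings.append(("CLEARTEXT_CREDENTIALS", f"{name}: remote_password would be sent over an unencrypted connection"))
    if last("bridge_insecure", "false") == "true":
        findings.append(("HOSTNAME_CHECK_OFF", f"{name}: bridge_insecure true skips hostname verification, so any certificate from the trusted CA is accepted; remove it once the chain verifies"))
    return findings


def lint_conf(conf_text):
    """Lint every bridge in a config; returns {bridge name: [(code, message), ...]}."""
    return {name: lint_bridge(name, opts) for name, opts in parse_bridges(conf_text).items()}


if __name__ == "__main__":
    for label, conf in (("Rafal", RAFAL_TLS_CONF), ("Ross", ROSS_CONF)):
        for name, findings in lint_conf(conf).items():
            for code, msg in findings:
                print(f"[{label}] {code}: {msg}")
```

Run against Rafal's shape it reports NO_CA_FOR_TLS, CLEARTEXT_CREDENTIALS and HOSTNAME_CHECK_OFF; against Ross's shape only HOSTNAME_CHECK_OFF remains, which is the one setting still worth removing after the CA file fixed the chain.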

Hi Ross,

Thank you for the information, the workaround suggested by you works!

The HiveMQ Cloud certificate is valid; you can prove it. Get the certificate from HiveMQ Cloud:

openssl s_client -connect 4ad85b7fade04d07911be2ac1da2f5e4.s2.eu.hivemq.cloud:8883 -showcerts < /dev/null 2> /dev/null | sed -n '/BEGIN/,/END/p' > server.pem

Check certificate validity:

$ openssl x509 -in server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:cb:50:60:87:79:78:b1:89:8e:47:c8:d5:1b:18:f2:a1:f9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan 22 09:52:03 2022 GMT
            Not After : Apr 22 09:52:02 2022 GMT

The error message seems to be bound to the library that MQTT Explorer is using; there is an issue for this in the MQTT Explorer repo: Certificate Expired Error · Issue #596 · thomasnordquist/MQTT-Explorer · GitHub

Thanks,
Dasha from HiveMQ Team
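Dasha's openssl check covers the validity window; the other check mosquitto's TLS layer performs before sending CONNECT is the hostname match against the wildcard certificate David mentioned, and that is the check bridge_insecure true switches off. The script below, an added example that is not code from this thread, from mosquitto or from HiveMQ, implements both checks on a certificate in the shape returned by Python's ssl.SSLSocket.getpeercert(). CONSTRUCTED_CERT is built from the issuer and validity dates in Dasha's output; its wildcard subjectAltName and the hostname used in the usage are assumptions. probe() fetches a live certificate through the system CA store with hostname checking left on, which is the trust model a bridge without bridge_insecure gets.

```python
"""Validity-window and hostname checks on a broker certificate, as mosquitto's
TLS layer performs them before the bridge sends CONNECT. Added example, not code
from the thread, mosquitto or HiveMQ. CONSTRUCTED_CERT is constructed from the
openssl output in the thread; the wildcard SAN is an assumption.
"""
import socket
import ssl
import time

# Constructed from Dasha's openssl output (issuer, validity); the SAN is assumed.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.s2.eu.hivemq.cloud"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "*.s2.eu.hivemq.cloud"),),
    "notBefore": "Jan 22 09:52:03 2022 GMT",
    "notAfter": "Apr 22 09:52:02 2022 GMT",
}


def validity_status(cert, now=None):
    """'valid', 'expired' or 'not yet valid' at epoch time `now` (default: current time)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def hostname_matches(cert, hostname):
    """RFC 6125-style match against the DNS SANs; a '*.' wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".s2.eu.hivemq.cloud"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:  # one non-empty label, no deeper subdomains
                return True
        elif name == host:
            return True
    return False


def check_remote(cert, hostname, now=None):
    """Both checks together; bridge_insecure true disables only the hostname one."""
    return {"validity": validity_status(cert, now), "hostname_ok": hostname_matches(cert, hostname)}


def probe(host, port=8883, timeout=5.0):
    """Fetch the live certificate via the system CA store with hostname checking on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Usage: python check_broker_cert.py <your-cluster>.s2.eu.hivemq.cloud
    # (hypothetical file name); with no argument the constructed certificate is checked.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.s2.eu.hivemq.cloud"
    cert = probe(host) if len(sys.argv) > 1 else CONSTRUCTED_CERT
    print(check_remote(cert, host))
```

The wildcard rule matters for the "insecure mode" question earlier in the thread: `*.s2.eu.hivemq.cloud` legitimately matches `<cluster>.s2.eu.hivemq.cloud`, so a correctly formed cluster hostname passes verification without bridge_insecure; the option is only needed when the configured address is not the name the certificate was issued for.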