[Apache | Emqx] emqx problem

Hello, I am Eduardo from Argentina, I don't speak English very well.

I have apache listening on port 80 and it works fine.
I ran certbot certonly --apache -d node.net.ar -d www.node.net.ar -d smaug.node.net.ar
Then I manually configured vhosts for:
node.net.ar with alias www.node.net.ar /var/www/html/node
smaug.node.net.ar /var/www/html/smaug

My domain is: node.net.ar (www.node.net.ar and smaug.node.net.ar)
My web server is: apache 2
The operating system my web server runs on is: debian 10
I can login to a root shell on my machine: yes
The version of my client is: 1.9.0
Everything works fine.

Then I have emqx 4.2.1; the emqx dashboard listens for http on port 18083 and https can be enabled on port 18084.
I tried to follow this guide: https://medium.com/@emqtt/using-lets-encrypt-certificates-in-emq-b11e0e57efa6
with another domain: grid.net.ar (iot.grid.net.ar and mqtt.grid.net.ar)

First I tried certbot certonly --standalone -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and I got an error about binding port 80, and I think it is because apache is using 80.
Then I tried certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and it asked me for a webroot; I didn't know what to do and entered c to cancel.
Then I tried certbot certonly --apache -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar because I have apache. Certificates were installed, I enabled https in the dashboard configuration and tried https://grid.net.ar:18084 and it didn't work.
Then I did certbot delete and deleted the grid.net.ar certificates.
Then I tried again certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar
to add a webroot, and it didn't ask me for a webroot; it ran OK and the certificate was installed.
At this point https://grid.net.ar:18084 still didn't work.
certbot certificates shows me both domains with their respective subdomains, paths to /etc/letsencrypt/live, etc.

Any advice on how to solve this scenario? The medium.com guide doesn't cover apache.
My idea is to use grid.net.ar to access the dashboard and then use the iot or mqtt subdomain to allow devices to connect to the mqtt broker over tcp ssl or websocket ssl.

Thank you!!
Regards,
Eduardo.-

What configuration did you use for emq_dashboard.conf?

Is the emq dashboard running right now? I can't connect on 18083 (connection refused).

Hi _az
Dashboard is working in http://grid.net.ar:18083/
node.net.ar is captured by apache.

Config:

dashboard.listener.https = 18084
dashboard.listener.https.access.1 = allow all
dashboard.listener.https.acceptors = 2
dashboard.listener.https.max_clients = 512
dashboard.listener.https.access.1 = allow all
dashboard.listener.https.keyfile = /etc/letsencrypt/live/grid.net.ar/privkey.pem
dashboard.listener.https.certfile = /etc/letsencrypt/live/grid.net.ar/fullchain.pem

I tried with and without dashboard.listener.https.access.1 = allow all because emqx 4 doesn't have that line by default.

Please show:
sudo apachectl -S

apachectl -S

VirtualHost configuration:
*:80 is a NameVirtualHost
default server vps-x.dattaweb.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost vps-x.dattaweb.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:1)
alias www.node.net.ar
port 80 namevhost smaug.node.net.ar (/etc/apache2/sites-enabled/smaug.node.net.ar.conf:1)
*:443 is a NameVirtualHost
default server node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:11)
port 443 namevhost node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:11)
alias www.node.net.ar
port 443 namevhost smaug.node.net.ar (/etc/apache2/sites-enabled/smaug.node.net.ar.conf:10)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Apache works right; the problem is the dashboard, which is served by emqx, and I want to assign the domain grid.net.ar to that dashboard.

Please show:
certbot certificates

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: grid.net.ar
    Serial Number: 30dfe4318f13b454f878041f9fafd7cc7f5
    Domains: grid.net.ar iot.grid.net.ar mqtt.grid.net.ar
    Expiry Date: 2021-01-26 23:56:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/grid.net.ar/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/grid.net.ar/privkey.pem
  Certificate Name: node.net.ar
    Serial Number: 4fc78d79a21486da1ffa4f7950f97c1dc2f
    Domains: node.net.ar smaug.node.net.ar www.node.net.ar
    Expiry Date: 2021-01-26 22:24:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/node.net.ar/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/node.net.ar/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

OK
The good news is:

  • you have a valid cert for that domain
  • you have a web server that is capable of securing that connection.

The bad news is:

  • you will need to use a reverse proxy to secure emqx
    OR
  • you will need to configure emqx to use the cert itself

I know nothing about emqx, so I can't say if/how that would be possible.
I do, however, know enough about Apache/NGINX to say that it should be relatively easy to set up a reverse proxy to reach emqx securely via either port 443 (using SNI), or 18084, or even via both ports (if there is a NAT firewall or port forwarding device inline).

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

1 Like

Thank you, I'll read about reverse proxy!

1 Like

It's pretty straightforward, in the simplest form:
https://grid.net.ar/ > ApacheProxy > http://internal.IP:18083/

I solved it by giving emqx permissions:

chmod 0755 /etc/letsencrypt/{live,archive}
chgrp emqx /etc/letsencrypt/live/grid.net.ar/privkey.pem
chgrp emqx /etc/letsencrypt/archive/grid.net.ar/privkey1.pem
chmod 0640 /etc/letsencrypt/live/grid.net.ar/privkey.pem
chmod 0640 /etc/letsencrypt/archive/grid.net.ar/privkey1.pem

Apache works with node.net.ar
Emqx works with grid.net.ar
certbot renew --dry-run succeeded.

Thank you for your time :smiley:

1 Like

I'm not sure that you should be changing anything in the archive folder.
I guess we will see if that is required when a new cert is issued; as it will then be xxxxx2.pem (and so on).

So you didn't use a reverse proxy?

No, I didn't use anything. I've read that emqx needs permission to read the cert file.
It changed from root:root to root:emqx and it works.
I will see what happens in 3 months.
:smiley:

1 Like
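The permission fix above is applied to archive/privkey1.pem by hand, and as noted in the thread the next renewal writes privkey2.pem with the default root-only mode, so emqx would lose access again. The script below is an added example, not from the thread or from the emqx project: a certbot deploy hook that resolves the live symlink to whichever archive key is current and re-applies the same group/mode change. It assumes emqx runs as group emqx, that the lineage is grid.net.ar and that the broker is a systemd unit named emqx.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-applies the thread's permission
# fix after each renewal. Run by certbot as root via:
#   certbot renew --deploy-hook /usr/local/bin/emqx-key-access.sh
# (certbot exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/grid.net.ar).
set -eu

# grant_key_access LE_DIR LINEAGE GROUP
# Follows LE_DIR/live/LINEAGE/privkey.pem to the real archive/privkeyN.pem
# and makes only that file group-readable (0640) by GROUP. The directories
# get 0755 so the symlink can be traversed; "other" still cannot read the key.
# Prints the resolved key path so the caller can check which file changed.
grant_key_access() {
  le_dir=$1; lineage=$2; group=$3
  chmod 0755 "$le_dir/live" "$le_dir/archive"
  key=$(readlink -f "$le_dir/live/$lineage/privkey.pem")
  chgrp "$group" "$key"
  chmod 0640 "$key"
  printf '%s\n' "$key"
}

# key_mode FILE: prints the octal mode of FILE (e.g. 640), GNU stat assumed.
key_mode() {
  stat -c '%a' "$1"
}

# Hook entry point: only runs when certbot invoked us for a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  le_dir=$(dirname "$(dirname "$RENEWED_LINEAGE")")
  grant_key_access "$le_dir" "$(basename "$RENEWED_LINEAGE")" emqx
  # Assumption: the broker is a systemd unit named emqx; restart it so the
  # listener loads the new certificate and key.
  systemctl restart emqx
fi
```

Adding the hook to the renewal configuration can be verified with certbot renew --dry-run, which runs deploy hooks only when --run-deploy-hooks is also given.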