[Apache | Emqx] emqx problem

edufmass · October 29, 2020, 1:58am

Hello, I am Eduardo from Argentina, I don't speak english very well.

I have apache listening in port 80 and works fine.
I run certbot certonly --apache -d node.net.ar -d www.node.net.ar -d smaug.node.net.ar
Then I configured manually vhost for:
node.net.ar with alias www.node.net.ar /var/www/html/node
smaug.node.net.ar /var/www/html/smaug

My domain is: node.net.ar (www.node.net.ar and smaug.node.net.ar)
My web server is: apache 2
The operating system my web server runs on is: debian 10
I can login to a root shell on my machine: yes
The version of my client is: 1.9.0
Everything works fine.

Then I have emqx 4.2.1, emqx dashboard listen http in 18083 port and https could be enable in port 18084.
I tried to follow this guide: https://medium.com/@emqtt/using-lets-encrypt-certificates-in-emq-b11e0e57efa6
with another domain: grid.net.ar (iot.grid.net.ar and mqtt.grid.net.ar)

First I tried certbot certonly --standalone -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and I get an error about binding port 80 and I think is because apache is using 80.
Then I tried certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and it ask me for a webroot, I didn't know what to do and I enter c to cancel.
Then I tried certbot certonly --apache -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar because I have apache. Certificates where installed, I enabled https in dashboard configuration and tried https://grid.net.ar:18084 and didn't work.
Then I did cerbot delete and deleted grid.net.ar certificates.
Then I tried again certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar
to add a webroot and it didn't ask me for a webroot, ran ok and certificate was installed.
At this point https://grid.net.ar:18084 didn't work yet.
cerbot certificates shows me both domains with respective subdomains, paths to /etc/letsencipt/live, etc

Any advice how to solve this scenario? The medium.com guide doesn't have apache.
My idea is to use grid.net.ar to access dashboard and then use iot or mqtt subdomain to allow devices to connect to mqtt broker by tcp ssl or websocket ssl.

Thank you!!
Regards,
Eduardo.-

_az · October 29, 2020, 2:51am

What configuration did you use for emq_dashboard.conf ?

Is the emq dashboard running right now? I can't connect on 18083 (connection refused).

edufmass · October 29, 2020, 3:28am

Hi _az
Dashboard is working in http://grid.net.ar:18083/
node.net.ar is captured by apache.

Config:

dashboard.listener.https = 18084
dashboard.listener.https.access.1 = allow all
dashboard.listener.https.acceptors = 2
dashboard.listener.https.max_clients = 512
dashboard.listener.https.access.1 = allow all
dashboard.listener.https.keyfile = /etc/letsencrypt/live/grid.net.ar/privkey.pem
dashboard.listener.https.certfile = /etc/letsencrypt/live/grid.net.ar/fullchain.pem

I tried with and without dashboard.listener.https.access.1 = allow all because emqx4 doesn't have that line by default.

rg305 · October 29, 2020, 8:13am

Please show:
sudo apachectl -S

edufmass · October 29, 2020, 12:50pm

apachectl -S

VirtualHost configuration:
*:80 is a NameVirtualHost
default server vps-x.dattaweb.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost vps-x.dattaweb.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:1)
alias www.node.net.ar
port 80 namevhost smaug.node.net.ar (/etc/apache2/sites-enabled/smaug.node.net.ar.conf:1)
*:443 is a NameVirtualHost
default server node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:11)
port 443 namevhost node.net.ar (/etc/apache2/sites-enabled/node.net.ar.conf:11)
alias www.node.net.ar
port 443 namevhost smaug.node.net.ar (/etc/apache2/sites-enabled/smaug.node.net.ar.conf:10)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Apache works right, the problem is the dashboard, is served by emqx and I want to assign the domain grid.net.ar to that dashboard.

rg305 · October 29, 2020, 1:40pm

Please show:
certbot certificates

edufmass · October 29, 2020, 1:55pm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: grid.net.ar
    Serial Number: 30dfe4318f13b454f878041f9fafd7cc7f5
    Domains: grid.net.ar iot.grid.net.ar mqtt.grid.net.ar
    Expiry Date: 2021-01-26 23:56:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/grid.net.ar/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/grid.net.ar/privkey.pem
  Certificate Name: node.net.ar
    Serial Number: 4fc78d79a21486da1ffa4f7950f97c1dc2f
    Domains: node.net.ar smaug.node.net.ar www.node.net.ar
    Expiry Date: 2021-01-26 22:24:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/node.net.ar/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/node.net.ar/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

rg305 · October 29, 2020, 2:25pm

OK
The good news is:

you have a valid cert for that domain
you have a web server that is capable of securing that connection.

The bad news is:

you will need to use a reverse proxy to secure emqx
OR
you will need to configure emqx to use the cert itself

I know nothing about emqx, so I can't say if/how that would be possible.
I do, however, know enough about Apache/NGINX to say that it should be relatively easy to setup a reverse proxy to reach the emqx securely via either port 443 (using SNI), or 18084, or even via both ports (if there is a NAT firewall or port forwarding device inline).

READERS: Get involved and participate: If you read something you like, then click to like it

edufmass · October 29, 2020, 2:36pm

Thank you, I'll read about reverse proxy!

rg305 · October 29, 2020, 2:39pm

It's pretty straight-forward, in the simplest form:
https://grid.net.ar/ > ApacheProxy > http://internal.IP:18083/

edufmass · October 29, 2020, 3:24pm

I solved giving emqx permissions:

chmod 0755 /etc/letsencrypt/{live,archive}
chgrp emqx /etc/letsencrypt/live/grid.net.ar/privkey.pem
chgrp emqx /etc/letsencrypt/archive/grid.net.ar/privkey1.pem
chmod 0640 /etc/letsencrypt/live/grid.net.ar/privkey.pem
chmod 0640 /etc/letsencrypt/archive/grid.net.ar/privkey1.pem

Apache works with node.net.ar
Emqx works with grid.net.ar
certbot renew --dry-run succeeded.

Thank you for your time

rg305 · October 29, 2020, 10:09pm

I'm not sure that you should be changing anything in the archive folder.
I guess we will see if that is required when a new cert is issued; as it will then be xxxxx2.pem (and so on).

So you didn't use a reverse proxy?

edufmass · October 30, 2020, 12:38am

No, I didn't use anything. I've read that emqx need permission to read the cert file.
It changed from root:root to root:emqx and works.
I will see what happens in 3 months.