Using an internal MQTT domain name (.local) to Install and Secure the Mosquitto MQTT Messaging Broker on Ubuntu 16.04


#1

Hi,
My project is IoT based on Node-RED & MQTT.
I am using a Raspberry Pi with the Ubuntu Linux 16.04.1 operating system (Peter Scargill's "script").

I am trying to improve the network side of it by implementing Certbot as another backbone, and using it behind a router/NAT. The router's DHCP independently assigns the IPs, and .local is used (networking device hostnames ending with .local are often employed in private networks, where they are resolved either via the multicast domain name service (mDNS) or local Domain Name System (DNS) servers. https://en.wikipedia.org/wiki/.local).

For example, my Pi (Node-RED/MQTT server) is defined with the hostname pi.local (127.0.1.1). Every other device (sensors, actuators, etc.) will also be defined by its name and not by IP.

I found, and am following, the instructions of a very helpful introduction to securing the MQTT service with a password and Certbot:

“How to Install and Secure the Mosquitto MQTT Messaging Broker on Ubuntu 16.04” (https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04).

I set up the certbot service using my internal MQTT domain name, namely pi.local (the instructions use a domain name pointed at the MQTT server; the tutorial uses mqtt.example.com throughout), as follows:

nadav@pi:~$ sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d pi.local
[sudo] password for nadav:

The below is the response I received:

WARNING: The standalone specific supported challenges flag is deprecated.
Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to cancel):nadav.barkai@gmail.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.

(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Name does not end in a public suffix
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to nadav.barkai@gmail.com.
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My question:
Can we bypass the error "Name does not end in a public suffix"
and get a set of certificates that will work in our "private" (.local) domain and secure the service, or can it only work with "public" domains?

Regards,
Nadav


#2

Hi @NadavBarkai,

Only public domains. This is an explicit policy that results from requirements of the CA/Browser Forum.
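
The reply above is the whole story for Let's Encrypt: a public CA may not issue for a name that does not end in a public suffix, so pi.local will never pass that check. What still works for an internal-only broker is a private CA whose root certificate is installed on every client that talks to the broker. The script below is an added example, not from this thread or from the DigitalOcean tutorial; it creates such a CA with openssl, issues a certificate for pi.local (with the subjectAltName that clients actually match on), verifies it the way a client would, shows that the same certificate does not cover a second device name, and writes the matching Mosquitto listener stanza. It assumes openssl 1.1.1 or newer on PATH; the directory, file names and the "Home IoT private CA" name are all choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): private CA plus a leaf certificate
# for an internal name such as pi.local. Assumes openssl >= 1.1.1 on PATH;
# every path and name below is an assumption chosen for this example.
set -eu

# make_local_ca_and_cert DIR HOSTNAME
# Creates ca.key/ca.crt in DIR, then server.key/server.crt for HOSTNAME
# signed by that CA, and prints "ok" once the chain and hostname verify.
make_local_ca_and_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # Explicit config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Home IoT private CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. The private CA. ca.key must stay offline: whoever holds it can mint a
    #    certificate for any name that clients trusting ca.crt will accept.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. Broker key and CSR. The CN alone is not enough for modern clients;
    #    the subjectAltName added at signing time is what they match on.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" \
        >/dev/null 2>&1

    # 3. Sign the CSR, adding SAN, server-auth EKU and an explicit CA:FALSE.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=critical,CA:FALSE\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1

    # 4. Check it the way an MQTT client started with --cafile ca.crt would.
    [ "$(cert_matches_host "$dir" "$host")" = yes ] && echo ok
}

# cert_matches_host DIR HOSTNAME: "yes" if DIR/server.crt chains to DIR/ca.crt
# and is valid for HOSTNAME, otherwise "no". A certificate for pi.local does
# not cover sensor1.local, so each device needs its own leaf certificate.
cert_matches_host() {
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
            "$1/server.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# write_mosquitto_tls_conf DIR: writes a TLS listener stanza for mosquitto.conf
# that points at the files above, and prints the number of listener lines.
write_mosquitto_tls_conf() {
    cat > "$1/mosquitto-tls.conf" <<EOF
listener 8883
cafile $1/ca.crt
certfile $1/server.crt
keyfile $1/server.key
# switch to true to also demand client certificates from the same private CA
require_certificate false
EOF
    grep -c '^listener ' "$1/mosquitto-tls.conf"
}

# Stand-alone demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_local_ca_and_cert "$demo_dir" pi.local
echo "pi.local:      $(cert_matches_host "$demo_dir" pi.local)"
echo "sensor1.local: $(cert_matches_host "$demo_dir" sensor1.local)"
write_mosquitto_tls_conf "$demo_dir" >/dev/null
rm -rf "$demo_dir"
```

To use it, copy ca.crt (never ca.key) to every client and point them at it: mosquitto_sub/mosquitto_pub take --cafile, and the Node-RED MQTT node has a TLS configuration with the same CA field. Two things Let's Encrypt would have handled now fall on you: certificate expiry (825 days above) has to be tracked and renewed by hand, and the CA key is the single point of compromise for the whole LAN, so keep it off the Pi. Setting require_certificate true and issuing a leaf per sensor from the same CA turns the broker into mutual TLS, which is a stronger device identity than the password file the tutorial sets up.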


#3

Hi @NadavBarkai

Is your Raspberry Pi MQTT broker available to the web? If so, you should have a TLD that is not .local

Using .local addresses means that you will not be able to

If you do not have one but want people to access your MQTT broker, I would suggest buying a .xyz domain from GoDaddy (1.99), pointing it to Cloudflare and then obtaining a certificate

Do you currently have a public IP address?

Andrei
