Edge agent with mosquitto in bridge

So, I came with an idea of having a mosquitto broker in bridge mode with Losant platform, and the edge-agent container connected locally to the mosquitto. The reason I came with this is due a scenario where I have others applications talking MQTT within my Edge device (or gateway). Thus, this architecture would allow to have multiple MQTT clients connected to a local broker (including the edge-agent), which is connected in bridge to the Losant broker.

First off, I have already managed to make the bridge connection work, following the steps in the Mosquitto bridge post. So, the local mosquitto broker connects fine with the Losant broker. Then, I did the following steps:

In the Losant platform:

  • I created an Edge Compute device (ID: 5dc33f44bfed950007ef1208);
  • I created access keys for this device;

In my Edge device:

  • I installed mosquitto broker, configured to listen locally at port 1883, as well as configured the bridge with the access keys generated;
  • I successfully made the connection between mosquitto bridge and Losant broker, using port 8883 and RootCA.crt (from Losant github);
  • I’ve pulled the losant/edge-agent image, set the config.toml with the following config:
out = '/data/losant-edge-agent-log.log'
level = 'verbose'
id = '5dc33f44bfed950007ef1208'
key = 'my-key'
secret = 'my-secret'
host = ''
path = '/data/losant-edge-agent-store.db' 
  • I’ve started the container and got the following logs:

root@cl-debian:~# tail -f /var/lib/losant-edge-agent/data/losant-edge-agent-log.log
2019-11-07T16:59:56.780Z [info] Agent Starting…
2019-11-07T16:59:56.798Z [info] Agent Version: 1.12.0
2019-11-07T16:59:57.133Z [info] Webserver started on port: 8080
2019-11-07T16:59:57.145Z [info] Workflows initialized and running…
2019-11-07T16:59:57.149Z [info] Connecting to: mqtts:// …
2019-11-07T16:59:57.490Z [warn] MQTT client error:
{“errno”: “ECONNRESET”, “code”: “ECONNRESET”, “syscall”: “read”}
2019-11-07T16:59:57.499Z [warn] MQTT client disconnected.
2019-11-07T16:59:57.501Z [verbose] Connection Stream Error:
{“errno”: “ECONNRESET”, “code”: “ECONNRESET”, “syscall”: “read”}

I also got the mosquitto logs:

root@cl-debian:~# mosquitto -v -c /etc/mosquitto/mosquitto.conf
1573145933: Loading config file /etc/mosquitto/mosquitto.d/bridge.conf
1573145934: mosquitto version 1.6.7 starting
1573145934: Config loaded from /etc/mosquitto/mosquitto.conf.
1573145934: Opening ipv4 listen socket on port 1883.
1573145934: Opening ipv6 listen socket on port 1883.
1573145934: Opening ipv4 listen socket on port 8883.
1573145934: Opening ipv6 listen socket on port 8883.
1573145934: Bridge local.5dc33f44bfed950007ef1208 doing local SUBSCRIBE on topic losant/#
1573145934: Connecting bridge bridge-to-losant broker.losant.com:8883
1573145934: Bridge 5dc33f44bfed950007ef1208 sending CONNECT
1573145934: Received CONNACK on connection local.5dc33f44bfed950007ef1208.
1573145934: Bridge local.5dc33f44bfed950007ef1208 sending SUBSCRIBE (Mid: 1, Topic: losant/#, QoS: 1, Options: 0x00)
1573145934: Received SUBACK from local.5dc33f44bfed950007ef1208
1573145994: Sending PINGREQ to local.5dc33f44bfed950007ef1208
1573145994: Received PINGRESP from local.5dc33f44bfed950007ef1208
1573145997: New connection from on port 1883.
1573145997: Client disconnected due to protocol error.

Regarding the container log (Connecting to: mqtts:// ...), it looks like it always tries to connect with TLS. I tried to force host = 'mqtt://' in the config.toml, but it didn’t work.

Thus, based on this architecture, my only way out would be to configure certificates in the mosquitto. So I followed the Mosquitto TLS tutorial and made it work.

Now, I would need a field in the config.toml such as cafile = /path/to/cafile, so that I can specify a CA file different from one that is shipped within the docker image.

Does this idea make sense? Is it possible to set other cafile?
I am still open for suggestions.

I think you’re overall architecture is good. You can configure the Edge Agent to connect using non-TLS by adding a protocol field to your config.toml file.

protocol = 'mqtt://'

The field is undocumented, because we generally advise people to use TLS whenever possible, but since you’re connecting to a local broker, it should be fine from a security perspective.

Thank you Brandon, for the help. I’ve managed to work with the protocol = 'mqtt://' field. I’m still wondering though, in the case I choose TLS in the mosquitto broker, is there a way to set the Edge Agent’s CA file?

There are two environment variables you can use to change some of the TLS behavior. These control the underlying runtime (Node.js).

  1. You can provide an additional CA file using NODE_EXTRA_CA_CERTS=file.

  2. You can also set NODE_TLS_REJECT_UNAUTHORIZED=0, which allows TLS connections without a valid certificate authority.

Awesome Brandon! Everything seems to be working. Thank you.