EDIT: edited on 8/30 to change tls version to tls 1.2. Seems that TLS 1.0 doesn’t work any more. Thanks to Asish Sinha for the heads up. Also updated the api-version to the latest
Earlier, I had a post on connecting an MQTT client to IoT Edge.
It seems like lately my team and I have had a lot of customers with brownfield equipment that can speak MQTT, but are either too old or too low powered (the devices, not the customers ) to do MQTT over TLS. It is also often the case that you have no real control over the MQTT topic(s) that the device sends events/messages over. Additionally, many devices even imply “intelligence” or “data” into the topic structure, meaning the topic hierarchy itself conveys information vs. only having important information in the message payload.
Both a TLS connection, and sending data on a very specific topic, are current requirements to talk to either IoT Edge or IoT Hub itself over MQTT. So, how do we overcome this impedance mismatch between what IoT Hub/Edge requires, and the equipment can do? One way is to use a middle layer to do the translations. A popular choice is the open source MQTT broker mosquitto from the Eclipse Foundation. Mosquitto has a built-in option to set up an MQTT “bridge”, in which the broker will accept incoming messages over MQTT and then forward them as an MQTT client to another MQTT server. The good news is, Mosquitto can listen to the unencrypted MQTT traffic (port 1883 by default), and then forward it along over a TLS-protected MQTTS connection (port 8883) via this bridge.
That takes care of our MQTT vs. MQTTs issue. But what about the any topic vs. a specific topic problem. Unfortunately, IoT Hub and IoT Edge both only accept telemetry/event data on a specific MQTT topic: devices/[device-id]/messages/events where [device-id] is the ID of the connected device. That one is a little trickier, and will be addressed later in this post after we cover the basics of setting up the bridge.
A couple of notes/caveats before we get started:
I am NOT a mosquitto expert. I’ve learned just enough to get this working
This is certainly not the only way to solve this problem. But is one way that seems to work pretty well.
Mosquitto Bridge Setup for IoT Hub/Edge
Before we can configure our Mosquitto MQTT bridge, there are a few pre-requisites to take care of
If you are talking directly to IoT Hub, you can skip this step. If you are wanting to route your messages through IoT Edge, you need to setup an IoT Edge device as a gateway.
Gather the TLS server-side root certificate. In order for mosquitto to establish a TLS connection to either IoT Hub or IoT Edge, it needs to trust the server-side TLS certificate that will be presented to the broker when it tries to open the connection to IoT Hub/Edge. Gathering the CA cert from which the TLS server-side cert was generated, the process differs slightly based on whether you are connecting to IoT Hub or IoT Edge. Either way, save the cert to a file on the mosquitto server, we’ll use it later.
For IoT Hub, the TLS certificate chains up to the public DigiCert Baltimore Root certificate. You can create this file by copying the certificate information from certs.c in the Azure IoT SDK for C. Include the lines —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–, remove the ” marks at the beginning and end of every line, and remove the \r\n characters at the end of every line. Name the file with a .pem extension.
For IoT Edge, use whatever root certificate you used to create the IoT Edge Device CA Certificate. If you used our convenience scripts to set up IoT Edge, that will be the azure-iot-test-only.root.ca.cert.pem found in the ‘certs’ folder where you ran the scripts
install and configure Mosquitto
Now that we have our pre-req’s finished, we can do our Mosquitto bridge setup. This is done via the Mosquitto configuration file. There may be other things in that file, however, below is an example configuration entry.
# Bridge configuration
address [edge or hub fqdn]:8883
bridge_cafile [iot hub or edge root ca cert]
topic devices/[device-id]/messages/events/# out 1
The parts in bold need to be replaced with your values, where
- [iot hub or edge FQDN] is the DNS name of either your IoT Hub (including the .azure-devices.net) or your IoT Edge device (i.e. whatever name was used as the ‘hostname’ in config.yaml on IoT Edge)
- [iothub-shortname] is the name of your IoT Hub (e.g. ‘myiothub’) without the .azure-devices.net
- [device-id] is the name of the IoT device created in IoT Hub to represent this broker
- [sas-token] is a SAS token generated for that device-id in that hub
- [iot hub or edge root ca cert] is the full path to the root certificate file you created earlier
- All values are case sensitive.
The very last line (that starts with the word ‘topic’) subscribes the bridge to all messages that are sent with the topic structure of ‘devices/[device-id]/messages/events/#’ (the # is a wildcard to include any sub-topics). When a message that fits that topic structure gets published, the bridge will get it and pass it along to the IoT Hub/Edge.
restart your Mosquitto broker using the updated configuration file. You should see debug output indicating that it has connected the bridge (and if you are using IoT Edge, you should see debug output in the edgeHub logs showing the connection from the broker)
If you want to test the connection, you can send a test message using the mosquitto_pub command, using the following command (replacing [device-id] with your device id you created above):
mosquitto_pub -t devices/[device-id]/messages/events/ -m "hello world!"
The trailing slash is important and required. You should see the message above be forwarded by the MQTT bridge to either IoT Hub or IoT Edge.
If you are fortunate enough to have full control over your MQTT topic structure from your devices, and there is no intelligence in your topic structure, you’re done. Congrat’s and have fun! You can just point your MQTT clients at the broker address (making sure you update the MQTT topic to point to devices/[device-id]/messages/events/) and rock and roll.
However, for the use cases where you don’t have MQTT topic control, or there is intelligence in your topic hierarchy, keep reading.
MQTT Topic Translation
Unfortunately, this is where things get a little less “clean”. The mosquitto MQTT bridge has no ability to “rewrite” or completely change the topic structure of the messages it receives. One way to do it is to write a simple client that subscribes to all potential topics from which the MQTT devices might send data, and then resend the payload after translating the MQTT topic into the IoT Hub/Edge required topic structure.
Below is a simple python script that I wrote to do the translation as an example. This sample subscribes to all topics (# – the wildcard) and, if the message doesn’t already use the IoT Hub/Edge topic structure, it simply resends the message payload using the hub/edge topic.
import paho.mqtt.client as mqtt
#replace [device-id] with your device you created in IoT Hub.
iothubmqtttopic = "devices/[device-id]/messages/events/"
# this sample just resends the incoming message (on any topic) and just
# resends it on the iothub topic structure. you could, of course, do any
# kind of sophisticated processing here you wanted...
def on_message(client, userdata, message):
if(message.topic != iothubmqtttopic):
messageStr = str(message.payload.decode("utf-8"))
print("message received " ,messageStr)
# replace <broker address> with the FQDN or IP address of your MQTT broker
print("creating new instance")
client = mqtt.Client("iottopicxlate") #create new instance
client.on_message=on_message #attach function to callback
print("connecting to broker")
client.connect(broker_address) #connect to broker
print("Subscribing to all topics")
client.loop_forever() #stop the loop
Of course, this is one extremely simple example, that just passes along the same message payload and swaps out the message topic. You can, of course, add any kind of sophisticated logic you need. For example, you could parse the topic hierarchy, pull out any ‘intelligence’ in it, and add that to the message payload before sending.
if you want to test this, copy this python script to a file, edit it to add your device id and URI of your mosquitto broker, and run it. You can then try….
mosquitto_pub –t /any/topic/structure/you/want –m "hello world"
You should see the python script receive the file, do the translation, and republish the message. Then the mosquitto bridge will forward the new message along to IoT Hub/Edge.