External MQTTS Broker - 8883 using TLS?

Hi folks,

Does Rhasspy support MQTTS? For example, to connect to my external MQTT broker I need to specify the --capath option:

mosquitto_pub -h mqtt.mydomain.com -t "test" -m "hello world" -u username -p 8883 -P 'secret' --capath /etc/ssl/certs/

I have added /etc/ssl/certs to the certificate path in the webui, however nothing seems to get passed when looking at the logs.

Thanks!

I believe that in Rhasspy 2.5 this function is not available, because looking at the GitHub repository, MQTT TLS support is present in the file TODO.md.

Thanks for reporting this, it’s a bug indeed. I fixed this now in rhasspy-hermes 0.3.1. I’ll ask @synesthesiam to rebuild the Docker image with the fixed code.

@razzo04 MQTT TLS support has been added only recently, so the TODO file wasn’t updated. I removed the MQTT TLS support now in the TODO file.


I've tried this with the Docker image that was released a couple of days ago and it doesn't seem to be working - not sure if the fix @koan mentions has landed yet?

My Docker image just seems to hang, maxing out the CPU on my Pi 0, although I can see some sort of activity on the MQTT server with MQTT Explorer.

I have checked the documentation link but I am not 100% confident I have the right settings in the GUI.
Should the ca_certs box be a cert or a folder? 'certs' implies a folder, but I've tried both.
Do we need anything in the certfile and keyfile? (I assume these 2 settings are for a client cert.)
Should we be using .pem or .crt, or does it not matter?

Would be interested to know if anyone has this working and what setting they have!

I verified this with the latest Docker image, TLS connections don’t work indeed. It seems the tls_ca_certs configuration option that you enter in the web interface doesn’t get picked up. If I put the following configuration manually in the “mqtt” section of profile.json, the connection works:

        "tls": {
            "enabled": true,
            "ca_certs": "/etc/ssl/private/rootCA.pem"
        },

You need to enter the path to the CA certificate itself, not a directory.

Can you confirm that this works for you with the manual change?

By the way, the certfile and keyfile are for client certificates indeed, we should probably clarify this in the web interface.
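An added check, not Rhasspy's own code, for the questions raised above: it validates the mqtt.tls section of a profile.json, flagging a directory given as ca_certs, a file that is not PEM whatever its extension, and a certfile without its keyfile. The check_mqtt_tls name, the fake filesystem and the sample profiles are constructed for this example.

```python
import os
from pathlib import Path
from typing import Callable, Dict, List

# Hypothetical helper, not part of Rhasspy: sanity-check the "mqtt" -> "tls"
# block of a profile.json before pointing Rhasspy at a TLS broker.
PEM_CERT = "-----BEGIN CERTIFICATE-----"
PEM_KEYS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
            "-----BEGIN EC PRIVATE KEY-----")

def check_mqtt_tls(profile: Dict,
                   is_file: Callable[[str], bool] = os.path.isfile,
                   read_text: Callable[[str], str] = lambda p: Path(p).read_text()) -> List[str]:
    """Return a list of problems found in profile["mqtt"]["tls"]; empty means it looks fine.
    is_file/read_text are injectable so the check can run against a fake filesystem."""
    problems: List[str] = []
    tls = profile.get("mqtt", {}).get("tls", {})
    if not tls.get("enabled", False):
        return ['"tls.enabled" is not true: the broker connection will be plaintext']

    ca = tls.get("ca_certs")
    if not ca:
        problems.append('"ca_certs" missing: the broker certificate cannot be verified')
    elif not is_file(ca):
        # The stumbling block in the thread: this must be the CA certificate file, not /etc/ssl/certs/
        problems.append(f'"ca_certs" must be the CA certificate file, not a directory: {ca}')
    elif PEM_CERT not in read_text(ca):
        # .pem vs .crt does not matter; the content must be PEM encoded
        problems.append(f'"ca_certs" is not a PEM certificate (extension is irrelevant): {ca}')

    certfile, keyfile = tls.get("certfile"), tls.get("keyfile")
    if bool(certfile) != bool(keyfile):
        # A client certificate is useless without its private key, and vice versa
        problems.append('"certfile" and "keyfile" must be set together (client cert + key) or both omitted')
    else:
        if certfile and (not is_file(certfile) or PEM_CERT not in read_text(certfile)):
            problems.append(f'"certfile" is not a PEM client certificate: {certfile}')
        if keyfile and (not is_file(keyfile) or not any(k in read_text(keyfile) for k in PEM_KEYS)):
            problems.append(f'"keyfile" is not a PEM private key: {keyfile}')
    return problems

# Constructed sample data: a fake filesystem plus the wrong (directory) and right (file) settings.
FAKE_FS = {"/etc/ssl/private/rootCA.pem": PEM_CERT + "\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
           "/etc/ssl/certs/": None}  # None marks a directory
fake_is_file = lambda p: FAKE_FS.get(p) is not None
fake_read = lambda p: FAKE_FS[p]
BAD_PROFILE = {"mqtt": {"tls": {"enabled": True, "ca_certs": "/etc/ssl/certs/"}}}
GOOD_PROFILE = {"mqtt": {"tls": {"enabled": True, "ca_certs": "/etc/ssl/private/rootCA.pem"}}}
```

Run it against the real profile with `check_mqtt_tls(json.load(open("profile.json")))` to use the actual filesystem defaults.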

Wait, it doesn’t… I get this message repeatedly in the logs:

rhasspy    | [DEBUG:2020-07-04 13:09:26,871] rhasspyserver_hermes: Connecting to pi-red.home:8883 (retries: 0/10)

Looking at the code of rhasspy-server-hermes/__init__.py, it doesn’t seem to support TLS yet, am I seeing that right, @synesthesiam?

Thanks @koan for looking at this. I'll give it another go when you get to the bottom of it!

Ah, that’s right! :man_facepalming: Everything else uses rhasspy-hermes, which has TLS support. The web server needed special MQTT handling, so it uses custom code and I forgot to add TLS.

I've added a GitHub issue.

This is another area where the encapsulation of so much that probably doesn't need to be in Rhasspy's code, for a small community, and the ever-increasing bloat confuse me.

Why a universal 3rd-party TLS is not employed when and where needed, without the need for code inclusion or support, as many know, bemuses me.

https://www.stunnel.org/

But hey.