Cerbo MQTT / WEBUI network security profile configuration

I wanted to outline what I’ve learned when creating a script that communicates between a Shelly 1PM and a CerboGX device via MQTT to control the Shelly device relay based on several factors including SoC. The Shelly uses a scaled-back version of JavaScript (Espruino).

I had seen and read a number of posts regarding connecting to the CerboGX MQTT local broker and the issues people had encountered, especially around authentication. Most discussed the use of MQTT Explorer, but the connection methodology is fundamentally the same for establishing any connection.

I hope this will help others in their own projects, and serve as an aide-mémoire for me in the future.

The CerboGX device I was interrogating currently runs firmware version 3.52 (the CerboGX is set to use V2 of the GUI).

The Cerbo has 3 ‘Network Security Profiles’. These can be accessed via the CerboGX UI:

CerboGX UI → Settings → General → Network Security Profile

It is worth noting that this is not documented in the official Victron CerboGX manual (accessed via the product page on the Victron website - Cerbo GX Manual).

The options available for selection are: ‘Unsecured’, ‘Weak’, ‘Secured’.

Upon selecting a profile, you will be prompted with an untitled text box and ‘Confirm’ button. Please see the table below, under ‘Profiles:-’ for what can be entered into this text box. The entry here serves as the ‘password’**** to access the CerboGX WEBUI.

Users will need to determine their preferred option, based on their own use case. The below matrix and explanation may help in this.

Overview:
The Network Security Profiles create a simple settings implementation that should cover most users. These settings also govern how users access the CerboGX WebUI (http[s]://venus.local or http[s]://[cerbogx-ip-address]) and, in the case of MQTT access, the authorisation parameters.

Profiles:-

| Profile | TLS | Username | Password |
|---|---|---|---|
| Unsecured | WEBUI: HTTP/HTTPS - MQTT: 1883 | NO | NO |
| Weak | WEBUI: HTTP/HTTPS - MQTT: 8883* | WEBUI: N/A - MQTT: REQUIRED** | WEBUI: YES*** - MQTT: REQUIRED*** |
| Secured | WEBUI: YES - MQTT: 8883* | WEBUI: N/A - MQTT: REQUIRED** | WEBUI: YES*** - MQTT: REQUIRED*** |

\* Connection must use TLS (no certificate validation)

\** ANY string (there is no specified user, but a string of more than 0 characters must be provided)

\*** 8 - 511 characters

****The use of ‘Password’ is probably slightly misleading, and is probably better described as, and more akin to an ‘Access Token’.

It is worth noting that when using TLS, you will need to enable the ability to use / submit TLS connection information, as you would expect, but you will almost certainly not want to validate the certificate. In almost all cases these will be self-signed certificates, and therefore fail validation. Below is a configuration example using MQTT Explorer:

The final thing is to ensure you have enabled MQTT communication on your Cerbo:
CerboGX UI → Settings → Services → MQTT Access (set it to ‘ON’)

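The connection settings from the profile table and the TLS note above, as an added Python example (standard library only) that is not part of the original post. The client ID, the default username and the optional `pinned_sha256` fingerprint check are assumptions of the example, and the MQTT password is assumed to be the value entered when the profile was selected.

```python
import hashlib
import socket
import ssl
import struct

# (port, TLS) per profile, taken from the table in the post.
PROFILES = {"Unsecured": (1883, False), "Weak": (8883, True), "Secured": (8883, True)}

def _field(data):
    # MQTT fields carry a 2-byte big-endian length prefix.
    return struct.pack("!H", len(data)) + data

def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build an MQTT 3.1.1 CONNECT packet, with credentials when given."""
    flags = 0x02  # clean session
    payload = _field(client_id.encode())
    if username is not None:
        if not username or not 8 <= len(password or "") <= 511:
            raise ValueError("need a non-empty username and an 8-511 character password")
        flags |= 0xC0  # username and password present
        payload += _field(username.encode()) + _field(password.encode())
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    remaining, length = len(body), bytearray()
    while True:  # variable-length "remaining length" encoding
        remaining, digit = divmod(remaining, 128)
        length.append(digit | (0x80 if remaining else 0))
        if not remaining:
            break
    return b"\x10" + bytes(length) + body

def connect(host, profile, password=None, username="anyuser", pinned_sha256=None):
    """Open a broker session; returns (socket, CONNACK return code)."""
    port, use_tls = PROFILES[profile]
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # self-signed certificate: validation is off,
        ctx.verify_mode = ssl.CERT_NONE  # as in the MQTT Explorer setup
        sock = ctx.wrap_socket(sock)
        # Added check (not from the post): compare with a recorded fingerprint.
        seen = hashlib.sha256(sock.getpeercert(binary_form=True)).hexdigest()
        if pinned_sha256 and seen != pinned_sha256.lower():
            sock.close()
            raise ssl.SSLError("broker certificate fingerprint changed: " + seen)
        sock.sendall(build_connect("example-client", username, password))
    else:
        sock.sendall(build_connect("example-client"))
    ack = sock.recv(4)  # CONNACK: 0x20 0x02 <flags> <return code>, 0 = accepted
    return sock, (ack[3] if len(ack) == 4 else None)
```

With validation off, TLS encrypts the session but does not prove which device answered; recording the certificate's SHA-256 fingerprint on first connection and passing it as `pinned_sha256` afterwards makes a swapped certificate raise an error instead of connecting silently.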