MQTT Connection to a "secured" Cerbo-GX

Hello everyone.

I have some questions about MQTT and TLS.

When I switch my Cerbo-GX v3.53 to TLS, it brings up some problems and questions:

  1. When I switch the MQTT Explorer to port 8883 and enable TLS, the encrypted communication already works without a password, username, and certificate. Where is the additional security here? Why is no certificate provided, and why are no username and password required?

  2. When I try to include the encrypted Cerbo-GX in an MQTT Bridge, it does not work. I use an Eclipse Mosquitto MQTT Bridge and am very satisfied with it, but I cannot integrate the encrypted Cerbo-GX. The unencrypted Cerbo-GX works very well. Again, I am either missing a certificate or password and username.

The configuration for the bridge looks like this:

per_listener_settings true
allow_anonymous true
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
log_timestamp_format %Y-%m-%dT%H:%M:%S
log_dest stdout
log_type all

## MQTT Secure listener
listener 8883 0.0.0.0
require_certificate false
tls_version tlsv1.2
allow_anonymous true

# MQTT Default listener
listener 1883 0.0.0.0
allow_anonymous true

# MQTT over WebSockets
listener 9001 0.0.0.0
protocol websockets
allow_anonymous true

connection victron
address 192.168.133.71:1883
topic N/# in 0 victron/

connection victron-tls
address 192.168.133.71:8883
topic N/# in 0 victron-tls/
bridge_insecure true
tls_version tlsv1.2

connection openWB
address 192.168.133.79:1883
topic openWB/# both 0 openWB/

connection watermeter
address 192.168.133.90:1883
topic watermeter/# in 0 watermeter/

My error message:

2025-01-25T16:03:54: Connecting bridge victron-tls (192.168.133.71:8883)
2025-01-25T16:03:54: Bridge eclipse-mosquitto.victron-tls sending CONNECT
2025-01-25T16:03:54: Client local.eclipse-mosquitto.victron-tls closed its connection.

My interpretation: If the simple configuration without a certificate, password, and username works with the MQTT Explorer, shouldn’t it also work with the Mosquitto Bridge?

Does anyone have a working bridge configuration if the Cerbo-GX configuration is set to “secure”?

Hi Marc,
got about the same problem on my side. Unencrypted communication works like a charm. I can also get a connection and data when connecting via MQTT Explorer to my Cerbo GX, but cannot configure the Mosquitto Bridge to work the same way.
My log looks like yours:

2025-02-02 12:44:16: Connecting bridge victron (192.168.1.10:8883)
2025-02-02 12:44:16: Client homeassistant closed its connection.

Regarding your communication without password: Are you sure that the connection is properly reset? I sometimes do get more MQTT data for a while after switching to secured communication in the Cerbo GX.

Hey guys,

I’ve maybe found a solution.

  1. get the certificate from Cerbo:
     echo | openssl s_client -connect venus.local:8883 2>/dev/null | openssl x509
  2. save the CA into HomeAssistant
  3. use this config (you can remove credentials if you do not use them):

connection victron
address venus.local:8883
remote_username victron
remote_password YourPassword
topic N/# in 0 victron/
topic R/# out 0 victron/
topic W/# out 0 victron/

bridge_tls_version tlsv1.3
bridge_cafile /share/mosquitto/venus.local.crt
bridge_insecure true

  4. you can test the connection from your computer as well:
     mosquitto_sub -h venus.local -p 8883 -t 'N/#' -u victron -P YourPassword -v --cafile venus.crt

Fanda36 thanks so much for your post. Your solution got me on the right track. I had to add a couple of options in my victron.conf file on HomeAssistant.

connection victron
address 192.168.1.111:8883
remote_username victron
remote_password MyPassword
topic N/# in 0 victron/
topic R/# out 0 victron/
topic W/# out 0 victron/
bridge_tls_version tlsv1.3
bridge_cafile /ssl/venus.crt
bridge_insecure true
bridge_protocol_version mqttv50
cleansession true

I kept getting various errors without cleansession true and bridge_protocol_version mqttv50.

Just in case anyone is searching for a solution, the errors I got before adding those options were:

In the Home Assistant Mosquitto Broker log:

2025-03-23 00:40:10: Connection Refused: Not authorized

On the Venus GX (Raspberry Pi 4) in /data/log/flashmq/current

[2025-03-23 07:40:10.215] [NOTICE] [T 0] Removing client '[ClientID='core-mosquitto.victron', username='victron', fd=21, keepalive=60s, transport='TCP/SSL', address='192.168.1.111', prot=5.0, clean=1]'. Reason(s): Cannot take over session with different username

Or

[2025-03-23 07:15:36.276] [NOTICE] [T 0] Client '[ClientID='core-mosquitto.victron', username='victron', fd=21, keepalive=60s, transport='TCP/SSL', address='192.168.1.111', prot=5.0, clean=0]' logged in successfully

But, there wouldn’t be any new messages published in the Mosquitto Broker on Home Assistant.
After reading a little about FlashMQ and cleansession (“Understanding clean session and clean start – FlashMQ”), I added cleansession true and now my HA can read the bridged MQTT data. I’m up and running with Home Assistant and Firmware v3.54!
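The steps from Fanda36's post and the extra bridge options added in the reply above, pulled together into one script (an added example, not something posted in the thread or shipped by Victron or Mosquitto); the host, port, file paths and the "victron" username are assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example, not from the thread: fetch the Cerbo GX broker certificate,
# pin it by fingerprint and render the Mosquitto bridge block.
# Host, port, paths and the "victron" user below are assumptions for your setup.

# Save the leaf certificate the device presents on its TLS port, as PEM.
fetch_cert() { # fetch_cert HOST PORT OUTFILE
    echo | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-256 fingerprint of a PEM certificate (hex bytes separated by colons).
# Compare the saved CA file with what the device presents now, e.g. after
# a firmware update, before trusting a changed certificate.
cert_fingerprint() { # cert_fingerprint PEMFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds only if the file parses as a certificate that has not expired.
check_cert() { # check_cert PEMFILE
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Bridge block from the thread with the CA path filled in. Mosquitto only
# speaks TLS on a bridge when bridge_cafile/bridge_capath (or a PSK) is set,
# which is why an address on :8883 with no CA file gets its CONNECT closed.
render_bridge_conf() { # render_bridge_conf HOST PORT CAFILE USERNAME
    cat <<EOF
connection victron
address $1:$2
remote_username $4
remote_password CHANGE_ME
topic N/# in 0 victron/
topic R/# out 0 victron/
topic W/# out 0 victron/
bridge_tls_version tlsv1.3
bridge_cafile $3
# bridge_insecure only disables hostname verification; the chain is still
# checked against bridge_cafile, so keep that file pinned to the device cert.
bridge_insecure true
bridge_protocol_version mqttv50
cleansession true
EOF
}

# Typical run (needs the device reachable on the network):
#   fetch_cert venus.local 8883 /ssl/venus.crt && check_cert /ssl/venus.crt \
#     && cert_fingerprint /ssl/venus.crt \
#     && render_bridge_conf venus.local 8883 /ssl/venus.crt victron > victron.conf
```

Re-run cert_fingerprint against a freshly fetched copy whenever the bridge suddenly stops connecting: a changed fingerprint means the device has a new certificate that the pinned CA file no longer matches.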

Just to say thanks for the solution

The only (noob) issue was not realising that the certificate is printed on screen and you must copy that into a file.

I found the File editor add-on in Home Assistant useful, as you can upload files easily.