update mosquitto tls

mosquitto/Dockerfile

@@ -5,7 +5,7 @@
 FROM alpine
 MAINTAINER kev <noreply@easypi.pro>
 
-RUN apk add --no-cache mosquitto
+RUN apk add --no-cache ca-certificates mosquitto
 
 VOLUME /etc/mosquitto
 EXPOSE 1883 8883

mosquitto/README.md

@@ -24,27 +24,33 @@ mosquitto:
 
 ## mosquitto.conf
 
-```
-port 8883
+```ini
+port 1883
 log_dest stdout
+allow_anonymous false
 password_file /etc/mosquitto/pwfile
 persistence true
 persistence_location /var/lib/mosquitto
-cafile /var/lib/mosquitto/ca.crt
-certfile /var/lib/mosquitto/server.crt
-keyfile /var/lib/mosquitto/server.key
+
+###### ENABLE TLS ######
+listener 8883
+protocol mqtt
+capath /etc/ssl/certs
+certfile /var/lib/mosquitto/fullchain.pem
+keyfile /var/lib/mosquitto/privkey.pem
 require_certificate false
 ```
 
 - `pwfile` is managed by [mosquitto_passwd][3].
-- TLS keys are generated by [openssl][2].
+- Two methods to support TLS:
+  - You can get free TLS certificates from letsencrypt, `capath` is needed.
+  - Self-signed TLS keys can be generated by [openssl][2], `cafile` is needed.
 
-> It is important to use different certificate subject parameters for your CA,
-> server and clients.
+> It is important to use different certificate subject parameters for your self-signed CA, server and clients.
 
 ## server
 
-```
+```bash
 $ mkdir -p data
 $ touch data/mosquitto.conf data/pwfile
 $ docker-compose up -d

mosquitto/arm/Dockerfile

@@ -5,7 +5,7 @@
 FROM easypi/alpine-arm
 MAINTAINER EasyPi Software Foundation
 
-RUN apk add --no-cache mosquitto
+RUN apk add --no-cache ca-certificates mosquitto
 
 VOLUME /etc/mosquitto
 EXPOSE 1883 8883

mosquitto/arm/data/mosquitto.conf

@@ -12,7 +12,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE WS ######
 #listener 8080
 #protocol websockets
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false
@@ -20,7 +20,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE TLS ######
 #listener 8883
 #protocol mqtt
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false

mosquitto/data/mosquitto.conf

@@ -12,7 +12,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE WS ######
 #listener 8080
 #protocol websockets
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false
@@ -20,7 +20,7 @@ persistence_location /var/lib/mosquitto
 ###### ENABLE TLS ######
 #listener 8883
 #protocol mqtt
-#cafile /var/lib/mosquitto/DST_Root_CA_X3.pem
+#capath /etc/ssl/certs
 #certfile /var/lib/mosquitto/fullchain.pem
 #keyfile /var/lib/mosquitto/privkey.pem
 #require_certificate false