Mar 22 2021
 

I updated net/mosquitto from 1.6.7_1 to 2.0.8 on March 14, 2021. It did not get restarted at that time.

It wasn’t until sysutils/anvil brought in a new certificate and attempted to restart mosquitto that the monitoring started detecting the problem: mosquitto wasn’t running.

It’s the pid file

Looking into it, I found that nothing was logged when starting via rc.d:

$ sudo service mosquitto start
Starting mosquitto.

Starting it from the command line gave useful information:

$ sudo /usr/local/sbin/mosquitto -c /usr/local/etc/mosquitto/mosquitto.conf -v
1616184446: Error: Unable to write pid file.

Looking at the rc.d file and comparing it to the documentation, I found that the documentation refers to pid_file while the script looks for pidfile.

The following represents the patch I made to the script:

+ pidfile=$(grep pid_file ${mosquitto_config} | awk '{print($2)}')
- pidfile=$(grep pidfile ${mosquitto_config} | awk '{print($2)}')
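Review bot: grep pid_file in the + line matches that substring anywhere on the line, so a commented-out "#pid_file ..." entry in ${mosquitto_config} would also be picked up and, if it appears before the real directive, its second field is what ends up in pidfile; anchoring the match to the first field avoids that, e.g. awk '$1 == "pid_file" {print $2}' ${mosquitto_config}. Also, the + line is shown before the - line here, the reverse of the usual diff order, which makes it easy to misread which one is the new version.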

It’s permissions

After updating the rc.d script to search for the correct pid file, the previously described problem persisted. An internet search for this led me to create a new directory for the pid file, owned by the mosquitto user.

$ sudo mkdir /var/run/mosquitto
$ sudo chown mosquitto:mosquitto /var/run/mosquitto
$ ls -ld /var/run/mosquitto/
drwxr-xr-x  2 mosquitto  mosquitto  512 Mar 22 13:16 /var/run/mosquitto/

I modified /usr/local/etc/mosquitto/mosquitto.conf to put the pid file in this directory.

Starting mosquitto again got me past the pid file problems. Now the file was being created and populated, but mosquitto did not stay running.

It’s the password file

Checking /var/log/messages, I found:

Mar 21 13:13:23 supernews mosquitto[8586]: 1616418803: Error: Unable to open pwfile "/usr/local/etc/mosquitto/mosquitto.passwd".

Looking at that file, I saw:

$ ls -l /usr/local/etc/mosquitto/mosquitto.passwd
-rw-r-----  1 root  wheel  231 Sep  6  2019 /usr/local/etc/mosquitto/mosquitto.passwd

Let’s try this:

$ sudo chgrp mosquitto /usr/local/etc/mosquitto/mosquitto.passwd
$ ls -l /usr/local/etc/mosquitto/mosquitto.passwd
-rw-r-----  1 root  mosquitto  231 Sep  6  2019 /usr/local/etc/mosquitto/mosquitto.passwd

When I started mosquitto, I saw new errors this time.

It’s the certificate key file

Looking at /var/log/messages, I found:

Mar 21 13:14:33 supernews mosquitto[27095]: 1616418873: Error: Unable to load server key file "/usr/local/etc/ssl/example.org.key". Check keyfile.
Mar 21 13:14:33 supernews mosquitto[27095]: 1616418873: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
Mar 21 13:14:33 supernews mosquitto[27095]: 1616418873: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
Mar 21 13:14:33 supernews mosquitto[27095]: 1616418873: OpenSSL Error[2]: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

I know how to fix this one:

$ ls -l /usr/local/etc/ssl/example.org.key
-rw-------  1 root  wheel  1675 Apr 11  2018 /usr/local/etc/ssl/example.org.key
$ sudo chgrp mosquitto /usr/local/etc/ssl/example.org.key
$ sudo chmod g+r /usr/local/etc/ssl/example.org.key
$ ls -l /usr/local/etc/ssl/example.org.key
-rw-r-----  1 root  mosquitto  1675 Apr 11  2018 /usr/local/etc/ssl/example.org.key

One More Time!

Let’s try again:

$ sudo service mosquitto start
Starting mosquitto.
$ ps auwwx | grep mosq
mosquitto  41513   0.8  0.1  19628   9956  -  Ss   13:16       0:00.13 /usr/local/sbin/mosquitto -c /usr/local/etc/mosquitto/mosquitto.conf -d
dan        41965   0.0  0.0  11432   2360  1  S+   13:16       0:00.00 grep mosq

There we go.

Why all this hassle?

Conclusions: it seems that mosquitto is now dropping privs before writing the PID file and before reading the certificate and password files.

I think the rc.d script needs updating and an entry added to UPDATING.
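Since the broker now opens the pid file, password file and key file only after dropping privileges, the useful check is "can the mosquitto user reach each of these paths", not "can root". The script below is an added example, not from the original post or the port: it pulls the active pid_file, password_file, keyfile, certfile and cafile directives out of a mosquitto.conf (anchored on the first field, so commented-out lines are skipped, unlike the grep in the rc.d script) and evaluates the ownership and mode bits of each path for a given user and group, so it can be run as root before service mosquitto start without switching to the mosquitto user. The user and group names "mosquitto" are only assumed defaults; the config path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not the port's or the post's own code): preflight the files
# mosquitto 2.x touches after dropping privileges.
# Assumes POSIX sh and that "ls -ld" prints "mode links owner group ...".

# Print the value of an active (uncommented) directive from $1 named $2.
# Matching the first field means "#pid_file ..." comment lines never match.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Can user $2 (member of group $3) read ($4=r) or write ($4=w) path $1?
# Decided from owner, group and mode bits, so it works for a user other
# than the one running the script.  Returns 0 if yes, 1 if no.
accessible() {
    path=$1; user=$2; group=$3; bit=$4
    [ -e "$path" ] || return 1
    set -- $(ls -ld "$path")
    mode=$1; owner=$3; grp=$4
    case $bit in r) off=0 ;; w) off=1 ;; *) return 2 ;; esac
    # mode string: type, then rwx for user (2-4), group (5-7), other (8-10)
    ubit=$(printf '%s' "$mode" | cut -c$((2 + off)))
    gbit=$(printf '%s' "$mode" | cut -c$((5 + off)))
    obit=$(printf '%s' "$mode" | cut -c$((8 + off)))
    if [ "$owner" = "$user" ] && [ "$ubit" = "$bit" ]; then return 0; fi
    if [ "$grp" = "$group" ] && [ "$gbit" = "$bit" ]; then return 0; fi
    if [ "$obit" = "$bit" ]; then return 0; fi
    return 1
}

# Check every file the broker opens after dropping privileges.
# $1 = mosquitto.conf, $2 = broker user, $3 = broker group (assumed defaults:
# mosquitto).  Prints one line per directive; returns the number of failures.
preflight() {
    conf=$1; user=${2:-mosquitto}; group=${3:-mosquitto}; fails=0
    # directive:kind:bit -- the pid file needs a writable directory, the
    # password file and TLS material need to be readable.
    for spec in pid_file:dir:w password_file:file:r keyfile:file:r \
                certfile:file:r cafile:file:r; do
        key=${spec%%:*}; rest=${spec#*:}; kind=${rest%%:*}; bit=${rest#*:}
        value=$(conf_value "$conf" "$key")
        if [ -z "$value" ]; then
            echo "skip: $key not set"
            continue
        fi
        target=$value
        if [ "$kind" = dir ]; then target=$(dirname "$value"); fi
        if accessible "$target" "$user" "$group" "$bit"; then
            echo "ok:   $key ($target is '$bit' for $user:$group)"
        else
            echo "FAIL: $key ($target is not '$bit' for $user:$group)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Stand-alone use: sh preflight.sh /usr/local/etc/mosquitto/mosquitto.conf mosquitto mosquitto
if [ $# -ge 1 ]; then preflight "$@"; fi
```

On the system described above, the three FAIL lines would have been the pid file directory, mosquitto.passwd and example.org.key, which is exactly the order the errors surfaced in once each earlier one was fixed.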


One Response to “mosquitto: upgrade from 1.x to 2.x requires configuration changes to keep working”

1. I upgraded two more mosquitto instances today. Same issues.