How to Install and Secure Mosquitto MQTT Messaging Broker on Ubuntu 16.04

Join us at the Alibaba Cloud ACtivate Online Conference on March 5–6 to challenge assumptions, exchange ideas, and explore what is possible through digital transformation.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Mosquitto is a lightweight, open source and machine-to-machine messaging protocol for communication between “Internet of Things” devices such as ESP8266, Raspberry Pi, etc. It is designed for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium. It is written in C language and suitable for use on all devices from low power single board computers to full servers. It is also ideal for mobile applications because of its small size, low power usage, minimized data packets, and efficient distribution of information to one or many receivers. Mosquitto is one of the most popular MQTT brokers due to its good community support, documentation and ease of installation.

In this tutorial, we will be installing Mosquitto with Let’s Encrypt on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.


  1. A fresh Alibaba Cloud Ubuntu 16.04 instance.

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Mosquitto

By default, Mosquitto is available in the Ubuntu 16.04 default repository. You can easily install it by just running the following command:

apt-get install mosquitto mosquitto-clients -y

Once the installation has been completed, you can check the status of Mosquitto service with the following command:

systemctl status mosquitto


mosquitto.service - LSB: mosquitto MQTT v3.1 message broker
Loaded: loaded (/etc/init.d/mosquitto; bad; vendor preset: enabled)
Active: active (running) since Sun 2018-09-16 13:30:52 IST; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 15608 ExecStop=/etc/init.d/mosquitto stop (code=exited, status=0/SUCCESS)
Process: 15623 ExecStart=/etc/init.d/mosquitto start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/mosquitto.service
└─15636 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
Sep 16 13:30:52 systemd[1]: Stopped LSB: mosquitto MQTT v3.1 message broker.
Sep 16 13:30:52 systemd[1]: Starting LSB: mosquitto MQTT v3.1 message broker...
Sep 16 13:30:52 mosquitto[15623]: * Starting network daemon: mosquitto
Sep 16 13:30:52 mosquitto[15623]: ...done.
Sep 16 13:30:52 systemd[1]: Started LSB: mosquitto MQTT v3.1 message broker.

Mosquitto clients help you to test MQTT through a command line utility. To do so, you will need to open two terminal windows, one to subscribe to a topic named and one to publish a message to it.

Let’s subscribe to the topic named testing by running the following command on the first terminal:

mosquitto_sub -t "testing"

Now, publish a message to the topic testing by running the following command on the second terminal:

mosquitto_pub -m "hello world" -t "testing"

You should see a message from mosquitto_pub client displayed in first terminal.

Now, press “Ctrl+C” to exit the subscribe client.

Secure Mosquitto with Password

Mosquitto comes with a utility called mosquitto_passwd to generate a special password file. It is used to configure Mosquitto to use passwords.

Let’s create a user named hitesh and setup password with the following command:

mosquitto_passwd -c /etc/mosquitto/passwd hitesh
Password: admin

Next, configure Mosquitto to use this password file to require logins for all connections. You can do this by editing /etc/mosquitto/conf.d/default.conf file:

nano /etc/mosquitto/conf.d/default.conf

add the following lines:

allow_anonymous false
password_file /etc/mosquitto/passwd

Save and close the file. Then, restart Mosquitto server to test your changes.

systemctl restart mosquitto

Now, open the first terminal and subscribe to topic named testing with username and password by running the following command:

mosquitto_sub -t "testing" -u "hitesh" -P "admin"

Now, open the second terminal try to publish a message without a password:

mosquitto_pub -h localhost -t "testing" -m "hello world"

The message will be rejected with the following error message:

Connection Refused: not authorised.
Error: The connection was refused.

Now publish a message with the username and password:

mosquitto_pub -h localhost -t "testing" -m "hello world" -u "hitesh" -P "admin"

You should see the message in subscribe client window.

Secure Mosquitto with Let’s Encrypt

Let’s Encrypt is a free, automated, and open Certificate Authority that provides free certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the hitherto complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. Before starting, you will need to install Certbot the official Let’s Encrypt client to your system. By default, Certbot is not available in the Ubuntu 16.04 default repository. So, you will need to add PPA for that. You can add it with the following command:

add-apt-repository ppa:certbot/certbot

Next, update the repository and install Certbot by running the following command:

apt-get update -y
apt-get install certbot -y

Next, you will need to run Certbot to get your certificate for domain You can do this by running the following command:

certbot certonly --standalone --preferred-challenges http-01 -d

During the installation, you will be prompted to enter an email address and agree to the terms of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
Starting new HTTPS connection (1):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at You must
agree in order to register with the ACME server at
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for

Next, you will need to setup Certbot automatic renewals, because Let’s Encrypt’s certificates are only valid for ninety days.

You can setup automatic renewals by editing crontab file:

crontab -e

Add the following lines

##Run the command at 6:00 PM everyday, check all certificates installed on the system and update any that are set to expire in less than thirty days.
18 00 * * * certbot renew --noninteractive --post-hook "systemctl restart mosquitto"

Save and close the file, when you are finished.

Configure Mosquitto to Use SSL

Next, you will need to tell Mosquitto where your Let’s Encrypt certificates are stored. You can do this by editing /etc/mosquitto/conf.d/default.conf file:

nano /etc/mosquitto/conf.d/default.conf

Add the following lines:

listener 1883 localhostlistener 8883
certfile /etc/letsencrypt/live/
cafile /etc/letsencrypt/live/
keyfile /etc/letsencrypt/live/

Save and close the file. Then, restart Mosquitto to update the changes.

systemctl restart mosquitto

Now, open your terminal and subscribe client with a username, password and SSL as shown below:

mosquitto_sub -h -t testing -p 8883 --capath /etc/ssl/certs/ -u "hitesh" -P "admin"

Next, open second terminal and publish a message with a username, password and SSL as shown below:

mosquitto_pub -h -t testing -m "hello world" -p 8883 --capath /etc/ssl/certs/ -u "hitesh" -P "admin"

Now, you should see the message in subscribe client window.


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.