top | item 25988753


majormjr | 5 years ago

This is a good tutorial to get the server side of things secured. I didn't know you could use Traefik to proxy the MQTT connections as well which looks quite useful.

The biggest issue I have is with the client side and its various support of TLS and getting a trusted CA certificate distributed. This is the harder part of the equation in my opinion, support is getting better with firmwares like Tasmota but getting some third party IoT device to work over TLS is still a challenge.

juriansluiman | 5 years ago

You're totally right. Although in my experience this is much easier to maintain with "upstream root certificates" (not sure what you'd call them) than self-signed certs. Applications like Home Assistant are already TLS aware and simply trust all root certs which are available on the host. With self-signed certs, you have to distribute them all by yourself.

Besides this trade-off, you have to check beforehand that all clients are TLS aware. In my setup, all clients were capable of TLS. The only hassle is my NodeMCU devices, which need to swap the WifiClient for a WifiSSLClient, and you need to embed the public DST Root CA X3 yourself.
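The NodeMCU change described in the comment above, written out as an added example (this is not the commenter's code, nor the tutorial's): an ESP8266 Arduino sketch that replaces the plain WiFiClient with BearSSL's WiFiClientSecure, embeds a single root CA as the only trust anchor, and publishes over MQTT on port 8883 with PubSubClient. The Wi-Fi credentials, broker hostname, topic and client ID are placeholders, and the PEM body must be filled in with the root you actually use; the NTP step is there because the ESP8266 boots with its clock at 1970 and BearSSL rejects every certificate as "not yet valid" until the time is set.

```arduino
// Added example (not from the original page): ESP8266/NodeMCU publishing to an
// MQTT broker over TLS, validating the broker's chain against one embedded
// root CA. Assumes the ESP8266 Arduino core (BearSSL) and the PubSubClient
// library; all names below are placeholders.
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>
#include <time.h>

static const char*    WIFI_SSID  = "example-ssid";          // assumption
static const char*    WIFI_PASS  = "example-pass";          // assumption
static const char*    MQTT_HOST  = "mqtt.example.com";      // must match the cert's SAN
static const uint16_t MQTT_PORT  = 8883;
static const char*    MQTT_TOPIC = "sensors/example/temperature";
static const char*    CLIENT_ID  = "nodemcu-example";

// The root that signed the broker's certificate chain. Paste the PEM of the
// root you actually use. DST Root CA X3 (mentioned in the comment) expired in
// September 2021; Let's Encrypt chains now validate against ISRG Root X1.
// Unlike a host with a system trust store, the device trusts ONLY this root.
static const char ROOT_CA_PEM[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
(paste the base64 body of the root CA certificate here)
-----END CERTIFICATE-----
)EOF";

// WiFiClient is swapped for BearSSL::WiFiClientSecure; the trust-anchor list
// is built once from the embedded PEM and handed to the TLS client in setup().
BearSSL::X509List        trustAnchors(ROOT_CA_PEM);
BearSSL::WiFiClientSecure tlsClient;
PubSubClient              mqtt(tlsClient);

// Certificate validation checks notBefore/notAfter. Block until NTP has moved
// the clock past an obviously-after-boot timestamp (here: September 2020).
static void syncClock() {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  time_t now = time(nullptr);
  while (now < 1600000000) {
    delay(250);
    now = time(nullptr);
  }
}

// Connect to the broker; on failure, print BearSSL's reason so a wrong root,
// an expired cert or a hostname mismatch is visible instead of a silent retry.
static void connectMqtt() {
  while (!mqtt.connected()) {
    if (mqtt.connect(CLIENT_ID)) {
      return;
    }
    char err[100];
    tlsClient.getLastSSLError(err, sizeof(err));
    Serial.printf("MQTT connect failed (rc=%d): %s\n", mqtt.state(), err);
    delay(5000);
  }
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(250);
  }
  syncClock();

  // Pin trust to the embedded root. Do not call tlsClient.setInsecure():
  // that skips chain and hostname validation entirely, so the TLS layer
  // would still encrypt but no longer authenticate the broker.
  tlsClient.setTrustAnchors(&trustAnchors);

  mqtt.setServer(MQTT_HOST, MQTT_PORT);
}

void loop() {
  connectMqtt();
  mqtt.loop();

  static unsigned long lastPublish = 0;
  if (millis() - lastPublish > 30000) {
    lastPublish = millis();
    mqtt.publish(MQTT_TOPIC, "21.5");   // constructed sample reading
  }
}
```

The design choice worth noting is that the device carries exactly one trust anchor, so the maintenance cost the thread describes shows up as a firmware rebuild whenever that root changes (as it did when DST Root CA X3 expired). Embedding a public root rather than a self-signed one at least means the broker's leaf certificate can be renewed freely without touching the devices, as long as the chain still terminates at the embedded root.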