mosquitto icon indicating copy to clipboard operation
mosquitto copied to clipboard
verified publisher icon eclipse

Mosquitto restarts following dynamic-security command over bridge

Open BrodieGriggs opened this issue 8 months ago • 1 comments

I am using mosquitto with the dynamic-security plugin as part of chirpstack-docker.

I need the dynamic security plugin to be controllable from another broker, so I have configured a bridge from the mosquitto broker to remote within mosquitto.conf:

connection remote-control-test
cleansession true
bridge_outgoing_retain false
address ...
remote_clientid mqtt-bridge
remote_username ...
remote_password ...
local_clientid mqtt-bridge
local_username ...
local_password ...
topic application/# out 0 "" LoRaWAN/
topic $CONTROL/dynamic-security/v1/response out 0 "" LoRaWAN/
topic $CONTROL/dynamic-security/v1 in 0 "" LoRaWAN/

I have tested dynamic-security interactions using the login provided to the bridge (local_username/local_password). Connecting using Mqtt Explorer to mosquitto, everything works with no issues.

However, when I attempt to send a command from the remote broker, via the bridge, the mosquitto broker restarts immediately after the publish is received:

2025-04-24 15:56:42 1745506602: Received PUBLISH from mqtt-bridge (d0, q0, r0, m0, '$CONTROL/dynamic-security/v1', ... (128 bytes))
2025-04-24 15:56:43 1745506603: mosquitto version 2.0.21 starting

If I issue a command on the mosquitto broker, the response is successfully forwarded to the remote broker $CONTROL/dynamic-security/v1/response. so it seems to be an issue solely with issuing commands via the bridge.

Is there something wrong with my configuration, or is it not possible to publish to the $CONTROL/dynamic-security/v1 topic using mosquitto's bridge connections?

Full mosquitto.conf

BrodieGriggs avatar Apr 24 '25 15:04 BrodieGriggs

Thanks for the full details. This is related to using per_listener_settings true with the bridge control topic that you're doing. The fix will result in the control topics not working in this scenario - the bridges aren't connected to a listener, so they can't interact with any of those per-listener plugins.

Having said that, the fix for what you actually want to do is straightforward. You have no need for per_listener_settings true in your config file, so just use this instead:

log_type all

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/data/dynamic-security.json

listener 1883 127.0.0.1

listener 8883
cafile /mosquitto/tls-certs/ca-chain.pem
certfile /mosquitto/tls-certs/chirpstack-mosquitto.pem
keyfile /mosquitto/tls-certs/chirpstack-mosquitto-key.pem

connection remote-control-test
cleansession true
bridge_outgoing_retain false
address ...
remote_clientid mqtt-bridge
remote_username ...
remote_password ...
local_clientid mqtt-bridge
local_username ...
local_password ...
topic application/# out 0 "" LoRaWAN/
topic $CONTROL/dynamic-security/v1/response out 0 "" LoRaWAN/
topic $CONTROL/dynamic-security/v1 in 0 "" LoRaWAN/

ralight avatar May 01 '25 00:05 ralight