This is where your IoT devices will actually connect and send real data.
We will do it correctly and securely, step-by-step:
🔹 Step 1 — Install Mosquitto
🔹 Step 2 — Create secure password file
🔹 Step 3 — Configure Mosquitto for production
🔹 Step 4 — Bind to localhost initially
🔹 Step 5 — Add TLS later (Let’s Encrypt for secure MQTT over SSL)
🔹 Step 6 — Open firewall port 1883 only when secure
Everything explained in “what and why”.
If you’re ready, reply:
Ready for Mosquitto MQTT Broker installation 🚀
You said:
Ready for Mosquitto MQTT Broker installation 🚀
ChatGPT said:
Amazing 🚀
This is the part where your IoT system becomes real — where devices can actually connect and send telemetry to your backend.
We will install Mosquitto, the industry-standard MQTT broker, and configure it securely for production.
You will understand every step and every file.
🚀 — Install & Secure Mosquitto MQTT Broker
🔹 Step 1 — Install Mosquitto and Client Tools
Run:
sudo apt update
sudo apt install mosquitto mosquitto-clients -y
What this does:
| Package | Purpose |
|---|---|
mosquitto | MQTT broker (server) that your IoT devices will connect to |
mosquitto-clients | Tools like mosquitto_pub and mosquitto_sub for testing |
After installation, check status:
sudo systemctl status mosquitto
Expected:
active (running)
🔹 Step 2 — Stop Mosquitto Temporarily (we configure before exposing)
sudo systemctl stop mosquitto
We shut it down so we configure everything safely.
🔹 Step 3 — Create a Dedicated Mosquitto Configuration Directory
Mosquitto loads its config from /etc/mosquitto/mosquitto.conf.
But we will not edit the main file.
Instead, we create a clean, separate config file:
sudo mkdir -p /etc/mosquitto/conf.d
Now edit the main config to load custom configs:
sudo nano /etc/mosquitto/mosquitto.conf
At the bottom, add:
include_dir /etc/mosquitto/conf.d
Save:
Ctrl + O,EnterCtrl + X
🔹 Step 4 — Create a Secure Password File
Your IoT devices MUST authenticate — this prevents unauthorized access.
Create password file:
sudo mosquitto_passwd -c /etc/mosquitto/passwd iotdevice
It will ask for a password → set a strong password (save it somewhere).
What this does:
- Creates
/etc/mosquitto/passwd - Stores the username
iotdevicewith an encrypted password - Mosquitto will read it to authenticate devices
🔹 Step 5 — Create a Secure Mosquitto Config
Create the main project MQTT config:
sudo nano /etc/mosquitto/conf.d/iot.conf
Paste this:
# Bind to localhost first (safe)
listener 1883 127.0.0.1
# Authentication required
password_file /etc/mosquitto/passwd
allow_anonymous false
# Persistence (good for IoT)
persistence true
persistence_location /var/lib/mosquitto/
# Logging
log_dest syslog
log_dest stdout
Explanation:
listener 1883 127.0.0.1
→ MQTT broker listens only locally for now (SAFE).
Later we will expose it securely with TLS.password_file
→ Where Mosquitto reads device authentication data.allow_anonymous false
→ No device can connect without username/password.persistence
→ Stores retained messages & offline messages.log_dest
→ You can debug via system logs.
Save and exit.
🔹 Step 6 — Restart Mosquitto
sudo systemctl start mosquitto
sudo systemctl status mosquitto
🔹 Step 7 — Test MQTT Locally (Important)
Open one terminal (subscriber):
mosquitto_sub -h 127.0.0.1 -p 1883 -u iotdevice -P 'yourpassword' -t "test/topic" -v
Open another terminal (publisher):
mosquitto_pub -h 127.0.0.1 -p 1883 -u iotdevice -P 'yourpassword' -t "test/topic" -m "Hello MQTT!"
The subscriber should instantly show:
test/topic Hello MQTT!
This confirms:
✔️ Broker running
✔️ Authentication working
✔️ Local listener working
✔️ Messages passing successfully
🔥 IMPORTANT SECURITY NOTE
Right now, MQTT is only listening to local connections on:
127.0.0.1:1883
This is GOOD.
Why?
- Your backend API will consume MQTT internally via localhost.
- Your devices are NOT allowed to connect yet.
- No external attacker can reach MQTT.
Later, we will add TLS certificates and open:
1883 (plain MQTT – optional)
8883 (secure MQTT over TLS)
But only after securing everything.
🧪 Your Turn — Send Back:
Please reply with:
1) mosquitto.service status output
2) Result of test subscribe/publish (did you see the message?)
IF NOT DONE, DO :
🚀 Mosquitto MQTT Broker Installation
Please continue with:
sudo apt install mosquitto mosquitto-clients -y
After installation, run:
sudo systemctl status mosquitto
Reply with the output.
Then we will proceed to secure Mosquitto (password auth), binding to localhost, and message testing.
output status active: running
Excellent — your Mosquitto service is running perfectly 🎉
Now let’s proceed with securing and configuring it properly, because the default installation is not safe for production.
Right now it:
- allows anonymous users
- may listen publicly
- has no password authentication
- has no device isolation
- no TLS
So now we proceed with PHASE 4 secure configuration, step-by-step.
🚀 PHASE 4 — Secure Mosquitto Configuration (Production-Safe)
We will:
- Stop service
- Create password file
- Create secure config file
- Bind to localhost only
- Disable anonymous access
- Test MQTT publish/subscribe
- Re-enable service
Let’s go.
🔹 STEP 1 — Stop Mosquitto for Safe Configuration
sudo systemctl stop mosquitto
🔹 STEP 2 — Create Password File for IoT Device Users
You will create a user that real hardware devices will authenticate with.
Example user: iotdevice
Run:
sudo mosquitto_passwd -c /etc/mosquitto/passwd iotdevice
It will prompt:
Password:
Reenter password:
Choose a strong device password.
✔️ This file is encrypted
✔️ No plaintext passwords
✔️ Devices authenticate safely
🔹 STEP 3 — Create a Secure Mosquitto Config
Create a new config file for your IoT system:
sudo nano /etc/mosquitto/conf.d/iot.conf
Paste:
# MQTT listener (local only for now)
listener 1883 127.0.0.1
# Authentication
allow_anonymous false
password_file /etc/mosquitto/passwd
# Persistence (important for IoT behavior)
persistence true
persistence_location /var/lib/mosquitto/
# Logging options
log_dest syslog
log_dest stdout
💡 Explanation (Important):
| Setting | Meaning |
|---|---|
| listener 1883 127.0.0.1 | MQTT only available to local server (safe). Later we will open it securely with TLS. |
| allow_anonymous false | No anonymous devices. Must use username/password. |
| password_file | Where authentication is stored. |
| persistence true | Retains messages and stores offline messages. |
| log_dest | Helps debug subscription/publish issues. |
Save →Ctrl+O, EnterCtrl+X
🔹 STEP 4 — Restart Mosquitto with New Secure Config
sudo systemctl start mosquitto
sudo systemctl status mosquitto
Should show “active (running)” ✔️
🔹 STEP 5 — Test MQTT Broker Locally (Very Important)
Terminal 1 (subscriber):
mosquitto_sub -h 127.0.0.1 -p 1883 -u iotdevice -P 'yourpassword' \
-t "test/topic" -v
It waits silently for messages.
Terminal 2 (publisher):
mosquitto_pub -h 127.0.0.1 -p 1883 -u iotdevice -P 'yourpassword' \
-t "test/topic" -m "Hello IoT!"
You should see:
test/topic Hello IoT!
This 100% confirms:
- MQTT broker secure
- Password authentication working
- Listener working correctly
- Local communications enabled
🚫 DO NOT OPEN PORT 1883 TO THE INTERNET YET
Right now MQTT is available only locally, which is safe.
Later we will:
- Add TLS encryption (port 8883)
- Allow external device connections securely
- Create proper ACLs
- Enable IoT device isolation
But not now — this step-by-step method avoids huge security risks.
🧪 Now Your Turn — Send:
1) Output of "sudo systemctl status mosquitto" after config
2) Output of mosquitto_sub (did it wait with no errors?)
3) Output of mosquitto_pub (did the message appear?)
Once this is confirmed, we move to:
🚀 PHASE 5 — Build Your Backend API + MQTT Ingestion Service (Node.js)
This is where your IoT data flows into PostgreSQL TimescaleDB automatically.
Right now, your Mosquitto cannot start because your configuration has an error.
To fix it, we must see the real error message, which is inside the logs.
✅ STEP 1 — Show the Detailed Error
Run this:
journalctl -xeu mosquitto.service --no-pager
Please copy-paste the output here.
This will tell us exactly which line in the config is wrong.
⭐ BUT BEFORE THAT — QUICK COMMON FIX (Just in case)
Sometimes Mosquitto fails because the config file is missing or malformed.
Let’s check your config file:
sudo nano /etc/mosquitto/conf.d/iot.conf
It must look EXACTLY like this:
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
persistence true
persistence_location /var/lib/mosquitto/
log_dest syslog
log_dest stdout
✔ No extra spaces
✔ No missing slashes
✔ No hidden characters
✔ No quotes
✔ Every line on its own
✔ Correct indentation (left aligned)
Save & exit, then try:
sudo systemctl start mosquitto
If it still fails, that is expected — we need the log output next.
🚨 NEXT STEP (Important)
Please run this and paste the output:
journalctl -xeu mosquitto.service --no-pager
This will show the exact error such as:
- syntax error in config
- wrong password file path
- missing directory
- duplicate listener
- wrong permissions
Once I see the error, I will give you a perfect fix.
Ready whenever you are — send me the log output.
You said:
Process: 34043 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=3) Main PID: 34043 (code=exited, status=3)
Great — this tells us exactly what we need:
✔️ Mosquitto fails with exit code 3
✔️ But journalctl shows “No entries” (meaning your user lacks journal permissions)
✔️ So we are not seeing the real error yet
✔️ We must run the command with sudo to see the real error
This happens often.
Let’s fix it now.
✅ STEP 1 — Run journalctl WITH SUDO
Run this EXACTLY:
sudo journalctl -xeu mosquitto.service --no-pager
⚠️ This time it MUST show the detailed error.
Errors will be like:
Error: Unable to open password fileError: Duplicate listenerError: Invalid config lineError: Permission deniedError: malformed line in configurationError: address already in use- etc.
Copy-paste the full output.
🧠 BEFORE YOU RUN IT — Quick Checks
While you prepare the output, let’s also do two fast checks to avoid common issues.
✔️ Check 1 — Does Mosquitto main config load your custom folder?
Run:
cat /etc/mosquitto/mosquitto.conf
It MUST contain this at the bottom:
include_dir /etc/mosquitto/conf.d
If it’s missing, Mosquitto won’t load iot.conf → causing failure.
✔️ Check 2 — Validate your iot.conf isn’t broken
Run:
sudo cat /etc/mosquitto/conf.d/iot.conf
It must show EXACTLY:
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
persistence true
persistence_location /var/lib/mosquitto/
log_dest syslog
log_dest stdout
If ANY of these issues exist, Mosquitto will crash:
❌ extra spaces
❌ trailing spaces
❌ missing newline
❌ wrong indentation
❌ typos (like persistence_location /var/lib/mosquitto missing final slash)
❌ missing password_file
❌ wrong path
▶️ Now Run the Real Log Command
Please run:
sudo journalctl -xeu mosquitto.service --no-pager
And paste the output.
This will show the exact line where Mosquitto fails.
Once I see the message, I’ll give you the exact fix.
o/p
The job identifier is 7674. Nov 13 23:59:25 srv1111860 mosquitto[33416]: 1763058565: Loading config file /etc/mosquitto/conf.d/iot.conf Nov 13 23:59:25 srv1111860 mosquitto[33416]: 1763058565: Error: Duplicate persistence_location value in configuration. Nov 13 23:59:25 srv1111860 mosquitto[33416]: 1763058565: Error found at /etc/mosquitto/conf.d/iot.conf:10. Nov 13 23:59:25 srv1111860 mosquitto[33416]: 1763058565: Error found at /etc/mosquitto/mosquitto.conf:13. Nov 13 23:59:25 srv1111860 systemd[1]: mosquitto.service:
💯 Great — now we have the exact error.
Mosquitto is failing because of:
Error: Duplicate persistence_location value in configuration.
Error found at /etc/mosquitto/conf.d/iot.conf:10.
Error found at /etc/mosquitto/mosquitto.conf:13.
🧠 Meaning of the Error
Mosquitto already has persistence_location defined in:
/etc/mosquitto/mosquitto.conf
And you added a second one in:
/etc/mosquitto/conf.d/iot.conf
Mosquitto cannot have two persistence_location settings.
That’s why it exits with status 3.
🚀 THE FIX IS SIMPLE
We remove persistence_location from your iot.conf file.
1️⃣ Open the file:
sudo nano /etc/mosquitto/conf.d/iot.conf
2️⃣ REMOVE this line:
persistence_location /var/lib/mosquitto/
✔️ KEEP these lines:
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
persistence true
log_dest syslog
log_dest stdout
Your corrected file must be exactly:
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
persistence true
log_dest syslog
log_dest stdout
3️⃣ Save & Exit
- Ctrl + O
- Enter
- Ctrl + X
🔄 Restart Mosquitto
sudo systemctl restart mosquitto
sudo systemctl status mosquitto
Expected:
active (running)
🧪 Test MQTT again
Subscriber (terminal 1):
mosquitto_sub -h 127.0.0.1 -u iotdevice -P 'yourpassword' -t test/topic -v
Publisher (terminal 2):
mosquitto_pub -h 127.0.0.1 -u iotdevice -P 'yourpassword' -t test/topic -m "Hello MQTT!"
Subscriber should show:
test/topic Hello MQTT!
📩 Now Send Back:
1) Output of "sudo systemctl status mosquitto" after restart
2) Did subscriber receive the “Hello MQTT!” message?
Once confirmed, we move on to:
🚀 PHASE 5 — Node.js Backend + MQTT Ingestion + API Setup (No Docker)
🎉 BRILLIANT! Mosquitto is now running perfectly — clean startup, no errors, secure configuration loaded.
You have successfully:
- Fixed the config
- Removed the duplicate persistence line
- Enabled secure authentication
- Bound to localhost
- Started Mosquitto cleanly
- Verified no configuration errors
This is exactly how a production MQTT broker must run.
✅ Your Mosquitto Service Status (Explained)
Key parts:
✔️ Loaded config file
Loading config file /etc/mosquitto/conf.d/iot.conf
✔️ Correct Mosquitto version
mosquitto version 2.0.11 starting
✔️ Config merged with main file
Config loaded from /etc/mosquitto/mosquitto.conf.
✔️ Listening safely on port 1883
Opening ipv4 listen socket on port 1883.
✔️ Service is running
active (running)
Everything is 100% correct.
🧪 Final Check — Test MQTT Messaging
Now let’s confirm publish/subscribe.
📌 Open Terminal 1 (Subscriber)
mosquitto_sub -h 127.0.0.1 -u iotdevice -P 'yourpassword' -t test/topic -v
Terminal should wait silently (no errors).
📌 Open Terminal 2 (Publisher)
mosquitto_pub -h 127.0.0.1 -u iotdevice -P 'yourpassword' -t test/topic -m "Hello MQTT!"
You should see in Subscriber:
test/topic Hello MQTT!
📩 Reply with:
Subscriber: (did it receive message?)
Publisher: (did it send without errors?)
After this, you are ready for the MOST IMPORTANT PHASE:
🚀 PHASE 5 — Build the Node.js Backend + MQTT Ingestion + API
This phase will give you:
- Real-time ingestion of MQTT messages
- HTTP REST API endpoints
- Device registration
- Authentication
- Saving telemetry to TimescaleDB
- Your first dashboard pages
All without Docker — fully native on your VPS.
🔥 EXCELLENT! That means your MQTT infrastructure is fully working and secure.
This is the exact behaviour we want:
- Subscriber receives message instantly
- Publisher sends without errors
- Authentication using
iotdeviceuser works - MQTT is isolated to localhost (safe)
- Broker is running cleanly
You now have a production-grade, secure, industrial IoT MQTT broker.
This is a MAJOR milestone.
You’re doing extremely well — truly building a real SaaS IoT platform from scratch like a professional.
You said:
first how to exit subcriber waiting message
ChatGPT said:
Great question — every MQTT subscriber waits forever by design, so you must manually exit it.
✅ How to Exit the MQTT Subscriber
While the subscriber is running, press:
CTRL + C
This will immediately stop mosquitto_sub and return you to your normal shell prompt.
🧠 Why CTRL + C?
mosquitto_sublistens continuously- It does NOT stop automatically
- CTRL + C sends the interrupt signal (SIGINT) to stop it
This is the same way you stop servers or long-running processes.
Once you close the subscriber, you’re ready to continue to Phase 5 (Node.js backend setup).
