惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
T
Tenable Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
S
Security Affairs
NISL@THU
NISL@THU
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
S
SegmentFault 最新的问题
S
Schneier on Security
G
Google Developers Blog
V
V2EX
C
Check Point Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
T
Threatpost
阮一峰的网络日志
阮一峰的网络日志
T
The Exploit Database - CXSecurity.com
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
S
Secure Thoughts
博客园 - 司徒正美
Recorded Future
Recorded Future
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
K
Kaspersky official blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
博客园 - 聂微东
N
News and Events Feed by Topic
SecWiki News
SecWiki News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Project Zero
Project Zero
W
WeLiveSecurity
博客园 - Franky

Nemo

再见,2025 Complete ORB-SLAM3 Setup Guide for Jetson Xavier NX with RealSense D455 20250723 再见,2024 Create Your Own GPS Data Publisher Support SSL AGV Dispatching System Technical Documentation Finding Nemo No title 香港賽馬會呈獻系列:黑白——攝影敘事 再见,2023 团团是只猫 Design an FSM for Robot State Machines – Basics of Computer Science Data-driven robot lifespan: Collection 数据驱动的机器人寿命:收集、诊断、预测 Exploring the design space of binary search trees 特首来了 Large language models, explained with a minimum of math and jargon 设计有缓存异步逻辑的监控脚本并测试其资源占用 使用loguru记录串口数据并使用Docker搭建ARM开发环境 在vscode的Dev Container中构建.NET开发环境及使用doxygen和graphviz绘制函数调用图 State or Status? A*算法两种时间复杂度 /A* Algorithm: Two Types of Time Complexity 使用KD-Tree快速收敛到最近坐标点/Fast convergence to the nearest coordinate point using KD-Tree 翻译 || 总结 - Go语言中的空结构体(The empty struct) 再见,2022 从PE工作报告中能读出什么 Give me miles, give me truth AMR调度系统性能优化/AMR Dispatch System Performance Optimization 条件触发AMR避让流程/Conditionally triggered AMR avoidance process Docker实现调度系统整体部署/Docker implementation of dispatching system overall deployment 调度系统中加密算法的使用/增加SM4补0方法/Use of encryption algorithms in scheduling systems/add SM4 complementary 0 method 一篇关于北京四天三夜的攻略 2022 藏疆自驾 策划/招募书 AMR仿真模型/AMR Simulation Model 东东有鱼2022年会分享 使用perf-FlameGraph监控系统性能 Beyond Compare 4删除试用 你的灵魂有香气 Pyinstaller打包Python项目 [转载]Python中的单例模式的几种实现方式的及优化 - Nemo 再见! 2020 1024 UML软件建模 入职优必选一个月 写论文时 那些让你开心的软件 - Nemo 分享一个记录刷题次数的模版 LeetCode-查找表类算法题精析 PyCharm 调用vs 2010 C++库导致提示报错R6034解决方法 MySQL基础教程 多种数据结构的Python实现形式 字节跳动-挑战字符串 选择排序 二分查找和大O表示法 算法中的动态规划问题 高高手课程-青山裕企人像摄影 笔记(内含福利)
Using CertBot for Automatic Secure EMQX Broker
Nemo · 2024-07-11 · via Nemo

As mentioned in my previous blog posts, I took a vacation at the beginning of May, so I haven’t written much in the past six months. Today, I want to share a simple project about using CertBot to automatically renew certificates for the EMQX Broker, which is crucial for managing numerous MQTT brokers in a robotics lab.

Logic Flow

image.png
The first step is to create a CertBot container to apply for a certificate for the host. If successful, then create the EMQX container to use the applied certificate. CertBot checks the validity period of the certificate every 12 hours, and if the certificate file is modified, the EMQX container will restart.

Structure

├── docker-compose.yml
├── emqx-custom
│   └── Dockerfile
├── start-emqx.sh
└── update-certs-and-setup.sh

Code Example

docker-compose.yml

version: '3'

services:
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./update-certs-and-setup.sh:/update-certs-and-setup.sh
      - certs:/certs
    entrypoint: ["/bin/sh", "-c", "/update-certs-and-setup.sh"]
    environment:
      DOMAIN : ${DOMAIN}
      EMAIL : ${EMAIL}
    ports:
      - "80:80"
    restart: always

  emqx:
    build:
      context: ./emqx-custom
    container_name: emqx
    environment:
      EMQX_NAME: emqx
      EMQX_HOST: 127.0.0.1
      EMQX_LISTENERS__SSL__DEFAULT__BIND: "0.0.0.0:8883"
      EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__CACERTFILE: "/emqx/certs/chain.pem"
      EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__CERTFILE: "/emqx/certs/fullchain.pem"
      EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__KEYFILE: "/emqx/certs/privkey.pem"
      EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__VERIFY: verify_none
    ports:
      - "1883:1883"
      - "8083:8083"
      - "8883:8883"
      - "18083:18083"
    volumes:
      - "./start-emqx.sh:/start-emqx.sh"
      - "certs:/emqx/certs"
      - "emqx-log:/opt/emqx/log"
      - "emqx-data:/opt/emqx/data"
    entrypoint: ["/bin/bash", "/start-emqx.sh"]
    restart: always

volumes:
  emqx-data:
  emqx-log:
  certs:

Dockerfile:

# Using EMQ X official image as the base image
FROM emqx/emqx:5.5.0

# Switch to root to install additional packages
USER root

# Update the package list and install inotify-tools
RUN apt-get update && \
    apt-get install -y inotify-tools

# Switch back to the default user for security, replace `emqx` with the actual user if it's different
USER emqx

start-emqx.sh:

#!/bin/bash

CERT_PATH="${EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__CERTFILE}"
KEY_PATH="${EMQX_LISTENERS__SSL__DEFAULT__SSL_OPTIONS__KEYFILE}"

# Function to start EMQX
start_emqx() {
    echo "Start EMQX..."
    emqx start
}

# Monitor for changes
inotifywait -m -e modify "$CERT_PATH" "$KEY_PATH" |
while read path action file; do
    echo "Detected new certificate. Restarting EMQX..."
    emqx stop
    start_emqx
done &

# Start EMQX initially if not already running
if [ -f "$CERT_PATH" ] && [ -f "$KEY_PATH" ]; then
    start_emqx
fi

# Keep script running
while true; do
    sleep 60
done

update-certs-and-setup.sh:

#!/bin/sh

set -e

DOMAIN="${DOMAIN}"
EMAIL="${EMAIL}"

SOURCE_DIR="/etc/letsencrypt/live/${DOMAIN}"
DEST_DIR="/certs"
LOCKFILE="/tmp/certbot.lock"

while :; do
    if [ ! -f "$LOCKFILE" ]; then
        touch $LOCKFILE
        certbot certonly --standalone --preferred-challenges http-01 -d ${DOMAIN} --email ${EMAIL} --agree-tos --non-interactive

        mkdir -p ${DEST_DIR}

        if [ -d "${SOURCE_DIR}" ]; then
            cp -L ${SOURCE_DIR}/* ${DEST_DIR}/
            chmod -R 755 ${DEST_DIR}
        fi

        rm $LOCKFILE
    else
        echo "Certbot is already running."
    fi

    sleep 12h
done

Prerequisites

The only configuration needed is the domain name in the .env file. You should change the :

DOMAIN=xx.com
EMAIL=xx@xx

Domain name and email address to your own.

Then pull the repo and make sure the script is executable.

chmod +x update-certs-and-setup.sh

Lastly, you need to make sure that the port 80 is open for the Let’s Encrypt to verify the domain name.

Build and Run

docker compose up -d --build

Inspection

You can inspect the logs by running the following command:

docker logs --details certbor

then you can see the logs of the certbot include the expiration.

docker logs --details emqx

then you can see the logs of the emqx broker, started successed.