No description
  • Shell 83.4%
  • Dockerfile 16.6%
Find a file
paspo f467012862
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Container Publish / build-image (arm64) (push) Successful in 39s
Container Publish / build-image (amd64) (push) Successful in 47s
Container Publish / update docker manifest (push) Successful in 13s
updated docs
2026-06-14 23:21:34 +02:00
.forgejo/workflows actions update 2026-04-28 08:53:36 +02:00
deploy-cert.sh new paths 2026-06-14 23:15:07 +02:00
Dockerfile new paths 2026-06-14 23:15:07 +02:00
entrypoint.sh chown config 2026-06-14 23:20:41 +02:00
LICENSE initial commit 2019-08-12 18:10:59 +02:00
README.md updated docs 2026-06-14 23:21:34 +02:00
renew-cert.sh fix certificato si rinnova ad ogni avvio 2026-06-14 23:12:24 +02:00
renovate.json update renovate 2026-06-14 17:33:27 +02:00

docker-mqtt

Simple container for my online mqtt server with automatic Let's Encrypt certificates via lego (DNS-01, OVH).

build

docker build . -t docker.asperti.com/paspo/mqtt

docker-compose

version: "3"
services:

  server:
    image: docker.asperti.com/paspo/mqtt
    environment:
      ACME_DOMAIN: mqtt.example.com
      ACME_EMAIL: admin@example.com
      OVH_AK: ${OVH_AK}
      OVH_AS: ${OVH_AS}
      OVH_CK: ${OVH_CK}
    volumes:
      - /srv/mqtt/config:/etc/mosquitto
      - /srv/mqtt/acme:/acme
    ports:
      - "8883:8883"
      - "8983:8983"
    restart: always

Store OVH credentials in a local .env file (do not commit it):

OVH_AK=your_application_key
OVH_AS=your_application_secret
OVH_CK=your_consumer_key

Environment variables

Variable Required Description
ACME_DOMAIN yes Broker FQDN (e.g. mqtt.example.com)
ACME_EMAIL yes Let's Encrypt account email
OVH_AK yes OVH API application key (mapped to OVH_APPLICATION_KEY for lego)
OVH_AS yes OVH API application secret
OVH_CK yes OVH API consumer key
OVH_END_POINT no OVH API endpoint (default: ovh-eu)
ACME_STAGING no Set to true to use Let's Encrypt staging CA

On first start the container waits until the certificate is issued and deployed before starting Mosquitto (retries every 60s on failure). On subsequent starts, if a certificate already exists in /acme, it is deployed without contacting Let's Encrypt. Renewals run daily via cron when the certificate expires within 30 days; Mosquitto reloads the certificate on renewal without restarting the container. Persist /acme to keep lego state and avoid Let's Encrypt rate limits.

OVH API token

Create a consumer key before deploying. Use a token scoped to your DNS zone (replace example.com with your domain):

https://api.ovh.com/createToken/?GET=/domain/zone/example.com/&POST=/domain/zone/example.com/&PUT=/domain/zone/example.com/&GET=/domain/zone/example.com&DELETE=/domain/zone/example.com/record/

Select Unlimited validity and authorize access. Copy the three credentials into your .env file as OVH_AK, OVH_AS, and OVH_CK.

For non-EU OVH accounts, also set OVH_END_POINT (e.g. ovh-ca, ovh-us).

Staging

For testing without production rate limits:

environment:
  ACME_STAGING: "true"

mosquitto configuration

This is the configuration (mosquitto.conf):

listener 8883
certfile /tls/cert.pem
cafile /tls/chain.pem
keyfile /tls/privkey.pem
log_dest syslog
allow_anonymous false
password_file /etc/mosquitto/passwd

listener 8983
psk_hint go away
psk_file /etc/mosquitto/pskfile

The first port is used with a passwd file, that you can create in the usual way.

You also need to create a file named "pskfile" to access the "secondary" port, with this syntax:

user1:password1
user2:password2

password update

docker compose exec -u mosquitto server mosquitto_passwd -b /etc/mosquitto/passwd username StrongPa$$w0rd