Art Ianuzzi

Reputation: 307

How to Connect to Mosquitto MQTT Bridge on AWS

I have set up a Mosquitto bridge on AWS EC2 per the instructions on the page https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/ in order to bridge non-TLS messages from my local IoT devices over to the AWS IoT service (which requires a TLS connection).

The setup works when passing messages back and forth when logged in to the EC2 instance.

I added the remote clientid and credentials and have set up the same values in MQTT.fx, but I get the following when I try to connect from my local machine.

2017-08-09 21:45:41,732  INFO --- BrokerConnectorController      : onConnect
2017-08-09 21:45:41,734  INFO --- ScriptsController              : Clear console.
2017-08-09 21:45:41,736  INFO --- MqttFX ClientModel             : MqttClient with ID bridgeawsiot assigned.
2017-08-09 21:45:41,838 ERROR --- MqttFX ClientModel             : Error when connecting
org.eclipse.paho.client.mqttv3.MqttException: Unable to connect to server
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:79) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_131]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_131]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_131]
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:70) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    ... 2 more
2017-08-09 21:45:41,840 ERROR --- MqttFX ClientModel             : Please verify your Settings (e.g. Broker Address, Broker Port & Client ID) and the user credentials!
org.eclipse.paho.client.mqttv3.MqttException: Unable to connect to server
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:79) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_131]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_131]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_131]
    at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:70) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    ... 2 more
2017-08-09 21:45:41,842  INFO --- ScriptsController              : Clear console.
2017-08-09 21:45:41,843 ERROR --- BrokerConnectService           : Unable to connect to server

This is the bridge.conf that I'm using:

# AWS IoT endpoint, use AWS CLI 'aws iot describe-endpoint'
connection awsiot
address xxxxxxxxxxxxx.iot.us-east-1.amazonaws.com:8883

# Specifying which topics are bridged
topic awsiot_to_localgateway in 1
topic localgateway_to_awsiot out 1
topic both_directions both 1

# Setting protocol version explicitly
bridge_protocol_version mqttv311
bridge_insecure false

# Bridge connection name and MQTT client Id,
# enabling the connection automatically when the broker starts.
cleansession true
remote_clientid bridgeawsiot
start_type automatic
notifications false
log_type all

local_clientid bridgeawsiot ## Tried also with id different from remote_clientid
local_username localuser
local_password test123

# =================================================================
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Path to the rootCA
bridge_cafile /etc/mosquitto/certs/rootCA.pem

# Path to the PEM encoded client certificate
bridge_certfile /etc/mosquitto/certs/cert.crt

# Path to the PEM encoded client private key
bridge_keyfile /etc/mosquitto/certs/private.key

Upvotes: 2

Views: 3429

Answers (1)

Art Ianuzzi

Reputation: 307

So after much research and reading the docs, I found a configuration that works. The bridge.conf file needs to be changed by deleting the local_clientid, local_username, and local_password entries and then adding the following 2 lines in their place:

password_file /path/to/pw/file
# for AWS, or your port number as applicable
listener 8883

So the complete bridge.conf file will be:

# AWS IoT endpoint, use AWS CLI 'aws iot describe-endpoint'
connection awsiot
address a5d2ye3cyutpb.iot.us-east-1.amazonaws.com:8883

# Specifying which topics are bridged
topic awsiot_to_localgateway in 1
topic localgateway_to_awsiot out 1
topic both_directions both 1

# Setting protocol version explicitly
bridge_protocol_version mqttv311
bridge_insecure false

# Bridge connection name and MQTT client Id,
# enabling the connection automatically when the broker starts.
cleansession true
remote_clientid bridgeawsiot
start_type automatic
notifications false
log_type all

password_file /etc/mosquitto/pwfile
listener 8883

# =================================================================
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Path to the rootCA
bridge_cafile /etc/mosquitto/certs/rootCA.pem

# Path to the PEM encoded client certificate
bridge_certfile /etc/mosquitto/certs/cert.crt

# Path to the PEM encoded client private key
bridge_keyfile /etc/mosquitto/certs/private.key

Then the password file must be generated by issuing the following command for each user to set the password:

# -c creates the password file, replacing any existing one; omit -c when adding further users
$ sudo mosquitto_passwd -c /path/to/pw/file username

Then restart mosquitto with:

$ sudo service mosquitto restart

Upvotes: 3
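
The change described in the answer can be checked mechanically. This is an added example, not part of the original answer or of Mosquitto: it parses a mosquitto config and flags the settings that matter when a remote client logs in with a username and password. It assumes the client connects to port 8883 and that the broker falls back to port 1883 when no `listener` line exists; `parse`, `audit` and the sample text are constructed for illustration.

```python
# Added example: lint a mosquitto config for remote username/password logins.
# SAMPLE_CONF is constructed from the answer's listener-related lines; the
# endpoint host is a placeholder.
SAMPLE_CONF = """\
connection awsiot
address ENDPOINT-PLACEHOLDER.iot.us-east-1.amazonaws.com:8883
remote_clientid bridgeawsiot
password_file /etc/mosquitto/pwfile
listener 8883                    # for AWS, or your port number as applicable
bridge_cafile /etc/mosquitto/certs/rootCA.pem
"""

TLS_KEYS = {"certfile", "keyfile"}  # listener-side TLS, not bridge_certfile/bridge_keyfile


def parse(conf_text):
    """Return (global_opts, listeners); TLS keys attach to the preceding `listener`."""
    opts, listeners, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # only a leading '#' starts a comment
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = {"port": value.split()[0], "raw": value, "keys": set()}
            listeners.append(current)
        elif current is not None and key in TLS_KEYS:
            current["keys"].add(key)
        else:
            opts[key] = value
    return opts, listeners


def audit(conf_text, client_port):
    """Return findings for a remote client that connects to client_port."""
    opts, listeners = parse(conf_text)
    findings = []
    # Assumption: with no `listener` line the broker uses `port`, else 1883.
    ports = [l["port"] for l in listeners] or [opts.get("port", "1883")]
    if str(client_port) not in ports:
        findings.append(f"no listener on port {client_port} (configured: {', '.join(ports)})")
    if "password_file" not in opts:
        findings.append("no password_file: broker has no user list to check logins against")
    if opts.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not explicitly false")
    for l in listeners:
        if "#" in l["raw"]:
            findings.append(f"listener {l['port']}: text after '#' is not treated as a comment")
        if not TLS_KEYS <= l["keys"]:
            findings.append(f"listener {l['port']}: no certfile/keyfile, passwords cross the network in cleartext")
    return findings
```

Run against the sample, `audit(SAMPLE_CONF, 8883)` reports the missing `allow_anonymous false`, the inline comment on the `listener` line, and the absence of listener-side TLS; a config with those three points addressed returns an empty list.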
