Mosquitto "allow_anonymus true" doesn't work #2382

Open
Vrrrum opened this issue Nov 12, 2021 · 18 comments

@Vrrrum

Vrrrum commented Nov 12, 2021

Hi!
I have installed mosquitto broker (v2.0.11) on raspberry PI 3. Then created config file custm.conf in the conf.d directory:
/etc/mosquitto/conf.d/custm.conf

listener 1883
allow_anonymous true

Despite this, mosquitto still doesn't allow unauthorized connections.
systemctl status mosquitto.service says, the file was loaded:

 mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-11-12 20:53:16 GMT; 14min ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
    Process: 461 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 473 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 475 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 477 ExecStartPre=/bin/chown mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
   Main PID: 478 (mosquitto)
      Tasks: 1 (limit: 1597)
        CPU: 484ms
     CGroup: /system.slice/mosquitto.service
             └─478 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Nov 12 20:53:16 raspberrypi systemd[1]: Starting Mosquitto MQTT Broker...
Nov 12 20:53:16 raspberrypi mosquitto[478]: 1636750396: Loading config file /etc/mosquitto/conf.d/custm.conf
Nov 12 20:53:16 raspberrypi systemd[1]: Started Mosquitto MQTT Broker.

When I run mosquitto -v in the shell, the output looks like this:

1636751373: mosquitto version 2.0.11 starting
1636751373: Using default config.
1636751373: Starting in local only mode. Connections will only be possible from clients running on this machine.
1636751373: Create a configuration file which defines a listener to allow remote access.
1636751373: For more details see https://mosquitto.org/documentation/authentication-methods/
1636751373: Opening ipv4 listen socket on port 1883.
1636751373: Error: Address already in use
1636751373: Opening ipv6 listen socket on port 1883.
1636751373: Error: Address already in use

I really don't know what to do at this point

@ralight
Contributor

ralight commented Nov 15, 2021

Sorry to hear you're having problems. Could you try systemctl stop mosquitto to stop the instance running in the background, then run mosquitto -c /etc/mosquitto/mosquitto.conf -v manually?

@cromefire

This is what I get on the latest version, using compose with password auth in a bridge network.

1644030040: mosquitto version 2.0.14 starting
1644030040: Config loaded from /mosquitto/config/mosquitto.conf.
1644030040: Opening ipv4 listen socket on port 1883.
1644030040: Opening ipv4 listen socket on port 1883.
1644030040: Error: Address in use

@cromefire

Funnily enough, changing the port behind listener to something else just works and the /mosquitto-no-auth.conf works too although I have only configured tls, persistence and a password file and the listener line was the same.

@abiliojr
Contributor

Maybe a silly question, but did you stop any other broker that might be running on the machine before trying to capture these logs?

Address in use is what mosquitto prints if it tries to open 1883, but there is already someone else listening there.

@cromefire

cromefire commented Feb 10, 2022

I'm running it inside docker, so yes, it is the only process even alive in that container, any port used has to be used by mosquitto.

docker-compose.yaml:

services:
  mqtt:
    container_name: <censored>
    image: "eclipse-mosquitto:2-openssl"
    volumes:
      - "<censored>:/mosquitto/config"
      - "<censored>:/mosquitto/data"
      - "<censored>:/mosquitto/log"
    restart: unless-stopped
    expose:
      - "1883"
    ports:
      - <censored>:1883:1883
    runtime: runsc
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    networks:
      <censored>:
        ipv4_address: <censored>
        ipv6_address: <censored>

mosquitto config (that fails):

# Data
persistence true
persistence_location /mosquitto/data/

# Logging
#log_dest file /mosquitto/log/mosquitto.log

# TLS
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
listener 1883
password_file /mosquitto/config/password.txt

mosquitto config (that works on port 1883):

# Data
persistence true
persistence_location /mosquitto/data/

# Logging
#log_dest file /mosquitto/log/mosquitto.log

# TLS
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
listener 1883 <censored, container ip>
password_file /mosquitto/config/password.txt

or (untested if auth works)

# Data
persistence true
persistence_location /mosquitto/data/

# Logging
#log_dest file /mosquitto/log/mosquitto.log

# TLS
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
listener 1888
password_file /mosquitto/config/password.txt

So I just think it's opening a default (unconfigured) listener on localhost:1883 which conflicts with *:1883 (so it blocks itself).

@abiliojr
Contributor

abiliojr commented Feb 11, 2022

Yeah, I noticed you were running a docker. I had memories of having a similar situation while running a server for multiple devices in the network. I configured the container network so mosquitto could listen to the network card, port 1883. Of course a broker running in the same machine, outside docker will make the broker in the container fail.

But I just did a quick experiment, and realized that my memory is not that good. Of course in my scenario there is a failure, but it is docker who complains, not the containerized broker (as it does not even start running). My bad.

As soon as I have some free time, I'll try to experiment with your config files (thanks for them). See if I can spot something.

Just for completeness, did you try in a platform different than a RPi?

@cromefire

> Just for completeness, did you try in a platform different than a RPi?

Not running on a PI, but rather an x86_64 server.

@abiliojr
Contributor

abiliojr commented Feb 11, 2022

Ohhh, @cromefire, sorry, I missed the point that you're not the OP. I wrote in many tickets late at night, and after reading your comment over mail this morning, somehow I assumed it was a single person.

@grumpy-dude

Was having a similar issue on my RPi running v2.0.11 on top of Raspi OS Bullseye. Limiting the connections to only IPv4 seems to have solved the problem for me.

@cromefire, even though you disabled IPv6 in the container, you might try adding the following to your mosquitto config file and see if it helps:
socket_domain ipv4

@cromefire

cromefire commented Feb 13, 2022

> @cromefire, even though you disabled IPv6 in the container, you might try adding the following to your mosquitto config file and see if it helps:
> socket_domain ipv4

I explicitly enabled IPv6 (by setting disable to 0, I know kinda confusing but grabbed that off some docker docs, but I actually use IPv6, where possible) and that might very well be what failed. Will test with only IPv4 enabled.

@cromefire

Didn't work, but it also still seems to register an IPv6 listener:

mqtt_1           | 1644865256: mosquitto version 2.0.14 starting
mqtt_1           | 1644865256: Config loaded from /mosquitto/config/mosquitto.conf.
mqtt_1           | 1644865256: Opening ipv4 listen socket on port 1883.
mqtt_1           | 1644865256: Opening ipv6 listen socket on port 1883.
mqtt_1           | 1644865256: Opening ipv4 listen socket on port 1883.
mqtt_1           | 1644865256: Error: Address in use

New config:

# Data
persistence true
persistence_location /mosquitto/data/

# Logging
#log_dest file /mosquitto/log/mosquitto.log

# TLS
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
socket_domain ipv4
listener 1883
password_file /mosquitto/config/password.txt

@THilliranta

Related to the last comment, the listener and socket_domain settings seem not to work properly when the listener is configured after the socket_domain.
So at least you could get rid of the IPv6 listener by changing the order in the configuration:

# Auth
listener 1883
socket_domain ipv4
password_file /mosquitto/config/password.txt

@ralight
Contributor

ralight commented May 18, 2022

I've had a look at this, and I wonder if you've also configured a listener on port 1883 in a different config file, or twice in the same config file?

@cromefire

If the docker container doesn't have any second config that I don't know of, that's all of my config.

@ralight
Contributor

ralight commented May 19, 2022

I've missed the obvious. You're suffering from the curse of the default listener.

Some config options can be used without first specifying the listener that they apply to. This then creates a default listener, a design decision that came from the config format of RSMB, an earlier MQTT broker that I now rue following.

# This bit sets up a default listener on port 1883
# TLS
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
socket_domain ipv4

# This creates a new listener on port 1883 - we should be checking for duplicate port entries
listener 1883

# This is global
password_file /mosquitto/config/password.txt

Suggested config:

# Data
persistence true
persistence_location /mosquitto/data/

# Logging
#log_dest file /mosquitto/log/mosquitto.log

# Listeners
listener 1883
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2

# Auth
password_file /mosquitto/config/password.txt
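
A small linter for the default-listener trap described in the comment above, as an added example that is not part of the thread or of the Mosquitto project. `lint`, `without_tls` and `LISTENER_OPTS` are hypothetical names; the option set covers only the options shown in this thread, and the TLS report assumes, following that explanation, that options given before `listener` stay on the default listener.

```python
# Options this thread shows creating a default listener when they appear
# before any `listener` line (assumption: not mosquitto's complete list).
LISTENER_OPTS = {"cafile", "certfile", "keyfile", "tls_version", "socket_domain"}
DEFAULT_PORT = 1883  # port of the implicit default listener, per the thread

def lint(conf_text):
    """Return (listeners, findings) for the text of a mosquitto.conf."""
    listeners, findings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port = int(value.split()[0])
            if any(l["port"] == port for l in listeners):
                findings.append((lineno, f"second listener on port {port}"))
            listeners.append({"port": port, "implicit": False, "opts": set()})
        elif key in LISTENER_OPTS:
            if not listeners:  # no listener yet, so an implicit one is created
                listeners.append({"port": DEFAULT_PORT, "implicit": True, "opts": set()})
            if listeners[-1]["implicit"]:
                findings.append((lineno, f"{key} applies to the default listener"))
            listeners[-1]["opts"].add(key)
    return listeners, findings

def without_tls(listeners):
    """Ports of listeners that did not receive both certfile and keyfile."""
    return [l["port"] for l in listeners if not {"certfile", "keyfile"} <= l["opts"]]
# Trimmed copies of two configs from this thread (persistence lines omitted).
FAILING = """\
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2
listener 1883
password_file /mosquitto/config/password.txt
"""
SUGGESTED = """\
listener 1883
cafile /mosquitto/config/ca.pem
certfile /mosquitto/config/cert.pem
keyfile /mosquitto/config/key.pem
tls_version tlsv1.2
password_file /mosquitto/config/password.txt
"""
if __name__ == "__main__":
    for ls, fs in map(lint, (FAILING, SUGGESTED)):
        print(fs, "listeners without TLS:", without_tls(ls))
```

On the failing config this reports the four TLS options landing on the default listener, the second listener on port 1883, and an explicit listener that carries no certificate; the suggested config produces no findings.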

@cromefire

I think I've tried that before, but can't hurt to test it one more time just to be sure.

@ralight
Contributor

ralight commented Aug 11, 2022

Have you managed to sort this out?

@cromefire

cromefire commented Oct 25, 2022

Yes, that seems to work (sorry for the huge delay), maybe a bit more (obvious) documentation/logging on the order could be great, it's not really self-describing it seems like. Can't close this, but as the original author hasn't responded, you might want to go ahead and close it.

Thank you for the help.
