Mosquitto and Aedes on Raspberry Pi 4


I currently have the Eclipse Mosquitto MQTT broker running on the Raspberry Pi 2, 3 and 4, Buster Raspbian, not to mention countless other variations of Debian and Ubuntu on various boards used at one time or another in the past (Orange Pi, various FriendlyArm boards and many others).

Below is the link I originally followed for the install – Mosquitto has been part of my standard install using “the script” for a long time – (last update April 2020). See my Bitbucket account and other parts of this blog for more on “the script”. I still use the Mosquitto broker having looked at several alternatives – the MOSCA Node-Red broker didn’t go anywhere – meanwhile, Mosquitto IS ready, works perfectly and it is also free and easy to use – I use it 24-7 in my own RPi4 installations here in Spain and in the UK, not to mention countless installations I’ve helped put together for others.


I started running Mosquitto on RPI2, then RPI3 and now RPI4. As an alternative to Mosquitto you could now take a look at node-red-contrib-Aedes – no other installation needed (you can also use Aedes alongside Mosquitto on a different port – just put the Aedes node somewhere on one of your pages and adjust the port number (if Mosquitto is already on the standard port 1883) – then use the normal MQTT nodes to access it). I initially used npm to install aedes but in September 2020 installed on another Rpi4 through the Node-Red Palette Manager. EASY.

This blog entry has been constructed over time going as far back as 2015…

I simply installed the repository then Mosquitto itself, nothing more.

This installation puts a non-personalised config file at /etc/mosquitto – and that file points to the directory /etc/mosquitto/conf.d – so I put my mosquitto.conf in there, which was basically 2 lines…

allow_anonymous false
password_file /etc/mosquitto/conf.d/passwords.txt

I’ve not yet added SSL in there but I certainly wasn’t going to start up the broker with NO security.  I added a simple text file passwords.txt as above with a one-liner admin (colon) password where the password is encrypted using the Mosquitto password program for the PC (thankfully I already had a passwords file).

And that’s it really, stop the broker and restart it to make sure it takes notice of the config file..

sudo /etc/init.d/mosquitto stop
sudo /etc/init.d/mosquitto start

And talk to it via something like MQTT SPY – subscribe to any old topic (“testing”, in my case) and try publishing to that topic. I’ve tested powering down and back up and all is well.

Easiest thing I’ve done all day.. oh, NO it wasn’t – I could not write to the /etc/mosquitto/conf.d directory – the usual Linux security issues…. I did this.. most likely giving FAR too much access (if anyone wants to tell me what it SHOULD be, please do but don’t let’s get complicated)…

sudo chmod 777 ./conf.d

and from there on I could use my FTP described earlier and Notepad++ to create and edit the necessary files.
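
A check for the setup described above, as an added example that is not part of the original post: it flags a world-writable conf.d (the result of chmod 777), a config that does not disable anonymous access, and a password file that other local users can read or that holds unhashed entries. The function name audit_mosquitto_conf and the "user:$..." hash heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the broker config described above.
# Defaults follow the post's layout; the checks themselves are this example's assumptions.

# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_mosquitto_conf() {
    dir=${1:-/etc/mosquitto/conf.d}
    conf=${2:-$dir/mosquitto.conf}
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # "Other"-writable directory (what chmod 777 produces): any local user can
    # drop or replace config files that the broker will load.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        fail "$dir is world-writable"
    fi

    # Anonymous access must be switched off explicitly.
    if ! grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+false[[:space:]]*$' "$conf" 2>/dev/null; then
        fail "$conf does not set allow_anonymous false"
    fi

    # Locate the password file named in the config (last password_file line).
    pwfile=$(sed -n 's/^[[:space:]]*password_file[[:space:]]\{1,\}//p' "$conf" 2>/dev/null | tail -n 1)
    if [ -z "$pwfile" ] || [ ! -f "$pwfile" ]; then
        fail "password_file missing or not set in $conf"
        return "$rc"
    fi

    # The hashes should not be readable or writable by unrelated local users.
    if [ -n "$(find "$pwfile" -maxdepth 0 \( -perm -0004 -o -perm -0002 \) 2>/dev/null)" ]; then
        fail "$pwfile is readable or writable by other users"
    fi

    # Heuristic: hashed entries look like user:$...; anything else is likely plaintext.
    if grep -v '^[[:space:]]*$' "$pwfile" | grep -Evq '^[^:]+:\$'; then
        fail "$pwfile has entries that do not look hashed"
    fi
    return "$rc"
}

# Run against real paths only when arguments are given, e.g.:
#   sudo sh audit.sh /etc/mosquitto/conf.d /etc/mosquitto/conf.d/mosquitto.conf
if [ "$#" -gt 0 ]; then audit_mosquitto_conf "$@"; fi
```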


17 thoughts on “Mosquitto and Aedes on Raspberry Pi 4”

  1. Have a look at the node-red-contrib-aedes MQTT broker. Node-red-contrib-aedes is a Node-Red wrapper for Aedes. The installation and operation is a lot better than Mosca. TRUE

  2. Hi Pete
    Has that problem been solved, I’ve just brought a raspberry pi4 to do home automation on, was going to venture to MQTT to learn this via nodered, with sonoff Tasmota devices.

    1. Has what problem been solved Tony? MQTT on RPI4 works just fine… Aedes also works – have you seen updates to this blog entry as of yesterday?

  3. Hi Pete, one of the great values of your blog is that it allows people to share new discoveries, how they can be set up and tested. It is great that this new broker has two methods to install it in NR already.
    I too am very happy with Mosquitto and my longest running version was installed with your script on a Pi3 over 3 years ago and the entire package is still running without a fault through power cuts, several moves. It just sits in the corner of the garage. I have never updated it, NR etc. all still running happy as Larry.

    1. Me too, Bob… I have two 24/7 installations, one here and one in Spain. The latter failed earlier this year due to lightning which also took out the router permanently – and killed the SD on the PI. My neighbour there (I’m still stuck in the UK) though not technical helped – I set up a duplicate router setup here in the UK and sent off a replacement SD. He put that lot together and we were back in business. Here, not a single failure of any aspect of the Pi for over a year – and I can state that Mosquitto has NEVER failed on me in either installation.

      Here (again this year) I’ve already fitted a significant-size SALICRU UPS – perfect – and when Covid is done, Spain is getting the same treatment, so I’m reasonably confident I’ll see more years of fault-free operation (and bear in mind I tinker a lot with the UK setup – testing smart kit, doing updates) and it all just keeps going. PI + NR + Mosquitto + ESP8266 was definitely one of my better decisions. I developed ESP-GO but more and more I’m using the increasingly versatile Tasmota and that’s working well.
      This prompted me to update this blog entry…

  4. Hi Bob, well, for whatever reason the palette manager didn’t do it for me but an npm install worked a treat. It looks good. I’m more than happy with Mosquitto as set up in my script (the script) but it is always nice to have alternatives.

  5. I just tried Aedes broker on my linux based PC running NR under docker on Home Assistant. It loads the Aedes node via palette manager exactly as Steve describes. I set the port to 11883 and made a flow to replicate the one on Aedes git hub page, standard mqtt input / output nodes, an inject node and a couple of debug nodes. As Martin said it is very fast. It looks like it could be very useful especially for quick testing of mqtt related things.

  6. Have a look at the node-red-contrib-aedes MQTT broker. The Mosca team discontinued the Mosca broker, started from scratch and created Aedes which is a lot more reliable. Node-red-contrib-aedes is a Node-Red wrapper for Aedes. The installation and operation is a lot better than Mosca.

      1. Palette manager should install the broker node (search for aedes) – configure this node but just make sure if mosquitto is running on same machine on port 1883 then choose a different port for this broker. After that use standard mqtt in and out nodes after creating a link to new broker. Fast and saves on having a separate mqtt broker if that is needed.

        1. Well, it certainly goes nowhere with the palette manager… however I went to the /home/pi/.node-red directory and did an npm install – works a treat. No idea about performance of course… but that certainly was painless – I just changed the port, put in my usual admin and password – and made a test send/receive into debug – works… now for some more in depth testing.


  7. Giving 777 permissions is bad, it allows everyone connected to the system to create and execute files.

    Personally I would have simply edited the file as root (sudo vi /etc/mosquitto/conf.d/mosquitto.conf) (or whichever editor you want to use).

    1. Agree 777 is bad, especially if you have your password file stored there. You shouldn’t need to modify the permissions of that folder; it should be set so that the mosquitto (root) daemon can read and write, that’s about it.

      As Tomer suggested try using sudo to run a text editor like vi to edit the file with elevated permissions, although if you are starting out I would recommend nano as it is much easier to learn/use than VI. If you want to keep your current method of using WinSCP and a windows text editor then create a new user and add them to the root user group (note: this really isn’t recommended, but it is better than setting all files to RWX for all users).

      1. Why not use the user root when connecting with WinSCP. 😉

        In Raspbian user root is not active by default. But you can activate it by running command “sudo passwd root” without the quotes and type a root password twice.

        1. From a security perspective it isn’t best practice if you plan to have SSH enabled to the internet as you are exposing yourself to brute force attacks.

          On that note, Pete, if you are planning on making ssh available from the internet I would highly recommend you install fail2ban; it is in the apt-get repository and will automatically ban IP addresses after 3 failed SSH logins.

          1. Pete,

            I second what Ben is saying here. I had a similar setup for a while with my RPi being web accessible via ssh. So one day just out of curiosity I checked the /var/log/auth.log; to my surprise I found out that some douche-bag had been very busy trying to brute-force in to my home network. I suggest disabling root’s remote ssh access; and configure a key-based ssh authentication instead of a password based one while you are at it.

            Happy hacking.

Comments are closed.