OwnTracks is a free and open source application for iOS and Android that allows you to track your location and send it via MQTT to your home automation system. But the location data needs to be sent securely. This post describes how to do that.
Prepare the generate-CA script
The following OwnTracks script must run on a public server on which the Mosquitto server is already installed.
$ cd /etc/mosquitto/certs
$ wget https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh
$ chmod +x generate-CA.sh
Make the lifetime of the certificates longer for Android (until the year 2032). On iOS this is not possible; there the lifetime is limited to 825 days. Change server_days=825 into server_days=$days:
$ vi generate-CA.sh
server_days=$days
Create the server keys
The following command generates the server key set:
$ ./generate-CA.sh <full domainname>
for example:
$ ./generate-CA.sh vps.firm-ware.cz
Create the client keys
The following command generates the client key set. Change arjan into your own name:
$ ./generate-CA.sh client arjan
Mosquitto server config
Add the key files to the Mosquitto configuration. Change the example vps.firm-ware.cz into your own domain name:
$ vi /etc/mosquitto/conf.d/default.conf
#Secure MQTT messages
listener 12383
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/vps.firm-ware.cz.key
certfile /etc/mosquitto/certs/vps.firm-ware.cz.crt
#Bridge to mosquitto at home
connection brug
address 192.168.5.248:1883
topic mobiel/# both
topic owntracks/# both
Test the Mosquitto server:
$ systemctl stop mosquitto.service
$ tail -f /var/log/mosquitto/mosquitto.log &
$ /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
Testing the Mosquitto client
Copy the client keys and the ca.crt file to the local desktop/laptop. The remote domain needs to be the same as used in the
$ mosquitto_sub -d -h vps.firm-ware.cz -p 12383 -t owntracks/# --cafile ca.crt --cert arjan.crt --key arjan.key
Enable OwnTracks TLS
Docs: https://owntracks.org/booklet/features/tlscert/#pkcs12
Generate a PKCS#12 file to send to the mobile phone:
$ openssl pkcs12 -export -in arjan.crt -inkey arjan.key -name "Arjan's key" -out arjan.p12
Enter Export Password:
Verifying - Enter Export Password:
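Before the client keys are copied to the laptop and the .p12 file is sent to the phone, it pays to check the generated files against each other: most "TLS error" reports from mosquitto_sub or OwnTracks come down to a certificate that is not signed by the CA, a key that does not belong to its certificate, a server certificate that does not name the host, or a stale .p12 bundle. The POSIX shell script below is an added example and is not part of this post or of the OwnTracks tools; it assumes the file names generate-CA.sh produces (ca.crt, <host>.crt/.key, <client>.crt/.key) and takes the certificate directory, broker host name and client name as arguments. The values in the usage line are the ones used in this post.

```shell
#!/bin/sh
# Pre-flight check for the certificate set produced by generate-CA.sh.
# Added example, not code from the original post or the OwnTracks tools.
# $dir, $host and $client are arguments; the usage line at the bottom
# assumes the names used in the post (/etc/mosquitto/certs, vps.firm-ware.cz, arjan).

# Is the certificate ($2) signed by the CA ($1)?
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do certificate ($1) and private key ($2) belong together?
# Both are reduced to their PEM public key and compared.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the server certificate ($1) name the host ($2) the clients connect to?
# A mismatch here is what makes the client's hostname check fail.
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Is the certificate ($1) still valid $2 days from now?
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Is the private key ($1) unreadable for "other"? (octal mode ends in 0)
key_not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Does the PKCS#12 bundle ($1, export password $2) carry the client cert ($3)?
# Compared by SHA-256 fingerprint, so a bundle left over from an earlier run
# of generate-CA.sh is caught before it is copied to the phone.
p12_carries_cert() {
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null)
    have=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Run one check ($2...) and print a one-line verdict for it ($1).
check() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; rc=1; fi
}

# Run all checks on the server and client pair; returns 1 if any failed.
# $1 = certificate directory, $2 = broker host name, $3 = client name
tls_preflight() {
    dir=$1; host=$2; client=$3; rc=0
    check "server cert signed by CA"        signed_by_ca "$dir/ca.crt" "$dir/$host.crt"
    check "server key matches server cert"  key_matches_cert "$dir/$host.crt" "$dir/$host.key"
    check "server cert names $host"         cert_names_host "$dir/$host.crt" "$host"
    check "server cert valid for 30 days"   valid_for_days "$dir/$host.crt" 30
    check "server key not world-readable"   key_not_world_readable "$dir/$host.key"
    check "client cert signed by CA"        signed_by_ca "$dir/ca.crt" "$dir/$client.crt"
    check "client key matches client cert"  key_matches_cert "$dir/$client.crt" "$dir/$client.key"
    check "client key not world-readable"   key_not_world_readable "$dir/$client.key"
    return $rc
}

# Usage: sh tls-preflight.sh /etc/mosquitto/certs vps.firm-ware.cz arjan
if [ $# -eq 3 ]; then tls_preflight "$@"; fi
```

Run it in /etc/mosquitto/certs right after the two generate-CA.sh calls, and call p12_carries_cert with the .p12 file, its export password and the client certificate after the openssl pkcs12 step; a FAIL line points at the file to regenerate before anything is copied to a client.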
Copy the ca.crt and the arjan.p12 file to the mobile phone by email. Save these files on the phone in a new OwnTracks directory in the root of the file system.
On Android
In OwnTracks:
* go to menu Preferences->Connection->Security
* Set TLS on
* CA Certificate: Select the downloaded ca.crt file from the OwnTracks directory
* Client certificate: Select the arjan.p12 file from the OwnTracks directory
* Client certificate password: Enter the password from the P12 file generation
* Click on ACCEPT
Check Status to see whether the connection succeeded.
iOS
For iOS you can find the instructions here: iOS OwnTracks