jbouwh / omnikdatalogger

Datalogger for Omnik solar power inverters with DSMR integration and output to Home Assistant, PVOUTPUT, InfluxDB and MQTT

Home Page:https://jbsoft.nl/site/omnik-datalogger/


Mqtt client cannot connect to TLS secured MQTT server

joost01 opened this issue · comments

I try to make an mqtt connection to a cloud based mqtt broker. I use this for a remote omnik installation. For some reason I only get "MQTT disconnected" messages in the log, but nothing has been published to the mqtt broker. The messages are like these:

"INFO:omnik.datalogger:I 2021-10-26T14:07:45.747265 MQTT disconnected"

Actually this is more a question, is there support for mqtt using secure protocols (TLS, using port 8883)?

Hi, in the current code base there is no support for TLS yet. Secure MQTT uses a different port. I saw this article:
https://stackoverflow.com/questions/51942821/how-to-use-ssl-tls-in-paho-mqtt-using-python-i-got-certificate-verify-failed

Using a client certificate is a valid use case as well. It does not seem too difficult to implement, but it will need some testing, and perhaps some additional configuration settings.

A good site to test with: http://test.mosquitto.org/

If you want you can use a free cloud mqtt platform to test the solution, for instance hivemq. The advantage of this platform is it uses a valid certificate, though I can imagine most home users will use self signed certificates in their home setup.

However, a nice solution would be an optional "valid certificate" check, as it is used more often in home assistant solutions. I assume it is an enhancement of the mqtt.py script?

I assume it is an enhancement of the mqtt.py script?

Well yeah, it is an output plugin. In fact it is not so difficult to update it.
https://github.com/jbouwh/omnikdatalogger/blob/main/apps/omnikdatalogger/omnik/plugin_output/mqtt.py#L25-L66

Feel free to start a pull request.

Working on it, see:

https://github.com/jbouwh/omnikdatalogger/tree/mqtt-tls-support

Got mqtt output working with TLS and even client certs or a different CA. Docs need an update.

New settings (example):
ca_certs: ./.omnik/ca/mosquitto.org.crt
client_cert: ./.omnik/client.crt
client_key: ./.omnik/client.key

The mqtt_proxy client needs an update as well, will do that later.

I will push the 1.8.0 release next week.
I have made a beta pre-release in advance, you can find it at https://github.com/jbouwh/omnikdatalogger/releases
Feel free to give some feedback!

However, a nice solution would be an optional "valid certificate" check

You can supply an alternative CA file now (can be self signed/maintained).
Tested with all sorts of scenarios from http://test.mosquitto.org/ including client certificates and an alternate CA file.

I tested the pre-release. I think it will work for users with a completely secured local mqtt infrastructure, with self signed and / or public certificates. I haven't used the device certs yet, but I might set it up for my local environment.

In my case I needed to connect to a secured mqtt cloud server (with valid certificate) on port 8883. This worked with a few changes in the code, like:
self.tls = self.config.getboolean("output.mqtt", "tls", fallback=True) and
self.mqtt_client.tls_set(tls_version=mqttclient.ssl.PROTOCOL_TLS)

I know this is a quick and dirty workaround, but I couldn't find the parameters in the settings file so quickly. For now I can't test the complete message (no sunshine at night...), but I am sure this works.

You should set ca_certs and fill the file with the cert that was used to issue the server cert. That can be the same if the certificate was self signed. I have tested with an untrusted set-up.
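As an added illustration (not the project's mqtt.py, nor the branch linked above), this is how the ca_certs / client_cert / client_key settings from the thread map onto a verifying SSL context for a paho-style client, with the port following the TLS choice instead of the hard-coded tls_set() workaround. The "tls" and "port" key names, the MqttTls class and the sample section are assumptions.

```python
from __future__ import annotations
import configparser
import ssl
from dataclasses import dataclass

# Constructed [output.mqtt] section. ca_certs/client_cert/client_key are the
# settings named in the thread; "port" and "tls" are assumed key names.
SAMPLE_CONFIG = """
[output.mqtt]
port = 8883
tls = true
ca_certs = ./.omnik/ca/mosquitto.org.crt
client_cert = ./.omnik/client.crt
client_key = ./.omnik/client.key
"""

@dataclass
class MqttTls:
    tls: bool
    port: int
    ca_certs: str | None
    client_cert: str | None
    client_key: str | None

def parse_mqtt_settings(text: str) -> MqttTls:
    """TLS is off unless enabled; the port default follows that choice (8883 vs 1883)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    get = lambda key: cfg.get("output.mqtt", key, fallback=None)
    tls = cfg.getboolean("output.mqtt", "tls", fallback=False)
    port = cfg.getint("output.mqtt", "port", fallback=8883 if tls else 1883)
    s = MqttTls(tls, port, get("ca_certs"), get("client_cert"), get("client_key"))
    if s.client_cert and not s.client_key:
        raise ValueError("client_cert requires client_key")
    return s

def build_ssl_context(s: MqttTls) -> ssl.SSLContext:
    """Verifying context: system CAs by default, or the broker's own CA from ca_certs."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=s.ca_certs)
    # check_hostname / CERT_REQUIRED stay on: a self-signed broker is handled by
    # pointing ca_certs at its CA, not by disabling verification.
    if s.client_cert:
        ctx.load_cert_chain(s.client_cert, s.client_key)
    return ctx

def apply_tls(client, s: MqttTls) -> bool:
    """Attach the context to a paho-style client (tls_set_context); True if TLS is on."""
    if not s.tls:
        return False
    client.tls_set_context(build_ssl_context(s))
    return True
```

With a missing or wrong ca_certs file the context fails to build (an OSError) rather than silently connecting unverified, which is the behaviour you want for a cloud broker on 8883.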

For now I will close this issue, I think the supplied options should be enough for now.

Thank you, I'll test your last solution! For now it works great!