From e3a3e41f61ce0acfb591b045b0ab87b4172715b7 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Thu, 29 Jan 2026 13:07:34 +0100
Subject: [PATCH] changes
---
certificate.yml | 2 +-
deploy.yml | 4 +++-
mosquitto.conf | 2 ++
update-config.sh | 8 ++++++++
4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/certificate.yml b/certificate.yml
index 0bfb741..41586cd 100644
--- a/certificate.yml
+++ b/certificate.yml
@@ -21,7 +21,7 @@ spec: - broker2.hottis.de - broker.cem-berresheim.ib-hottgenroth.de issuerRef: - name: letsencrypt-staging-http + name: letsencrypt-production-http kind: ClusterIssuer group: cert-manager.io
diff --git a/deploy.yml b/deploy.yml
index b4f3160..ae4c5db 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -17,7 +17,7 @@ spec: spec: containers: - name: mosquitto-broker - image: eclipse-mosquitto:2.0.22 + image: eclipse-mosquitto:2.0.22-openssl ports: - name: mqtt containerPort: 1883
@@ -52,6 +52,8 @@ spec: path: mosquitto.conf - key: pwfile path: pwfile + - key: dhparam.pem + path: dhparam.pem - name: mosquitto-broker-cert secret: secretName: mosquitto-broker-cert
diff --git a/mosquitto.conf b/mosquitto.conf
index ea57e03..ee5156e 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -18,8 +18,10 @@ password_file /mosquitto/config/pwfile listener 8883 protocol mqtt +tls_version tlsv1.2 allow_anonymous false password_file /mosquitto/config/pwfile certfile /mosquitto/config/ssl/server.crt keyfile /mosquitto/config/ssl/server.key +dhparamfile /mosquitto/config/dhparam.pem
diff --git a/update-config.sh b/update-config.sh
index 1cc9685..69e576f 100755
--- a/update-config.sh
+++ b/update-config.sh 
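Review bot: The new `dhparam.pem` item in the ConfigMap volume of the second deploy.yml hunk makes the pod depend on a key that only exists once the updated update-config.sh has been run; a ConfigMap volume with explicit `items` fails to mount when a listed key is absent, so applying this manifest against a ConfigMap produced by the previous script version leaves the pod unable to start. That is the right failure mode for a TLS input file (do not mark the volume `optional: true`), but the ordering deserves a comment next to the item: `# dhparam.pem is written into the ConfigMap by update-config.sh; run it before applying this manifest`. Separately, the first hunk now references the image by bare tag `eclipse-mosquitto:2.0.22-openssl`; pinning it by digest, e.g. `image: eclipse-mosquitto:2.0.22-openssl@sha256:<digest-placeholder>`, would make the rollout reproducible and verifiable by admission policy.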
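Review bot: `tls_version tlsv1.2` on the 8883 listener may do the opposite of what a minimum-version setting would do: as far as I can tell from the Mosquitto 2.x sources, this option selects exactly one protocol version, so TLS 1.3 clients would be refused — confirm against the 2.0.22 documentation before keeping it. With the option unset, Mosquitto 2.0 already disables SSLv3, TLS 1.0 and TLS 1.1 on a TLS listener, so if the intent is "TLS 1.2 or newer" the line can simply be dropped. If it is kept deliberately — for instance because a specific client only negotiates DHE suites under 1.2, which is also the only case where the new `dhparamfile` has any effect, since TLS 1.3 ignores custom DH parameters — a comment above the line should say so: `# pinned to TLS 1.2 only: <reason>`.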
@@ -6,9 +6,17 @@ NAMESPACE=mosquitto SECRETS_PLAINTEXT=$(mktemp) gpg --pinentry-mode=loopback --decrypt --output $SECRETS_PLAINTEXT secrets.asc + +DHPARAM=$(mktemp) +openssl dhparam -out $DHPARAM 2048 + kubectl create configmap mosquitto-broker-config \ --from-file=mosquitto.conf=mosquitto.conf \ --from-file=pwfile=$SECRETS_PLAINTEXT \ + --from-file=dhparam.pem=$DHPARAM \ --namespace=$NAMESPACE \ --dry-run=client -o yaml | kubectl apply -f - -n $NAMESPACE +rm $SECRETS_PLAINTEXT +rm $DHPARAM +
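Review bot: The cleanup added at the end of the hunk (`rm $SECRETS_PLAINTEXT`, `rm $DHPARAM`) only runs if the script reaches its last line; `openssl dhparam ... 2048` takes minutes, and an interrupted run — or an earlier failure, if the header outside this hunk enables `set -e` — leaves the decrypted password file in the temp directory. Register the cleanup right after the two `mktemp` calls instead, `trap 'rm -f "$SECRETS_PLAINTEXT" "$DHPARAM"' EXIT`, and drop the two trailing `rm` lines. Regenerating the DH parameters on every invocation also means the ConfigMap content changes on each run even when nothing else did; since `dhparam.pem` is not secret, generating it once and keeping it next to `mosquitto.conf` (or only generating it when the file is absent) makes the update idempotent. The variable expansions on the new lines are unquoted (`-out $DHPARAM`, `--from-file=dhparam.pem=$DHPARAM`); quoting them keeps the `mktemp` paths intact if TMPDIR ever contains spaces.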