I've had good experience with unattended upgrades on Debian/Ubuntu, and I know from several people who say the same.

Key would have to be identical for all friends, as Recorder supports a single key only.

Recorder has support for per/user encryption keys.

"mapLayerStyle" : "OpenStreetMapNormal"

that setting is now in .otrc config / inline config

Currently this is set to 3 (MQTTV31), but should be 4 (MQTTV311). We cannot use MQTTV5 because Android doesn't support it yet.

But we have not experience with MQTTV31, which was replaced by MQTTV311 in 2014!!!

EDIT: Found the issue. Needed to re-import config file, even though I manually made the changes in the app on my end.

Hi, I just wanted to ask: Is the following log due to being rate-limited by OpenCage? If so, is there a better free alternative that allows many more, or even unlimited?

2024-03-21 15:49:54.385 W OpenCageGeocoder: Rate-limited, not querying until 2024-03-22T00:00:00Z
2024-03-21 15:49:59.299 W OpenCageGeocoder: Rate-limited, not querying until 2024-03-22T00:00:00Z
2024-03-21 15:50:01.054 W MessageProcessorEndpointMqtt: failed connection attempts: 13

Only noticed it because location data stopped updating in OT server.
I have tried removing the OpenCage API key from configuration & re-using sudo ./bootstrap.sh, as well as switching from OpenCage to Google in the app itself, but it seems I am still not getting location updates?

And now I am getting:

2024-03-21 16:10:08.254 W MessageProcessorEndpointMqtt: failed connection attempts: 34
2024-03-21 16:10:08.254 E MessageProcessor: Message delivery failed. queueLength: 4813, messageId: 1711050466922-87debc
2024-03-21 16:10:08.258 W MessageProcessor: Error sending message. Re-queueing
2024-03-21 16:10:08.262 I MessageProcessor: Waiting for 120 s before retrying
2024-03-21 16:10:18.613 I ServiceStarter$Impl: starting service
2024-03-21 16:10:40.221 I MQTTReconnectWorker: MQTTReconnectWorker started on threadID: Thread[androidx.work-2,5,main]
2024-03-21 16:10:40.753 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException:  (5)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:243)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:246)
	at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by:  (5)
	at okio.Okio__OkioKt.createMqttException(Unknown Source:15)
	at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(SourceFile:259)
	at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(Unknown Source:91)
	at java.lang.Thread.run(Thread.java:923)

d1

system: generate user .otrc files in userdata ------------------------------------- 12.14s
system: create password files in userdata ------------------------------------------ 8.43s
ot-recorder: add/delete keys for users which have them ----------------------------- 6.75s
nginx: add users to htpasswd ------------------------------------------------------- 6.25s
system: add ufw open ports --------------------------------------------------------- 4.71s
system: install required packages -------------------------------------------------- 4.11s
lego: enroll at letsencrypt -------------------------------------------------------- 1.87s
frontend: unpack dist -------------------------------------------------------------- 1.85s
ot-recorder: install package ------------------------------------------------------- 1.60s
system: create directories --------------------------------------------------------- 1.58s
ot-recorder: launch service -------------------------------------------------------- 1.54s
Gathering Facts -------------------------------------------------------------------- 1.46s
restart_mosquitto ------------------------------------------------------------------ 1.20s
lego: get certificate information -------------------------------------------------- 1.13s
system: enable ufw ----------------------------------------------------------------- 1.10s
system: template out sys.info ------------------------------------------------------ 1.09s
nginx: install OwnTrack's index.php ------------------------------------------------ 1.06s
lego: template out enroller -------------------------------------------------------- 1.06s
system: install OwnTracks repository key ------------------------------------------- 1.05s
lego: template out certificate/key installer --------------------------------------- 1.01s

Please Delete This

Mosquitto 2.1 will add a --test-config switch:

Cannot reproduce on either Firefox or Chrome (on Mac). Safari periodically asks for basic auth credentials in spite of saving them.

So, when I locally hosted OwnTracks in a Docker container on Windows, my battery percentage showed properly on the server localhost table URL. I am now using a Linux VPS and I noticed at the table URL (https://owntracks.domain.com/owntracks/table/), the battery is showing 0%, even though I am at 100%. Why is this?

Image showing 0%: https://i.imgur.com/21K430O.png

Not sure how it's work fine on Docker container but not now that I'm using a proper VPS. If it matters, was using HTTP mode on Docker, but MQTT on VPS.

Similarly to how we create friend-specific MQTT ACLs, we could add user-specific waypoints to the inline/otrc configuration during bootstrapping.

A directory waypoints/ would contain <username>.json with an array of waypoints which is merged into .otrc.

This permits, say, a family to pre-configure "Home", "Sports", etc. for certain or all members.

There's no real reason why it shouldn't work on Raspbian but we should test

Not bad, I think.

$ free
               total        used        free      shared  buff/cache   available
Mem:          468740      125608       55036        4040      304200      343132
Swap:        2097148       52204     2044944

$ mosquitto_sub -u _lr -P "$(cat /usr/local/owntracks/userdata/.lr.pw)" -v -t '$SYS/broker/load/messages/#'

$SYS/broker/load/messages/received/1min 24.08
$SYS/broker/load/messages/sent/1min 105.69
$SYS/broker/load/messages/received/5min 11.80
$SYS/broker/load/messages/sent/5min 48.34
$SYS/broker/load/messages/received/15min 4.61
$SYS/broker/load/messages/sent/15min 18.64

Would be nice to have: an Ansible module which does that, somewhat like community.general.htpasswd

Upon configuring Quicksetup we automagically set up friends and add them to mosquitto.acl, give them passwords in mosquitto.pw and htpasswd.

In Mosquitto's ACL we configure one friend can see all which at least for the moment is okay'ish.

But when configuring httpmode for a friend, there's no automatic addition of anybody to the friends in HTTP mode Recorder database.

This is both an enhancement and a bug. ;-)

Hi, I'm trying to install the latest version. However, I'm facing the following issues during the bootstrap phase:

TASK [verify some requirements] ************************************************
fatal: [localhost]: FAILED! => {
"assertion": "ansible_distribution_release in [ 'bookworm', 'jammy' ]",
"changed": false,
"evaluated_to": false,
"msg": "Assertion failed"
}

I'm running Ubuntu 23.10 and carefully followed all installation steps you provided.

tks!

Been following this: https://owntracks.org/booklet/guide/quicksetup/
I am using an Ubuntu VPS. It is all set up now and I was able to login to the page at https://owntracks.example/owntracks/

However, I wanted to change the password that was given to me automatically to something simple. So, in my VPS, I navigated to /usr/local/owntracks/userdata/ and then did nano username.pass. I changed the password here, pressed CTRL+X to exit, then chose "Y" to save the file.

Well, when I go to login to https://owntracks.example/owntracks/, it is still taking the old password and not the new one I set, even after a reboot of the VPS, and even though the username.pass file is showing my new password that I wanted. Help?

With randon rid

Where do ot-recorder logs end up (systemd in debian)? I think this is handled by systemd
mosquitto and nginx use logrotate
There is another log /var/log/php8.2-fpm.log ...

We've done almost all testing on quicksetup with MQTT, which is obvious as we prefer that protocol.

I've tested HTTP POST, but we need to test whether an OwnTracks device (Android, iOS) correctly works on HTTP.

Reminder: we do not support WS over MQTT.

We'll have to add automation for creating Frontend dist/ releases. There's an open request for doing so.

If a friend is configured and deployed with secret key, and the key is later removed from configuration.yaml, the user-device entry Recorder's keys database remains in place.

In terms of idempotency we should fix this.

Maybe a bit overkill at the moment, but doable.

OwnTracks supports username/devicename, but during creation of quicksetup we assumed a user would have one device only.

Test whether this is a problem. After reviewing the mkpasswords filter, i don't actually think so ...

I'm running a ubuntu jammy 24.04 vps on oracle cloud and a seperately hosted domain.
I followed all the steps in the "new" quicksetup in the booklet and everything worked fine running bootstrap.sh until task lego:enroll at letsencrypt.

I think its best if I just paste the error message here. I replaced what I thought was sensitive with IplaceholdersI

fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["/usr/local/owntracks/lego/enroll.sh"], "delta": "0:00:18.573103", "end": "2024-05-04 22:08:31.223056", "msg": "non-zero return code", "rc": 1, "start": "2024-05-04 22:08:12.649953", "stderr": "", "stderr_lines": [], "stdout": "2024-05-04T22:08:12\n2024/05/04 22:08:13 

[INFO] [IdomainI] acme: Obtaining bundled SAN certificate\n2024/05/04 22:08:14 
[INFO] [IdomainI] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/IauthidI\n2024/05/04 22:08:14 
[INFO] [IdomainI] acme: Could not find solver for: tls-alpn-01\n2024/05/04 22:08:14
[INFO] [IdomainI] acme: use http-01 solver\n2024/05/04 22:08:14 
[INFO] [IdomainI] acme: Trying to solve HTTP-01\n2024/05/04 22:08:31 
[INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/IauthidI\n2024/05/04 22:08:31 Could not obtain certificates:\n\terror: one or more domains had a problem:\n[IdomainI] acme: error: 400 :: urn:ietf:params:acme:error:connection
:: IIP-AddressI: Fetching http://IdomainI/.well-known/acme-challenge/Irandom lettersI: Timeout during connect (likely firewall problem), url: ", "stdout_lines": ["2024-05-04T22:08:12", "2024/05/04 22:08:13
 
[INFO] [IdomainI] acme: Obtaining bundled SAN certificate", "2024/05/04 22:08:14 
[INFO] [IdomainI] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/IauthidI", "2024/05/04 22:08:14 
[INFO] [IdomainI] acme: Could not find solver for: tls-alpn-01", "2024/05/04 22:08:14 
[INFO] [IdomainI] acme: use http-01 solver", "2024/05/04 22:08:14 
[INFO] [IdomainI] acme: Trying to solve HTTP-01", "2024/05/04 22:08:31 
[INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/IauthidI", "2024/05/04 22:08:31 Could not obtain certificates:", "\terror: one or more domains had a problem:", "[IdomainI] acme: error: 400 :: urn:ietf:params:acme:error:connection :: IIP-AddressI: Fetching http://IdomainI/.well-known/acme-challenge/Irandom lettersI: Timeout during connect (likely firewall problem), url: "]}

My question is mainly where the problem exactly lies. Is it a problem with the domain? With the settings of the VPS on Oracle Cloud? Or is it just a directory that doesnt have proper chmod. Im struggling with this error message for days now. I already configured the iptables to allow everything but still it just says "firewall problem"

This is the first Issue I ever post on Github, so Im sorry if im labeling it wrong 😅
Thanks in advance

-Gus

I'm working on two things that are both MQTT related with the recent change.

Short Question:
1) Where do I put the extra configuration lines for the own tracks-cards (listener 9001)

2) Can the 'listener 1883 127.0.0.1' be chaged to just 'listener 1883' for local (non ssl) access to the MQTT broker?

Long version of question 1)
Cards: I used the online tool to create a card https://avanc.github.io/owntracks-cards/. Since I'm really new to MQTT, I tried publishing the card via MQTT Explorer https://apps.apple.com/us/app/mqtt-explorer/id1455214828?mt=12

In that application, I used:
topic owntracks/indigo/myphone/info
copy/paste the json from the saved file created with the online tool. Click "Publish"

On the owntracks web interface... "Device Table"... it worked. The icon is there, and name is now "Indigo Server" instead of "IS". However, on the other devices, the card didn't populate? From my device "bill/myphone" I still see "IS" and just the circle with an "IS" in the middle. So it kida worked.

Next I decided to add the card page thing to my raspberry pi. https://github.com/avanc/owntracks-cards

Where I'm stuck.... where to put the extra configuration lines? Since mosquitto now uses owntracks.conf, I considered adding it to the end of that file (spoiler: don't do that) crashed mosquitto, removed the extra lines, restart rPi a couple times, now I'm back to square 1.

# -- 1883 ----- Plain (loopback only)
listener 1883 127.0.0.1

# -- 8883 ----- TLS
listener 8883
# cafile /etc/mosquitto/certs/.lego/certificates/isl.mynetgear.com.issuer.crt
cafile /usr/local/owntracks/tls/cert.crt
certfile /usr/local/owntracks/tls/cert.crt
keyfile /usr/local/owntracks/tls/cert.key
# -- ends

# -- 9001 ----- Cards
listener 9001
protocol websockets
http_dir /home/williammoore/owntracks-cards

Long version of question 2)
I'm having a booger of a time connecting my home automation system (on the same LAN network) to the MQTT broker. IPaddress/User/password is right. Tried DNS instead of IPaddress. Selected SSL/TLS. Tried adding the .cert file to my indigo server from /usr/local/owntracks/tls/cert.crt Every thing I have tried so far has yielded zero. But it is a local connection, so I'm not too concerned about the security of it and I closed port forwarding on 1883 when the MQTT changed to 8883. Can the 1883 config line be changed to:

# -- 1883 ----- Plain 
listener 1883
# -- 1883 ------ loopback
listener 1883 127.0.0.1

or something similar?

OTRC config can contain keys which either OS doesn't support, but there are some keys with values that need to differ:

• mqttProtocolLevel :
  - ios: 5
  - android: 3
• waypoints :
  - ios: +follow
  - android: none

.. and bail otherwise.

wenn es mehrere devices per user gibt und dort verschiedene passwörter angegeben werden klappt der MQTT connect nicht, weil im otrc nicht das erste sondern die verschiedenen Passwörter stehen

Instead of installing via packages, we should install via pip (to user). Installing ansible-core and the two required collections is likely faster and will consume less space.

The advantage for us is pinning the release we want and thus having same versions on Debian and Ubuntu.

Must verify we then have

• passlib
• requests
• paho.mqtt

When Quicksetup configures a system, we create a mosquitto.conf which can, if necessary, be augmented by user-specific files dropped into conf.d/; these will be picked up during a Mosquitto restart.

Assuming a user needs specific ACLs, however, we have no provision for specifying these. Bootstrapping creates a mosquitto.acl which, if necessary, is overwritten at each run.

It's probably worth our while, long-term, to look at the dynamic security plugin which is auto-installed with the Debian Mosquitto package.

I'm running MQTT and owntracks on the same raspberry pi. I have everything working pretty well except for a couple oddities with having a few older phones in my setup (running older versions of owntracks). It still works, but can't do certain things like enable them to receive commands to force a location update. (Seperate issue but not a show stopper)

On the server side, I want to be able to have more control over manipulating data. The data store is located in the default location which works, but I started seeing issues when I tried to delete a user. During testing I created a user with a typo in the name. Re-created a user on that device, but the old user is still there.

I tried the "Kill" command but got the "No comprendo" message. Doing a version check, however, shows that "WITH_KILL = yes" so ?
deleting a file is combersome as I can't use cyberduck or GUI due to permissions. I have to telnet in and use sudo commands to delete stuff in the var/spool/owntracks/recorder/store/rec/(user_directory)/(YYYY-MM.rec).

When I finally deleted the user file and folder under rec directory, the user is still visible on devices and on the recorder page.

I also tried getting around the permissions thing by moving the store to home/me/Documents/owntracks...../store (I made a full copy at that location).... then I get an error with owntracks... something about ghash Permissions Denied.

So I know I messed up something somewhere but I'm not sure what direction to go in now.