Basic Station TLS setup with ChirpStack v4 – CN mismatch when using GUI-generated client certificate

Hi,

I am trying to set up Basic Station with ChirpStack v4 using TLS certificates.
I followed the official ChirpStack certificate generation repo:

From that, I generated the following certificates:

  • basicstation.csr, basicstation.pem, basicstation-key.pem
  • ca-key.pem, ca.csr, ca.pem
  • mqtt-broker-key.pem, mqtt-broker.csr, mqtt-broker.pem

Then I created a new directory called certs in /chirpstack-docker and copied all the certificates into it.

~/chirpstack-docker/certs$ ls
basicstation-key.pem  basicstation.csr  basicstation.pem  ca-key.pem  ca.csr  ca.pem  mqtt-broker-key.pem  mqtt-broker.csr  mqtt-broker.pem

Configuration I applied
docker-compose.yml

  chirpstack-gateway-bridge-basicstation:
    image: chirpstack/chirpstack-gateway-bridge:4
    restart: unless-stopped
    command: -c /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge-basicstation-eu868.toml
    ports:
      - "3001:3001"
    volumes:
      - ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
      - ./certs:/etc/certs
    depends_on:
      - mosquitto

chirpstack.toml

[integration.mqtt.client]
  client_cert_lifetime = "12months"
  ca_cert = "/etc/certs/ca.pem"
  ca_key = "/etc/certs/ca-key.pem"

[gateway]
  client_cert_lifetime = "12months"
  ca_cert = "/etc/certs/ca.pem"
  ca_key = "/etc/certs/ca-key.pem"

chirpstack-gateway-bridge-basicstation-eu868.toml

[backend]
type="basic_station"

  [backend.basic_station]
  bind=":3001"
  tls_cert="/etc/certs/basicstation.pem"
  tls_key="/etc/certs/basicstation-key.pem"
  ca_cert="/etc/certs/ca.pem"

chirpstack-gateway-bridge.toml

# TLS configuration
ca_cert="/etc/certs/ca.pem"
tls_cert="/etc/certs/basicstation.pem"
tls_key="/etc/certs/basicstation-key.pem"

Issue

  • When I generate a gateway client certificate from the ChirpStack GUI, it creates a new CA certificate, which is different from the original CA I created (ca.pem).

  • Using that GUI-generated certificate, the Basic Station gateway cannot connect to ChirpStack due to a CN mismatch error.

Question

  • Is ChirpStack supposed to reuse the provided ca.pem + ca-key.pem for issuing client certificates?

  • Or am I missing a configuration step that causes ChirpStack to fall back to generating its own CA?

Thanks for the help!
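
A check that fits the situation described in this post, as an added example that is not part of the original post or of ChirpStack's own tooling: it uses the openssl CLI to test whether a certificate was signed by a given CA and to read its subject CN. The function names, the file names, and the throwaway demo-ca-A / demo-ca-B / gateway certificates built by make_demo_pki are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's files: which CA signed a certificate, and what CN it carries.

# issued_by CA CERT: exit status 0 only if CERT verifies against CA as trust anchor.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_field subject|issuer CERT: print that distinguished name in RFC 2253 form.
cert_field() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# cert_cn CERT: print the subject CN (the value a CN check compares).
cert_cn() {
    cert_field subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# make_demo_pki DIR: constructed throwaway data. Two unrelated CAs, and a
# client certificate with a made-up CN that is signed by CA "B" only.
make_demo_pki() {
    d="$1"
    for n in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca-$n" \
            -keyout "$d/ca$n-key.pem" -out "$d/ca$n.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=0102030405060708" \
        -keyout "$d/gw-key.pem" -out "$d/gw.csr" 2>/dev/null
    openssl x509 -req -in "$d/gw.csr" -CA "$d/caB.pem" -CAkey "$d/caB-key.pem" \
        -CAcreateserial -days 1 -out "$d/gw.pem" 2>/dev/null
}

# report CA CERT: summary for a real pair of files.
report() {
    echo "CA subject  : $(cert_field subject "$1")"
    echo "cert issuer : $(cert_field issuer "$2")"
    echo "cert CN     : $(cert_cn "$2")"
    if issued_by "$1" "$2"; then echo "result      : signed by this CA"
    else echo "result      : NOT signed by this CA"; fi
}

# Run as: sh check.sh ca.pem <downloaded-cert>.pem
if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```

Running it with ca.pem and the certificate downloaded from the GUI shows whether the two are actually related, and the printed CN is the value to compare against the one named in the CN mismatch error.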
