Hello, I’m having several issues configuring SSL + MQTT + Certificates.
I’m following:
1: No matter which values I put into chirpstack-certificates/config/ca-config.json, the CA and all generated certificates have the duration of 5 years.
ca-config.json
{
    "signing": {
        "default": {
            "expiry": "80000h"
        },
        "profiles": {
            "client": {
                "expiry": "80000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "server": {
                "expiry": "80000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "signing": {
                "expiry": "80000h",
                "usages": [
                    "signing",
                    "key encipherment"
                ]
            }
        }
    }
}
2: I’m trying to generate certificates for the [application_server.external_api], but I cannot find the scheme in “chirpstack-certificates” to generate a self-signed certificate. That’s in order to secure a connection to it from outside using HTTPS. I’m aware of the fact that the browser would throw an error. It should be fine if I install the certificate on the technicians’ computers, but correct me if I’m wrong :).
3: I’m using docker-compose for the Application Server + Network Server. Is it necessary to have an internal SSL connection between the Application Server and Network Server between the dockers, to be able to have a secure MQTT/SSL connection towards the gateways? Is it necessary for the gateway key generation?
4: No matter what I write on client_cert_lifetime under [application_server.integration.mqtt.client], all certificates have the duration of 1 year from now.
chirpstack-application-server.toml
[join_server]
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server-key.pem"
[application_server.integration.mqtt]
server="tcp://mosquitto:1883"
username="_USERNAME_"
password="_PASSWORD_"
[application_server.integration.mqtt.client]
ca_cert="/etc/certs/ca/ca.pem"
ca_key="/etc/certs/ca/ca-key.pem"
## Time expressed in hours ??
client_cert_lifetime="80000h"
[application_server.api]
public_host="chirpstack-application-server:8001"
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server-key.pem"
[application_server.external_api]
## What to put here in terms of ca_cert, tls_cert, tls_key?
bind="0.0.0.0:8080"
jwt_secret="_JWT_SECRET_"
5: While using the default Mosquitto, which of the generated files under certs/mqtt and certs/ca are the correct ones for the configuration options: certfile, keyfile, cafile?
6: Would the following config set up two Mosquitto listeners:
One local for the Application Server and Network server, through TCP
One secured through SSL with an ACL gateway_acl.acl
or have I missed something?
mosquitto.conf
per_listener_settings true
listener 1883 localhost
allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd
listener 8883
allow_anonymous false
password_file /mosquitto/config/mosquitto_gateways.passwd
acl_file /mosquitto/config/gateway_acl.acl
require_certificate true
certfile mosquitto/certs/mqtt/????
keyfile mosquitto/certs/mqtt/mqtt-server-key.pem
cafile mosquitto/certs/mqtt/???
7: Would the following ACL be complete to limit the readability of the gateways to their own topics, being secured and identified through their key?
gateway_acl.acl
pattern readwrite gateway/%u/#
pattern readwrite application/%u/#
Thank you. I’ve been trying to solve these problems for a few days now, sorry for the numerous questions.
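A small added check for question 7 (my own Python, not part of the post, ChirpStack or Mosquitto): it re-implements Mosquitto's pattern-ACL matching so the two gateway_acl.acl lines can be exercised against constructed topics. It assumes the username Mosquitto sees for a gateway is that gateway's ID (from the password file, or from the certificate CN when use_identity_as_username is enabled).

```python
# Constructed re-implementation of Mosquitto "pattern" ACL matching, used only
# to sanity-check the two lines from gateway_acl.acl. Mosquitto substitutes %u
# with the client's username before matching the filter against the topic, and
# denies anything no ACL line allows.

# The two lines from the post's gateway_acl.acl (assumption: %u is the gateway ID)
ACL_PATTERNS = [
    ("readwrite", "gateway/%u/#"),
    ("application/%u/#", "readwrite")[::-1],  # same shape as the first entry
]

ACCESS_OF = {"read": {"read"}, "write": {"write"}, "readwrite": {"read", "write"}}


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches the rest
    (including the parent topic itself, as in the MQTT spec)."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def allowed(username: str, topic: str, access: str) -> bool:
    """True if a client authenticated as `username` may `access` ('read' or
    'write') `topic` under ACL_PATTERNS. Default is deny."""
    for perm, pattern in ACL_PATTERNS:
        concrete = pattern.replace("%u", username)
        if access in ACCESS_OF[perm] and topic_matches(concrete, topic):
            return True
    return False


if __name__ == "__main__":
    # Constructed gateway IDs; a gateway must not see another gateway's topics.
    print(allowed("0102030405060708", "gateway/0102030405060708/event/up", "write"))
    print(allowed("0102030405060708", "gateway/1112131415161718/command/down", "read"))
```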