Configuration of certifications and MQTT

Hello, I’m having several issues configuring SSL + MQTT + Certificates.

I’m following:

1: No matter which values I put into chirpstack-certificates/config/ca-config.json, the CA and all generated certificates have a duration of 5 years.

ca-config.json

{
  "signing": {
    "default": {
      "expiry": "80000h"
    },
    "profiles": {
      "client": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "server": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "signing": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment"
        ]
      }
    }
  }
}

2: I’m trying to generate certificates for the [application_server.external_api], but I cannot find the scheme in “chirpstack-certificates” to generate a self-signed certificate. That’s in order to secure a connection to it from outside using HTTPS. I’m aware of the fact that the browser would throw an error. It should be fine if I install the certificate on the technicians’ computers, but correct me if I’m wrong :).

3: I’m using docker-compose for the Application Server + Network Server. Is it necessary to have an internal SSL connection between the Application Server and Network Server between the dockers, to be able to have a secure MQTT/SSL connection towards the gateways? Is it necessary for the gateway key generation?

4: No matter what I write on client_cert_lifetime under [application_server.integration.mqtt.client], all certificates have the duration of 1 year from now.

chirpstack-application-server.toml

[join_server]
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server-key.pem"

[application_server.integration.mqtt]
server="tcp://mosquitto:1883"
username="_USERNAME_"
password="_PASSWORD_"

[application_server.integration.mqtt.client]
ca_cert="/etc/certs/ca/ca.pem"
ca_key="/etc/certs/ca/ca-key.pem"
## Time expressed in hours ??
client_cert_lifetime="80000h"

[application_server.api]
public_host="chirpstack-application-server:8001"
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server-key.pem"


[application_server.external_api]
## What to put here in terms of ca_cert, tls_cert, tls_key?

bind="0.0.0.0:8080"
jwt_secret="_JWT_SECRET_"

5: While using the default Mosquitto, which of the generated files under certs/mqtt and certs/ca are the correct ones for the configuration options: certfile, keyfile, cafile?

6: Would the following config set up two Mosquitto listeners:
One local for the Application Server and Network server, through TCP
One secured through SSL with an ACL gateway_acl.acl

or have I missed something?

mosquitto.conf

per_listener_settings true

listener 1883 localhost
allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd


listener 8883
allow_anonymous false
password_file /mosquitto/config/mosquitto_gateways.passwd
acl_file /mosquitto/config/gateway_acl.acl

require_certificate true
certfile mosquitto/certs/mqtt/????
keyfile mosquitto/certs/mqtt/mqtt-server-key.pem
cafile mosquitto/certs/mqtt/???

7: Would the following ACL be complete to limit the readability of the gateways to their own topics, being secured and identified through their key?

gateway_acl.acl

pattern readwrite gateway/%u/#
pattern readwrite application/%u/#

Thank you. I’ve been trying to solve these problems for a few days now, sorry for the numerous questions.
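The ACL in question 7 is easier to reason about when you can evaluate it against concrete topics. The following is an added example, not code from ChirpStack or Mosquitto: a small Python model of Mosquitto's `pattern` ACL evaluation (`%u` replaced by the connecting username, `%c` by the client ID, MQTT `+`/`#` wildcard matching, deny by default). The gateway ID used as username and the topic names are constructed for the demonstration; they only follow the `gateway/<id>/...` and `application/<id>/...` prefixes the two ACL lines target.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    access: str    # "read", "write" or "readwrite"
    pattern: str   # topic filter; %u = username, %c = client ID (Mosquitto pattern ACL)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1   # '#' is only valid as the last level
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def parse_acl(text: str) -> list[AclRule]:
    """Parse the 'pattern <access> <filter>' lines of a Mosquitto acl_file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, access, pattern = line.split(maxsplit=2)
        if kind != "pattern" or access not in ("read", "write", "readwrite"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append(AclRule(access, pattern))
    return rules


def allowed(rules: list[AclRule], username: str, client_id: str, topic: str, op: str) -> bool:
    """True if some rule grants `op` ('read' or 'write') on `topic`; deny by default."""
    for rule in rules:
        if op not in rule.access:           # "read" and "write" are both in "readwrite"
            continue
        filt = rule.pattern.replace("%u", username).replace("%c", client_id)
        if topic_matches(filt, topic):
            return True
    return False


# The two lines from gateway_acl.acl in the question.
GATEWAY_ACL = """\
pattern readwrite gateway/%u/#
pattern readwrite application/%u/#
"""


def evaluate_gateway_acl(username: str = "0102030405060708") -> dict:
    """Evaluate constructed topics for one gateway whose MQTT username is its ID."""
    rules = parse_acl(GATEWAY_ACL)
    other = "ffffffffffffffff"   # constructed ID of a different gateway
    checks = [
        (f"gateway/{username}/event/up", "write"),        # its own uplink topic
        (f"gateway/{username}/command/down", "read"),     # its own downlink topic
        (f"gateway/{other}/command/down", "read"),        # another gateway's topic
        ("application/1/device/0004a30b001c0530/event/up", "read"),  # numeric app ID
        (f"application/{username}/device/0004a30b001c0530/event/up", "read"),
    ]
    return {(topic, op): allowed(rules, username, username, topic, op)
            for topic, op in checks}


if __name__ == "__main__":
    for (topic, op), ok in evaluate_gateway_acl().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {op:5} {topic}")
```

Running it shows that `gateway/%u/#` confines a gateway to the subtree named after its own username and denies another gateway's `command/down`, while `application/%u/#` only ever matches an `application/` subtree whose second level equals that same username. The username that `%u` expands to is whatever the listener authenticates: the password_file entry in the question's listener, or the client certificate's CN if the listener also sets `use_identity_as_username true`.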

I have a solution for this problem:

Your ca-csr.json controls the expiration date for the CA certificate. Below is an example to create CA certificates that expire in one year.

ca-csr.json

{
  "CN": "ChirpStack CA",
  "CA":  {
    "expiry": "8760h",
    "pathlen": 0
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
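To see the two lifetimes from questions 1 and 4 as separate knobs, here is an added example that is not part of the thread or of chirpstack-certificates. It uses plain openssl instead of cfssl, so it runs without the cfssl tooling: the `-days` given to the self-signed CA plays the role of `ca.expiry` in ca-csr.json, and the `-days` given to each CA-signed leaf plays the role of a profile's `expiry` in ca-config.json. Directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ChirpStack project or this thread. It uses openssl
# in place of cfssl to show that a CA's own lifetime and the lifetime of the
# leaf certificates it signs are set independently: the first corresponds to
# "ca.expiry" in ca-csr.json, the second to a profile's "expiry" in ca-config.json.
set -e
WORK="${WORK:-$(mktemp -d)}"     # scratch directory (constructed, not a ChirpStack path)

# make_ca <days>: self-signed CA, the openssl counterpart of `cfssl gencert -initca`.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ChirpStack CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days "$1" -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# make_leaf <name> <days> <serverAuth|clientAuth>: CA-signed end-entity cert, the
# counterpart of `cfssl gencert -ca ... -config ca-config.json -profile server|client`.
make_leaf() {
  name="$1"; days="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days "$days" -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# still_valid_after <cert.pem> <days>: exit 0 if the certificate is still valid
# that many days from now, 1 otherwise (-checkend takes seconds).
still_valid_after() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo: a 5-year CA (the lifetime observed in the question), a 1-year server
# certificate for the MQTT broker and a 30-day client certificate for a gateway.
make_ca 1825
make_leaf mqtt-server 365 serverAuth
make_leaf gateway-0102030405060708 30 clientAuth
for c in ca mqtt-server gateway-0102030405060708; do
  printf '%-28s %s\n' "$c" "$(openssl x509 -in "$WORK/$c.pem" -noout -enddate)"
done
openssl verify -CAfile "$WORK/ca.pem" "$WORK/mqtt-server.pem" "$WORK/gateway-0102030405060708.pem"
```

The three `notAfter` dates printed differ even though all certificates come from the same CA, which is the behaviour the poster was looking for. The same three files map onto the Mosquitto options from question 5: `certfile` is the serverAuth certificate, `keyfile` its private key, and `cafile` is the CA certificate, which with `require_certificate true` is also what Mosquitto uses to verify the clientAuth certificates presented by gateways.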

Hello @brocaar. Thank you so much for your amazing work on this software - it’s well… amazing!
Configuration:
CS Gateway OS-full on RPI
Home Assistant OS running MQTT, no TLS or certs configured.
I’m trying to solve a seemingly simple problem: to simply forward some CS, application-specific topics to another MQTT broker on the same network. On the CS RPI, I’m able to successfully run mosquitto_pub -h homeassistant.local -p 1883 -u xx -P xx -t "test/one" -m "the message" to the Home Assistant MQTT broker, as verified by MQTT Explorer running on a separate machine (but connected to the HA MQTT broker). As I’m having the issue below with the web UI MQTT integration, I’ve been unsuccessfully flailing to manually point CS at the other broker. As for my experience with the web UI and the MQTT integration:

Clicking the “GET CERTIFICATE” button yields a small popup with “no ca certificate or ca key configured (code: 2).” So I found your thread (this thread), which very nicely explains how to create the missing certs. The issue I’m having now is that there is no package manager (apt-get) nor git client on “ChirpStack Gateway OS” for RPI, nor does there appear to be a working GNU toolchain for building your own cfssl tools. Can you offer some guidance?

Again, thanks for your impressive work on this software.
-Wade

Please note that you can generate these certificates also from another host :slight_smile: There is no need to run these on the Raspberry Pi / Gateway OS.
