Good day everyone,
I would just like know if someone has managed to configure a working docker enviroment with MQTT certificates. I’ve been struggeling with this for the past 2 weeks reading few articles but nothing is helping.
Screenshot attached. Btw working without tls I have no issues.
!
It’s pretty straight forward, I’m sure most people on the forum have atleast at one point used a self-signed certs setup, I’ve since moved to using a reverse-proxy called Traefik for TLS termination; it seems commonly used here, and helps you avoid needing to generate certificates.
There are many configuration issues that could be causing your problems. If you share what you’ve done so far from the base docker install and your docker-compose.yml file it would be easier to help.
Also just clarify from the title you do mean you are having issues securing the gateway bridge → MQTT broker connection and you are not talking about the optional MQTT Integration?
Hi Liam thanks for coming back to me.
So I will share the docker compose file and the necesarry mosquitto folder structure in a moment. But to be clear I will only be using the UDP for gateway bridge so need for mqtt here(maybe on a later stage) I’m struggeling with the MQTT integration to forward the packets to my 3rd party application via MQTT.
On the same note I am familiar with traefix but this will not be needed reason being our 3rd pary app is on the same private network so self signed certificates will do 100%
I’m also receiving issues on my acl file I don’t know if I’m passing it through on my docker compose file
version: "3"
services:
chirpstack:
image: chirpstack/chirpstack:4
command: -c /etc/chirpstack
restart: unless-stopped
volumes:
- ./configuration/chirpstack:/etc/chirpstack
- ./lorawan-devices:/opt/lorawan-devices
depends_on:
- postgres
- mosquitto
- redis
environment:
- MQTT_BROKER_HOST=mosquitto
- REDIS_HOST=redis
- POSTGRESQL_HOST=postgres
ports:
- 8080:8080
chirpstack-gateway-bridge:
image: chirpstack/chirpstack-gateway-bridge:4
restart: unless-stopped
ports:
- 1700:1700/udp
volumes:
- ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
environment:
- INTEGRATION__MQTT__EVENT_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/event/{{ .EventType }}
- INTEGRATION__MQTT__STATE_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/state/{{ .StateType }}
- INTEGRATION__MQTT__COMMAND_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/command/#
depends_on:
- mosquitto
chirpstack-gateway-bridge-basicstation:
image: chirpstack/chirpstack-gateway-bridge:4
restart: unless-stopped
command: -c /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge-basicstation-eu868.toml
ports:
- 3001:3001
volumes:
- ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
depends_on:
- mosquitto
chirpstack-rest-api:
image: chirpstack/chirpstack-rest-api:4
restart: unless-stopped
command: --server chirpstack:8080 --bind 0.0.0.0:8090 --insecure
ports:
- 8090:8090
depends_on:
- chirpstack
postgres:
image: postgres:14-alpine
restart: unless-stopped
volumes:
- ./configuration/postgresql/initdb:/docker-entrypoint-initdb.d
- postgresqldata:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=root
redis:
image: redis:7-alpine
restart: unless-stopped
command: redis-server --save 300 1 --save 60 100 --appendonly no
volumes:
- redisdata:/data
mosquitto:
image: eclipse-mosquitto:2
restart: unless-stopped
ports:
- 1883:1883
- 8883:8883
volumes:
- ./configuration/mosquitto/config/:/mosquitto/config/
- ./configuration/mosquitto/config/acl/acl.conf:/mosquitto/config/acl.conf
- ./configuration/mosquitto/config/certs:/mosquitto/config/certs
volumes:
postgresqldata:
redisdata:
# Logging.
[logging]
# Log level.
#
# Options are: trace, debug, info, warn error.
level="info"
# PostgreSQL configuration.
[postgresql]
# PostgreSQL DSN.
#
# Format example: postgres://<USERNAME>:<PASSWORD>@<HOSTNAME>/<DATABASE>?sslmode=<SSLMODE>.
#
# SSL mode options:
# * disable - no SSL
# * require - Always SSL (skip verification)
# * verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
# * verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
dsn="postgres://chirpstack:chirpstack@$POSTGRESQL_HOST/chirpstack?sslmode=disable"
# Max open connections.
#
# This sets the max. number of open connections that are allowed in the
# PostgreSQL connection pool.
max_open_connections=10
# Min idle connections.
#
# This sets the min. number of idle connections in the PostgreSQL connection
# pool (0 = equal to max_open_connections).
min_idle_connections=0
# Redis configuration.
[redis]
# Server address or addresses.
#
# Set multiple addresses when connecting to a cluster.
servers=[
"redis://$REDIS_HOST/",
]
# TLS enabled.
tls_enabled=false
# Redis Cluster.
#
# Set this to true when the provided URLs are pointing to a Redis Cluster
# instance.
cluster=false
# Network related configuration.
[network]
# Network identifier (NetID, 3 bytes) encoded as HEX (e.g. 010203).
net_id="000000"
# Enabled regions.
#
# Multiple regions can be enabled simultaneously. Each region must match
# the 'name' parameter of the region configuration in '[[regions]]'.
enabled_regions=[
"eu868",
]
# API interface configuration.
[api]
# interface:port to bind the API interface to.
bind="0.0.0.0:8080"
# Secret.
#
# This secret is used for generating login and API tokens, make sure this
# is never exposed. Changing this secret will invalidate all login and API
# tokens. The following command can be used to generate a random secret:
# openssl rand -base64 32
secret="secret"
[integration]
enabled=["mqtt"]
[integration.mqtt]
server="tcp://$MQTT_BROKER_HOST:1883/"
json=true
[gateway]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"
[integration.mqtt.client]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"
# This file contains an example EU868 configuration.
[[regions]]
# ID is an user-defined identifier for this region.
id="eu868"
# Description is a short description for this region.
description="EU868"
# Common-name refers to the common-name of this region as defined by
# the LoRa Alliance.
common_name="EU868"
# Gateway configuration.
[regions.gateway]
# Force gateways as private.
#
# If enabled, gateways can only be used by devices under the same tenant.
force_gws_private=false
# Gateway backend configuration.
[regions.gateway.backend]
# The enabled backend type.
enabled="mqtt"
# MQTT configuration.
[regions.gateway.backend.mqtt]
# Topic prefix.
#
# The topic prefix can be used to define the region of the gateway.
# Note, there is no need to add a trailing '/' to the prefix. The trailing
# '/' is automatically added to the prefix if it is configured.
topic_prefix="eu868"
# MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
server="tcp://$MQTT_BROKER_HOST:1883"
# Connect with the given username (optional)
username=""
# Connect with the given password (optional)
password=""
# Quality of service level
#
# 0: at most once
# 1: at least once
# 2: exactly once
#
# Note: an increase of this value will decrease the performance.
# For more information: https://www.hivemq.com/blog/mqtt-essentials-part-6-mqtt-quality-of-service-levels
qos=0
# Clean session
#
# Set the "clean session" flag in the connect message when this client
# connects to an MQTT broker. By setting this flag you are indicating
# that no messages saved by the broker for this client should be delivered.
clean_session=false
# Client ID
#
# Set the client id to be used by this client when connecting to the MQTT
# broker. A client id must be no longer than 23 characters. If left blank,
# a random id will be generated by ChirpStack.
client_id=""
# Keep alive interval.
#
# This defines the maximum time that that should pass without communication
# between the client and server.
keep_alive_interval="30s"
# CA certificate file (optional)
#
# Use this when setting up a secure connection (when server uses ssl://...)
# but the certificate used by the server is not trusted by any CA certificate
# on the server (e.g. when self generated).
ca_cert=""
# TLS certificate file (optional)
tls_cert=""
# TLS key file (optional)
tls_key=""
# Gateway channel configuration.
#
# Note: this configuration is only used in case the gateway is using the
# ChirpStack Concentratord daemon. In any other case, this configuration
# is ignored.
[[regions.gateway.channels]]
frequency=868100000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=868300000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=868500000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=867100000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=867300000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=867500000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=867700000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=867900000
bandwidth=125000
modulation="LORA"
spreading_factors=[7, 8, 9, 10, 11, 12]
[[regions.gateway.channels]]
frequency=868300000
bandwidth=250000
modulation="LORA"
spreading_factors=[7]
[[regions.gateway.channels]]
frequency=868800000
bandwidth=125000
modulation="FSK"
datarate=50000
# Region specific network configuration.
[regions.network]
# Installation margin (dB) used by the ADR engine.
#
# A higher number means that the network-server will keep more margin,
# resulting in a lower data-rate but decreasing the chance that the
# device gets disconnected because it is unable to reach one of the
# surrounded gateways.
installation_margin=10
# RX window (Class-A).
#
# Set this to:
# 0: RX1 / RX2
# 1: RX1 only
# 2: RX2 only
rx_window=0
# RX1 delay (1 - 15 seconds).
rx1_delay=1
# RX1 data-rate offset
rx1_dr_offset=0
# RX2 data-rate
rx2_dr=0
# RX2 frequency (Hz)
rx2_frequency=869525000
# Prefer RX2 on RX1 data-rate less than.
#
# Prefer RX2 over RX1 based on the RX1 data-rate. When the RX1 data-rate
# is smaller than the configured value, then the Network Server will
# first try to schedule the downlink for RX2, failing that (e.g. the gateway
# has already a payload scheduled at the RX2 timing) it will try RX1.
rx2_prefer_on_rx1_dr_lt=0
# Prefer RX2 on link budget.
#
# When the link-budget is better for RX2 than for RX1, the Network Server will first
# try to schedule the downlink in RX2, failing that it will try RX1.
rx2_prefer_on_link_budget=false
# Downlink TX Power (dBm)
#
# When set to -1, the downlink TX Power from the configured band will
# be used.
#
# Please consult the LoRaWAN Regional Parameters and local regulations
# for valid and legal options. Note that the configured TX Power must be
# supported by your gateway(s).
downlink_tx_power=-1
# ADR is disabled.
adr_disabled=false
# Minimum data-rate.
min_dr=0
# Maximum data-rate.
max_dr=5
# Rejoin-request configuration (LoRaWAN 1.1)
[regions.network.rejoin_request]
# Request devices to periodically send rejoin-requests.
enabled=false
# The device must send a rejoin-request type 0 at least every 2^(max_count_n + 4)
# uplink messages. Valid values are 0 to 15.
max_count_n=0
# The device must send a rejoin-request type 0 at least every 2^(max_time_n + 10)
# seconds. Valid values are 0 to 15.
#
# 0 = roughly 17 minutes
# 15 = about 1 year
max_time_n=0
# Class-B configuration.
[regions.network.class_b]
# Ping-slot data-rate.
ping_slot_dr=3
# Ping-slot frequency (Hz)
#
# set this to 0 to use the default frequency plan for the configured region
# (which could be frequency hopping).
ping_slot_frequency=0
# Below is the common set of extra channels. Please make sure that these
# channels are also supported by the gateways.
[[regions.network.extra_channels]]
frequency=867100000
min_dr=0
max_dr=5
[[regions.network.extra_channels]]
frequency=867300000
min_dr=0
max_dr=5
[[regions.network.extra_channels]]
frequency=867500000
min_dr=0
max_dr=5
[[regions.network.extra_channels]]
frequency=867700000
min_dr=0
max_dr=5
[[regions.network.extra_channels]]
frequency=867900000
min_dr=0
max_dr=5
listener 1883 0.0.0.0
allow_anonymous true
listener 8883 0.0.0.0
cafile /mosquitto/certs/ca.pem
certfile /mosquitto/certs/mqtt-server.pem
keyfile /mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
acl_file /mosquitto/acl/acl.conf
# Logging.
[logging]
# Log level.
#
# Options are: trace, debug, info, warn error.
level="info"
# PostgreSQL configuration.
[postgresql]
# PostgreSQL DSN.
#
# Format example: postgres://<USERNAME>:<PASSWORD>@<HOSTNAME>/<DATABASE>?sslmode=<SSLMODE>.
#
# SSL mode options:
# * disable - no SSL
# * require - Always SSL (skip verification)
# * verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
# * verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
dsn="postgres://chirpstack:chirpstack@$POSTGRESQL_HOST/chirpstack?sslmode=disable"
# Max open connections.
#
# This sets the max. number of open connections that are allowed in the
# PostgreSQL connection pool.
max_open_connections=10
# Min idle connections.
#
# This sets the min. number of idle connections in the PostgreSQL connection
# pool (0 = equal to max_open_connections).
min_idle_connections=0
# Redis configuration.
[redis]
# Server address or addresses.
#
# Set multiple addresses when connecting to a cluster.
servers=[
"redis://$REDIS_HOST/",
]
# TLS enabled.
tls_enabled=false
# Redis Cluster.
#
# Set this to true when the provided URLs are pointing to a Redis Cluster
# instance.
cluster=false
# Network related configuration.
[network]
# Network identifier (NetID, 3 bytes) encoded as HEX (e.g. 010203).
net_id="000000"
# Enabled regions.
#
# Multiple regions can be enabled simultaneously. Each region must match
# the 'name' parameter of the region configuration in '[[regions]]'.
enabled_regions=[
"eu868",
]
# API interface configuration.
[api]
# interface:port to bind the API interface to.
bind="0.0.0.0:8080"
# Secret.
#
# This secret is used for generating login and API tokens, make sure this
# is never exposed. Changing this secret will invalidate all login and API
# tokens. The following command can be used to generate a random secret:
# openssl rand -base64 32
secret="cordys"
[integration]
enabled=["mqtt"]
[integration.mqtt]
server="tcp://$MQTT_BROKER_HOST:1883/"
json=true
[gateway]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"
[integration.mqtt.client]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"
So I’m still a little confused. You say you are struggling with just the external MQTT integration but the logs seem to show much greater issues (neither gateway bridge nor chirpstack itself connects to your MQTT broker).
Also for “I will only be using the UDP for gateway bridge so need for mqtt here(maybe on a later stage)” perhaps you are confused on the connection of gateways to Chirpstack? If you plan on using UDP packet forwarder on your gateway it still must communicate to a gateway bridge which then communicates to the MQTT broker using MQTT, which is where Chirpstack receives the messages.
So Gateway (UDP) → gateway bridge (MQTT) → MQTT Broker (MQTT) → Chirpstack, and looking at the logs you showed neither gateway bridge (udp or basicstation) nor Chirpstack connects to the MQTT broker.
Unless I am misunderstanding something this would mean you are receiving no data from your sensors or information from your gateways. Essentially nothing should even work in Chirpstack, let alone using an integration to forward data out. Is this not the issue that should be resolved first?
So I tested our non production environment that is using 1883 and this is working 100% receiving data from our water meters. But to use the mqtt integration to my 3rd party broker you need to setup tls if im not misunderstanding.
If you could use please assist me in this regard because I’m getting so confused at the moment.
Sorry to bother you with this
If you maybe have a docker environment running maybe if possible to share it with me i thing i might catch up quickly
No worries, I’m just trying to clarify so I know what you’re trying to do. I think you are confusing a few different guides on the Chirpstack documentation, there is a guide Mosquitto TLS configuration - ChirpStack open-source LoRaWAN® Network Server documentation that I believe you have done. The goal of that is not to set up the third party integration but to secure traffic from the gateway bridge to the MQTT broker. If all you are trying to do is to forward the events to another broker then this section in your chirpstack.toml is all you are worried about:
[integration]
enabled=["mqtt"]
[integration.mqtt]
server="tcp://$MQTT_BROKER_HOST:1883/"
json=true
Change the server to the location of your third part MQTT broker and chirpstack will immediately start publishing the MQTT events there.
If you look at the full configuration file: Configuration - ChirpStack open-source LoRaWAN® Network Server documentation
You can see that in that section integration.mqtt there are also options for self-signed certificates (but they are optional, you can use TLS or not, although whatever you set up here must be supported in your 3rd part MQTT brokers configuration)
So i have dns server, my ttn server is pointing to this dns server of courses, certificates have been generated for the dns records i created. So my question is where do I specify the certificates?
And for example you said saying it shoud be something like this:
integration.mqtt]
server=“tcp://test.local:8883/”(the port shoud be changed i assume)
json=true
So to summarize, please correct me if I’m wrong, you have so far done some steps for securing other parts of the system (gateway bridge → MQTT broker, chirpstack → MQTT broker, which are not very important as they are on the same machine/network), and you wish to leave these unencrypted for now. All you wish to achieve is to forward the events to your external (already set up) MQTT broker with TLS?
If all of that is true, what I recommend is just go back to your working version. Then in your chirpstack.toml add the following
[integration]
enabled=[“mqtt”][integration.mqtt]
server=“ssl://$MQTT_BROKER_HOST:8883/”
json=true# CA certificate file (optional) # # Use this when setting up a secure connection (when server uses ssl://...) # but the certificate used by the server is not trusted by any CA certificate # on the server (e.g. when self generated). ca_cert="/path/to/cert" # TLS certificate file (optional) tls_cert="/path/to/cert" # TLS key file (optional) tls_key="/path/to/cert"
Because my non-production is using the same config you showed me but as soon as i click on the integration tab en choose mqtt is tells me this is not possible without a cerficate.
The normal http integration works like a charm due to the fact the http integration does not need a certificate it seems
Ah I see, the MQTT integration button inside the web UI simply signs a self signed certificate allowing a gateway bridge to connect to it, if you have already set up TLS for the MQTT broker.
This makes more sense now i see, the location of the certificates are the actual location n the server I assume?
Thanks for guiding me to the correct direction