Docker With TLS MQTT(Integration)

That guide is a little confusing, but it isn’t the same as the HTTP integration, for instance. To do what you are trying to achieve you only need to add the parts to the chirpstack.toml I outlined above.

And no, the location that you put in your chirpstack.toml is not where they are on the server, but rather where you mount them in your docker-compose.yml file. For example:

  chirpstack-gateway-bridge-basicstation:
    image: chirpstack/chirpstack-gateway-bridge:4
    restart: unless-stopped
    command: -c /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge-basicstation-us915_1.toml
    volumes:
      - ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
      - ./certs:/certs

Mounting volumes on containers is path-on-server:path-on-container.

So I have a file of certificates for my chirpstack gateway bridge that, on my server, is in a certs directory in the same folder as the docker-compose.yml file (so I reference that by ./certs); then I mount that to a directory with just the path /certs in my container. So in my chirpstack-gateway-bridge.toml I would reference those certs using ca_file=/certs/ca.crt

So all you would need to do from your working version is:

  1. Add a directory with the certificates to your server.
  2. Mount that directory to your chirpstack container.
  3. Change the integration.mqtt section in your chirpstack.toml file to have the correct server information, and add the lines for ca_cert, tls_cert, tls_key.

Then as long as your third party MQTT broker has the listeners set up correctly for these certificates everything will work.

Currently though, as you have dabbled in a few different guides and have set up the main Chirpstack MQTT broker to use TLS, your gateway bridges and chirpstack itself cannot connect to the MQTT broker, so nothing on your server will function.

OK, let me recreate the docker-compose file. And if possible, could you just review it?

And for this part, is it correct? Should I remove the ACL part?

listener 1883 0.0.0.0
allow_anonymous true

listener 8883 0.0.0.0
cafile /mosquitto/certs/ca.pem
certfile /mosquitto/certs/mqtt-server.pem
keyfile /mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
acl_file /mosquitto/acl/acl.conf

The ACL section is only if you wish to add TLS to the main MQTT broker, such that the gateway bridges / chirpstack must connect over TLS.

And remove all volumes on the mosquitto container regarding certificates?

Yes, the only necessary section with certificates is in the chirpstack.toml.

You do currently have a third-party MQTT broker set up with proper ACL rules and listeners for those certificates, correct? If not, using no certificates for now would be easier.

No certificates are being used on the 3rd-party broker, or ACLs.

Then the only thing that is necessary from a working version is to change the server location in the integration.mqtt section of chirpstack.toml to your third-party broker; no need for self-signed certs.

version: "3"

services:
  chirpstack:
    image: chirpstack/chirpstack:4
    command: -c /etc/chirpstack
    restart: unless-stopped
    volumes:
      - ./configuration/chirpstack:/etc/chirpstack
      - ./lorawan-devices:/opt/lorawan-devices
      - ./certs:/certs
    depends_on:
      - postgres
      - mosquitto
      - redis
    environment:
      - MQTT_BROKER_HOST=mosquitto
      - REDIS_HOST=redis
      - POSTGRESQL_HOST=postgres
    ports:
      - 8080:8080

  chirpstack-gateway-bridge:
    image: chirpstack/chirpstack-gateway-bridge:4
    restart: unless-stopped
    ports:
      - 1700:1700/udp
    volumes:
      - ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
    environment:
      - INTEGRATION__MQTT__EVENT_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/event/{{ .EventType }}
      - INTEGRATION__MQTT__STATE_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/state/{{ .StateType }}
      - INTEGRATION__MQTT__COMMAND_TOPIC_TEMPLATE=eu868/gateway/{{ .GatewayID }}/command/#
    depends_on:
      - mosquitto
  chirpstack-gateway-bridge-basicstation:
    image: chirpstack/chirpstack-gateway-bridge:4
    restart: unless-stopped
    command: -c /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge-basicstation-eu868.toml
    ports:
      - 3001:3001
    volumes:
      - ./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge
    depends_on:
      - mosquitto

  chirpstack-rest-api:
    image: chirpstack/chirpstack-rest-api:4
    restart: unless-stopped
    command: --server chirpstack:8080 --bind 0.0.0.0:8090 --insecure
    ports:
      - 8090:8090
    depends_on:
      - chirpstack

  postgres:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - ./configuration/postgresql/initdb:/docker-entrypoint-initdb.d
      - postgresqldata:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=root

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command: redis-server --save 300 1 --save 60 100 --appendonly no
    volumes:
      - redisdata:/data

  mosquitto:
    image: eclipse-mosquitto:2
    restart: unless-stopped
    ports:
      - 1883:1883
    volumes:
      - ./configuration/mosquitto/config/:/mosquitto/config/

volumes:
  postgresqldata:
  redisdata:

Should I still add 8883 to the ports on the mosquitto container?

No, as none of your gateways or gateway bridges will communicate with the Chirpstack MQTT broker over that. Is your third-party broker in a separate container? You also should get rid of the references to the certificates in your chirpstack.toml and chirpstack-gateway-bridge.toml if you haven’t already.

# Logging.
[logging]

  # Log level.
  #
  # Options are: trace, debug, info, warn error.
  level="info"


# PostgreSQL configuration.
[postgresql]

  # PostgreSQL DSN.
  #
  # Format example: postgres://<USERNAME>:<PASSWORD>@<HOSTNAME>/<DATABASE>?sslmode=<SSLMODE>.
  #
  # SSL mode options:
  #  * disable - no SSL
  #  * require - Always SSL (skip verification)
  #  * verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
  #  * verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
  dsn="postgres://chirpstack:chirpstack@$POSTGRESQL_HOST/chirpstack?sslmode=disable"

  # Max open connections.
  #
  # This sets the max. number of open connections that are allowed in the
  # PostgreSQL connection pool.
  max_open_connections=10

  # Min idle connections.
  #
  # This sets the min. number of idle connections in the PostgreSQL connection
  # pool (0 = equal to max_open_connections).
  min_idle_connections=0


# Redis configuration.
[redis]

  # Server address or addresses.
  #
  # Set multiple addresses when connecting to a cluster.
  servers=[
    "redis://$REDIS_HOST/",
  ]

  # TLS enabled.
  tls_enabled=false

  # Redis Cluster.
  #
  # Set this to true when the provided URLs are pointing to a Redis Cluster
  # instance.
  cluster=false


# Network related configuration.
[network]

  # Network identifier (NetID, 3 bytes) encoded as HEX (e.g. 010203).
  net_id="000000"

  # Enabled regions.
  #
  # Multiple regions can be enabled simultaneously. Each region must match
  # the 'name' parameter of the region configuration in '[[regions]]'.
  enabled_regions=[
    "eu868",
  ]


# API interface configuration.
[api]

  # interface:port to bind the API interface to.
  bind="0.0.0.0:8080"

  # Secret.
  #
  # This secret is used for generating login and API tokens, make sure this
  # is never exposed. Changing this secret will invalidate all login and API
  # tokens. The following command can be used to generate a random secret:
  #   openssl rand -base64 32
  secret="test"


[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    # Server must use straight quotes; curly quotes are not valid TOML.
    server="ssl://$MQTT_BROKER_HOST:8883/"
    json=true

    # CA certificate file (optional)
    ca_cert="/cert/ca.pem"

    # TLS certificate file (optional)
    tls_cert="/cert/mqtt-server.pem"

    # TLS key file (optional)
    tls_key="/cert/mqtt-server-key.pem"

OK, kept the port on the mosquitto container only as 1883:1883.

Does the chirpstack.toml look fine?

Those look okay to me, although if your third-party broker is not set up to handle the self-signed certs, the lines ca_cert, tls_cert, tls_key will make Chirpstack try to connect to the third-party broker using TLS, which will fail. You can remove those lines and set the server back to tcp://host-ip:1883 as long as you don’t need TLS.
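As an added example (not from this thread or the ChirpStack project), a small Python check that cross-references the [integration.mqtt] keys against the chirpstack service's volume list: it maps each TLS file path back through the path-on-server:path-on-container mounts and reports any that fall outside every mount, and flags a tcp:// server with TLS files still set (or ssl:// with none). The sample strings are constructed and mirror the chirpstack.toml above, which refers to /cert/ while the compose file mounts ./certs:/certs.

```python
import re

# Constructed sample: the 'chirpstack' service's volume list, as in the compose file above.
COMPOSE_VOLUMES = """
      - ./configuration/chirpstack:/etc/chirpstack
      - ./certs:/certs
"""

# Constructed sample [integration.mqtt] fragment; note it refers to /cert/ while the mount is /certs.
MQTT_SECTION = """
    server="ssl://$MQTT_BROKER_HOST:8883/"
    ca_cert="/cert/ca.pem"
    tls_cert="/cert/mqtt-server.pem"
    tls_key="/cert/mqtt-server-key.pem"
"""

def parse_mounts(volumes_text):
    """Return (host_path, container_path) pairs from '- host:container[:mode]' lines."""
    pairs = re.findall(r"^\s*-\s*([^:\s]+):([^:\s]+)", volumes_text, re.M)
    return [(host, cont.rstrip("/") or "/") for host, cont in pairs]

def parse_mqtt_section(section_text):
    """Pick out the keys ChirpStack uses to decide whether and how to use TLS."""
    keys = re.findall(r'^\s*(server|ca_cert|tls_cert|tls_key)\s*=\s*"([^"]*)"', section_text, re.M)
    return dict(keys)

def resolve_host_path(container_path, mounts):
    """Map a container path to its host path via the longest matching mount, else None."""
    best = None
    for host, cont in mounts:
        if container_path == cont or container_path.startswith(cont + "/"):
            if best is None or len(cont) > len(best[1]):
                best = (host, cont)
    return None if best is None else best[0] + container_path[len(best[1]):]

def check_mqtt_tls(section_text, volumes_text):
    """Return a list of findings; an empty list means the section and mounts agree."""
    cfg = parse_mqtt_section(section_text)
    mounts = parse_mounts(volumes_text)
    findings = []
    tls_keys = [k for k in ("ca_cert", "tls_cert", "tls_key") if k in cfg]
    server = cfg.get("server", "")
    if server.startswith("ssl://") and not tls_keys:
        findings.append("server uses ssl:// but no ca_cert/tls_cert/tls_key is set")
    if server.startswith("tcp://") and tls_keys:
        findings.append("server uses tcp:// but TLS files are set; drop them if TLS is not wanted")
    for key in tls_keys:
        if resolve_host_path(cfg[key], mounts) is None:
            findings.append(f"{key}={cfg[key]} is not under any mounted volume")
    return findings
```

Run check_mqtt_tls on the real [integration.mqtt] block and the chirpstack service's volumes before starting the stack; each finding names the key to fix.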

But that is then a simple, standard as-was installation? And this was giving me issues in the GUI if I click on the MQTT selection.


Okay so:

The “Get Certificate” button only signs a certificate that allows someone to connect to the chirpstack MQTT broker if you have already set up TLS through this guide. It is meant to generate certificates for your gateway bridges such that they can connect. It does nothing to forward MQTT messages to another broker.

We are using MQTTnet for our 3rd party broker.

Currently chirpstack is posting its “integration” MQTT messages to the same broker it uses for the MQTT messages it needs in order to function. All you need to do to forward the integration events to another broker is change the IP in the line server="tcp://$MQTT_BROKER_HOST:1883/". This will change where it forwards its integration events to. Since your third-party broker does not need certificates, you obviously do not need to specify them.