Docker With TLS MQTT (Integration)

Sigh, now I’m confused, back to square 1 lol!

I remember I was getting an error message when clicking on that option of “Get certificate”.

I know it is a lot to ask, but can you please assist with my toml files, mosquitto.conf, and the docker compose file then? I am so tired of struggling with this damn thing; I have set up a few containers in my life, but for some reason my head just can’t follow on this one.

Do you understand this message: “The “Get Certificate” button only signs a certificate that allows someone to connect to the chirpstack MQTT broker if you have already set up TLS through this guide. But it is meant to generate certificates for you gateway bridges such that they can connect to Chirpstack. It does nothing to forward MQTT messages to another broker”

Of course you were getting an error because there is no TLS set up on your Chirpstack server, so it cannot sign a certificate to allow you to connect. If you have a working Chirpstack server, the ONLY thing you need to do is change that server line in the chirpstack.toml

So in other words I’m not even going to use the integration part on the GUI?

You’re telling me this part should be, for example: tcp://(remote_broker_ip):1883/

No you are not going to use the GUI, and yes that is what it should be

The GUI integrations are if you want to set up an integration only for that application, the integrations you set up under the [integrations] section in the chirpstack.toml are global for all applications. The “MQTT integration” in the GUI is especially confusing, as it is not really an integration at all, but a way to get Chirpstack to sign certificates using the CA that the mosquitto broker expects if you have set up TLS on your MQTT broker.


I think I understand: as soon as you change the broker to use TLS, every other service of course needs to be configured for TLS as well (gateway bridge, 3rd party broker, etc.).

Yup, that’s the idea. Not for the third party broker though: if you configure the Chirpstack MQTT broker to use TLS, everything that connects to that must connect to it using the certificates (gateway bridge, chirpstack). But if the third party broker is not set up to use TLS, you don’t need Chirpstack to use TLS to connect to it.

So for example you could have the Chirpstack MQTT broker set up using TLS but not have the third party broker use TLS. This would be done by following the guide; this would require setting up the mosquitto ACL and listeners, and configuring Chirpstack and the gateway bridge to connect to the broker using the self-signed certs, but Chirpstack could still connect to the third party broker without using TLS. You could also do the opposite: have the Chirpstack MQTT broker not using TLS (as yours is now) but, if your third party broker used TLS, you could specify the self-signed certs in the three ca_cert, server_cert, server_key lines of the mqtt.integration section in the Chirpstack.toml.

The steps to set up TLS for the chirpstack MQTT broker are in the guide I’ve linked a few times.

If you wanted Chirpstack to connect to the third party broker using TLS, you would specify that in the ca_cert, server_cert, server_key lines of the mqtt.integration section in the Chirpstack.toml.

For context, in the default docker install Chirpstack is using the MQTT broker for the necessary Chirpstack events (starting with topic prefix “eu868”) and also publishing all of the integration events (starting with topic prefix “application”) to the same broker for debugging. All you need to do is change the IP it is publishing these integration events to, to your third party broker. This is done through the [integration.mqtt] section of the chirpstack.toml.


OK, so let’s say I want to later on implement TLS.

All I need to do is add those certs volume to my chirpstack container, use [integration.mqtt]
server=“ssl://$MQTT_BROKER_HOST:8883/” with TLS certificates. And then should I change the mosquitto container port to 8883:8883, and what should be changed in the mosquitto.conf file:

listener 1883
allow_anonymous true

#listener 8883 0.0.0.0
#cafile /mosquitto/certs/ca.pem
#certfile /mosquitto/certs/mqtt-server.pem
#keyfile /mosquitto/certs/mqtt-server-key.pem
#allow_anonymous false
#require_certificate true
#use_identity_as_username true

Remember the [integration.mqtt] section is only for the “integration” events. You could leave this pointed at your third party broker with tcp://broker-ip:1883 even if TLS is set up on your Chirpstack broker.

But if you wanted to implement TLS on your Chirpstack MQTT broker you need to follow the guide. But yes that includes mounting the certificates to chirpstack, but adding them to the [gateway] and [integration.mqtt.client] sections, not the [integration.mqtt] section. The [integration.mqtt.client] section is what actually allows you to click that button in the web UI, and through clicking the button in the web UI, you can get the certificates to put in your chirpstack-gateway-bridge.toml.
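The separation described in the reply above (the server URL in [integration.mqtt] decides whether the integration events travel over TLS; [gateway] and [integration.mqtt.client] hold the CA that the “Get certificate” button signs with) can be turned into a quick lint of chirpstack.toml. This is an added example for this thread, not code from the original posts or from the ChirpStack project. It assumes: ChirpStack server URL schemes of tcp/ws for plaintext and ssl/wss for TLS; the key names ca_cert, tls_cert, tls_key under [integration.mqtt] and ca_cert, ca_key under [gateway] and [integration.mqtt.client]; Python 3.11+ for tomllib (or the tomli backport). The two TOML fragments are constructed to mirror the plaintext config posted in this thread and a TLS variant of it.

```python
"""Lint the TLS-related parts of chirpstack.toml.

Added example for this forum thread; not code from the original posts or
from ChirpStack. Key names and URL schemes below are assumptions taken from
the configuration quoted in the thread.
"""
from __future__ import annotations

import os
from typing import Callable
from urllib.parse import urlparse

try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # pragma: no cover
    import tomli as tomllib             # type: ignore  # backport

TLS_SCHEMES = {"ssl", "wss"}           # assumed: TLS-carrying schemes
PLAIN_SCHEMES = {"tcp", "ws"}          # assumed: plaintext schemes
CLIENT_TLS_KEYS = ("ca_cert", "tls_cert", "tls_key")


def check_integration_mqtt(cfg: dict, exists: Callable[[str], bool]) -> list[str]:
    """Findings about the broker that receives the 'application/...' events."""
    findings = []
    mqtt = cfg.get("integration", {}).get("mqtt", {})
    server = mqtt.get("server", "")
    scheme = urlparse(server).scheme
    if scheme in TLS_SCHEMES:
        # TLS requested: every certificate path must be set and mounted.
        for key in CLIENT_TLS_KEYS:
            path = mqtt.get(key, "")
            if not path:
                findings.append(f"[integration.mqtt] server uses {scheme}:// but {key} is not set")
            elif not exists(path):
                findings.append(f"[integration.mqtt] {key}={path!r} is not present inside the container")
    elif scheme in PLAIN_SCHEMES:
        findings.append(f"[integration.mqtt] integration events leave for {server} without TLS")
        for key in CLIENT_TLS_KEYS:
            if mqtt.get(key):
                findings.append(f"[integration.mqtt] {key} is set while server is {scheme}://; was TLS intended?")
    else:
        findings.append(f"[integration.mqtt] unrecognised server URL {server!r}")
    return findings


def check_signing_ca(cfg: dict, exists: Callable[[str], bool]) -> list[str]:
    """Findings about the CA used to sign gateway / client certificates.
    Without a CA here the 'Get certificate' button has nothing to sign with."""
    findings = []
    client = cfg.get("integration", {}).get("mqtt", {}).get("client", {})
    for section, sub in (("gateway", cfg.get("gateway", {})),
                         ("integration.mqtt.client", client)):
        ca_cert, ca_key = sub.get("ca_cert", ""), sub.get("ca_key", "")
        if not ca_cert or not ca_key:
            findings.append(f"[{section}] ca_cert/ca_key not set: certificate signing is unavailable")
            continue
        for key, path in (("ca_cert", ca_cert), ("ca_key", ca_key)):
            if not exists(path):
                findings.append(f"[{section}] {key}={path!r} is not present inside the container")
    return findings


def audit(toml_text: str, exists: Callable[[str], bool] = os.path.exists) -> list[str]:
    """Parse chirpstack.toml text and return all findings (empty list = consistent)."""
    cfg = tomllib.loads(toml_text)
    return check_integration_mqtt(cfg, exists) + check_signing_ca(cfg, exists)


# Constructed sample 1: plaintext integration, no signing CA (as in the thread).
SAMPLE_PLAIN = """
[integration]
  enabled=["mqtt"]
  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true
"""

# Constructed sample 2: TLS everywhere, with hypothetical certificate paths.
SAMPLE_TLS = """
[gateway]
  ca_cert="/etc/chirpstack/certs/ca.pem"
  ca_key="/etc/chirpstack/certs/ca-key.pem"
[integration]
  enabled=["mqtt"]
  [integration.mqtt]
    server="ssl://mosquitto:8883/"
    json=true
    ca_cert="/etc/chirpstack/certs/ca.pem"
    tls_cert="/etc/chirpstack/certs/chirpstack.pem"
    tls_key="/etc/chirpstack/certs/chirpstack-key.pem"
  [integration.mqtt.client]
    ca_cert="/etc/chirpstack/certs/ca.pem"
    ca_key="/etc/chirpstack/certs/ca-key.pem"
"""

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("tls", SAMPLE_TLS)):
        print(f"== {name} ==")
        for finding in audit(text) or ["no findings"]:
            print(" ", finding)
```

Run it inside the chirpstack container (or pass a custom `exists` that knows the mounted paths) so the file-existence checks see the same filesystem ChirpStack sees; a path that exists on the host but not in the container is exactly the kind of mismatch the thread ran into.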


I followed that guide previously and that is where all my problems came into play… but Liam, I don’t want to waste your time further; you have already assisted me so much. I’m going to spin up an MQTT broker for testing now, I don’t want to push any data to our production broker for now. I will just have to trial and error with the TLS configs lol.

Thanks once again for your time and effort.

This is the guide I tried to follow: Mqtt integration and TLS - #14 by ric2498, just so that you know lol

Meh don’t worry about me, I’m just avoiding my own work :wink:

Looking all the way back now though, if I had to guess what you did wrong from the guide to set up TLS on the Chirpstack MQTT broker: in your docker-compose.yml you mount the certificates to your mosquitto container as /mosquitto/config/certs, and in your mosquitto ACL you reference them as /mosquitto/certs (no config). That might have been causing the mosquitto broker to crash, and consequently none of the other components could reach it. Regardless of whether the fix was that easy or not, I still feel it was very valuable to “start from fresh” for you to properly break down what’s what, especially because even after setting that up and clicking the MQTT integration button it would have only given you back a certificate instead of a third party broker setup page :sweat_smile:.
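The mismatch guessed at above (certs mounted into the container under one path, mosquitto.conf pointing at another) is easy to catch before the broker ever starts: resolve every path directive in mosquitto.conf through the container’s volume mounts and report the ones nothing covers. This is an added example for this thread, not code from the original posts or from the Mosquitto or ChirpStack projects. The compose volume list and mosquitto.conf below are constructed to reproduce the exact mismatch described (mount at /mosquitto/config/certs, conf referencing /mosquitto/certs); the volume specs are taken as docker-compose short syntax (`host:container[:mode]`) rather than parsed from YAML, to keep the script dependency-free.

```python
"""Cross-check mosquitto.conf path directives against docker-compose volume mounts.

Added example for this forum thread; not code from the original posts or
from Mosquitto/ChirpStack. Volume specs are assumed to be docker-compose
short syntax ("host:container[:mode]").
"""
from __future__ import annotations

import posixpath

# mosquitto.conf directives whose value is a file the broker opens at start-up.
PATH_KEYS = {"cafile", "certfile", "keyfile", "acl_file", "password_file"}


def parse_volumes(volumes: list[str]) -> dict[str, str]:
    """Map container path -> host path. Anonymous volumes (no colon) are skipped."""
    mounts: dict[str, str] = {}
    for spec in volumes:
        parts = spec.split(":")
        if len(parts) >= 2:
            host, container = parts[0], parts[1]
            mounts[container.rstrip("/") or "/"] = host
    return mounts


def referenced_paths(conf_text: str) -> list[tuple[str, str]]:
    """Return (directive, path) for every active path directive.
    Commented-out lines are skipped because mosquitto does not read them."""
    refs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key in PATH_KEYS and value.strip():
            refs.append((key, value.strip()))
    return refs


def resolve(container_path: str, mounts: dict[str, str]) -> str | None:
    """Translate a container path to the host path backing it via the longest
    matching mount prefix; None when no mount covers the path."""
    best = None
    for cpath in mounts:
        if container_path == cpath or container_path.startswith(cpath + "/"):
            if best is None or len(cpath) > len(best):
                best = cpath
    if best is None:
        return None
    rel = posixpath.relpath(container_path, best)
    return posixpath.normpath(posixpath.join(mounts[best], rel))


def check_mounts(conf_text: str, volumes: list[str]) -> list[str]:
    """One finding per path directive that no volume mount covers."""
    mounts = parse_volumes(volumes)
    findings = []
    for key, path in referenced_paths(conf_text):
        if resolve(path, mounts) is None:
            findings.append(f"{key} {path}: not under any mounted volume "
                            f"(mounts: {sorted(mounts)})")
    return findings


# Constructed sample: certs are mounted one level deeper than the conf expects.
SAMPLE_VOLUMES = [
    "./configuration/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf",
    "./configuration/mosquitto/certs:/mosquitto/config/certs",
]

SAMPLE_CONF = """\
per_listener_settings true

listener 1883 127.0.0.1
allow_anonymous true

listener 8883 0.0.0.0
cafile /mosquitto/certs/ca.pem
certfile /mosquitto/certs/mqtt-server.pem
keyfile /mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
"""

if __name__ == "__main__":
    for finding in check_mounts(SAMPLE_CONF, SAMPLE_VOLUMES) or ["no mismatches"]:
        print(finding)
```

A broker that cannot open its certfile or keyfile exits at start-up, which then shows up downstream as connection timeouts from chirpstack and the gateway bridge; checking the mapping first separates “the file is in the wrong place” from genuine network problems.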

Lol, you can say that again lol! I would have scratched my head until no hair is left…

I just spun everything up; seems like I’m getting an error now when forwarding it to my testing broker…

chirpstack-1 | 2024-04-30T20:33:29.588095Z ERROR chirpstack::integration::mqtt: MQTT error error=Timeout
chirpstack-1 | 2024-04-30T20:33:35.590088Z ERROR chirpstack::integration::mqtt: MQTT error error=Timeout

# Logging.
[logging]

  # Log level.
  #
  # Options are: trace, debug, info, warn error.
  level="info"


# PostgreSQL configuration.
[postgresql]

  # PostgreSQL DSN.
  #
  # Format example: postgres://<USERNAME>:<PASSWORD>@<HOSTNAME>/<DATABASE>?sslmode=<SSLMODE>.
  #
  # SSL mode options:
  #  * disable - no SSL
  #  * require - Always SSL (skip verification)
  #  * verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
  #  * verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
  dsn="postgres://chirpstack:chirpstack@$POSTGRESQL_HOST/chirpstack?sslmode=disable"

  # Max open connections.
  #
  # This sets the max. number of open connections that are allowed in the
  # PostgreSQL connection pool.
  max_open_connections=10

  # Min idle connections.
  #
  # This sets the min. number of idle connections in the PostgreSQL connection
  # pool (0 = equal to max_open_connections).
  min_idle_connections=0


# Redis configuration.
[redis]

  # Server address or addresses.
  #
  # Set multiple addresses when connecting to a cluster.
  servers=[
    "redis://$REDIS_HOST/",
  ]

  # TLS enabled.
  tls_enabled=false

  # Redis Cluster.
  #
  # Set this to true when the provided URLs are pointing to a Redis Cluster
  # instance.
  cluster=false


# Network related configuration.
[network]

  # Network identifier (NetID, 3 bytes) encoded as HEX (e.g. 010203).
  net_id="000000"

  # Enabled regions.
  #
  # Multiple regions can be enabled simultaneously. Each region must match
  # the 'name' parameter of the region configuration in '[[regions]]'.
  enabled_regions=[
    "eu868",
    ]


# API interface configuration.
[api]

  # interface:port to bind the API interface to.
  bind="0.0.0.0:8080"

  # Secret.
  #
  # This secret is used for generating login and API tokens, make sure this
  # is never exposed. Changing this secret will invalidate all login and API
  # tokens. The following command can be used to generate a random secret:
  #   openssl rand -base64 32
  secret="testing"


[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    server="tcp://192.168.10.14:2883/"
    json=true 

      #ca_cert="/cert/ca.pem"

      # TLS certificate file (optional)
      #tls_cert="/cert/mqtt-server.pem"

      # TLS key file (optional)
      #tls_key="/cert/mqtt-server-key.pem" 

Last bit of knowledge, assuming you wanted to set up TLS for the Chirpstack MQTT Broker, I was incorrect in saying you would need to configure Chirpstack with the self signed certs. To break down the listeners.conf file of the MQTT broker guide for you:

per_listener_settings true

listener 1883 127.0.0.1
allow_anonymous true

listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.pem
certfile /etc/mosquitto/certs/mqtt-server.pem
keyfile /etc/mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
acl_file /etc/mosquitto/acl

For the first listener:

listener 1883 127.0.0.1
allow_anonymous true

It is having the MQTT broker listen to ANY incoming message on port 1883 from the same machine. Meaning it will accept non-TLS traffic from the other components (like chirpstack or the gateway-bridge if it is on the server).

Then the second listener:

listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.pem
certfile /etc/mosquitto/certs/mqtt-server.pem
keyfile /etc/mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
acl_file /etc/mosquitto/acl

Makes it so any connections coming from outside localhost must use the self-signed certs and TLS to connect to the broker. So technically in your current setup you could have TLS on your MQTT broker without having to adjust your gateway bridge or chirpstack instance (although this does nothing because the data is going from the gateway to the gateway bridge unencrypted), but if your gateway bridge was on the gateway and not the server you would need to use the certificates.

Is it supposed to be port 2883 for your third party broker?

Yes, to avoid conflict; the port is open and working, tested.

Do you get any errors setting that integration.mqtt server back to the Chirpstack MQTT broker?

Will test quickly for you

# Logging.
[logging]

  # Log level.
  #
  # Options are: trace, debug, info, warn error.
  level="info"


# PostgreSQL configuration.
[postgresql]

  # PostgreSQL DSN.
  #
  # Format example: postgres://<USERNAME>:<PASSWORD>@<HOSTNAME>/<DATABASE>?sslmode=<SSLMODE>.
  #
  # SSL mode options:
  #  * disable - no SSL
  #  * require - Always SSL (skip verification)
  #  * verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
  #  * verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
  dsn="postgres://chirpstack:chirpstack@$POSTGRESQL_HOST/chirpstack?sslmode=disable"

  # Max open connections.
  #
  # This sets the max. number of open connections that are allowed in the
  # PostgreSQL connection pool.
  max_open_connections=10

  # Min idle connections.
  #
  # This sets the min. number of idle connections in the PostgreSQL connection
  # pool (0 = equal to max_open_connections).
  min_idle_connections=0


# Redis configuration.
[redis]

  # Server address or addresses.
  #
  # Set multiple addresses when connecting to a cluster.
  servers=[
    "redis://$REDIS_HOST/",
  ]

  # TLS enabled.
  tls_enabled=false

  # Redis Cluster.
  #
  # Set this to true when the provided URLs are pointing to a Redis Cluster
  # instance.
  cluster=false


# Network related configuration.
[network]

  # Network identifier (NetID, 3 bytes) encoded as HEX (e.g. 010203).
  net_id="000000"

  # Enabled regions.
  #
  # Multiple regions can be enabled simultaneously. Each region must match
  # the 'name' parameter of the region configuration in '[[regions]]'.
  enabled_regions=[
    "eu868",
    ]


# API interface configuration.
[api]

  # interface:port to bind the API interface to.
  bind="0.0.0.0:8080"

  # Secret.
  #
  # This secret is used for generating login and API tokens, make sure this
  # is never exposed. Changing this secret will invalidate all login and API
  # tokens. The following command can be used to generate a random secret:
  #   openssl rand -base64 32
  secret="cordys"


[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true 

      #ca_cert="/cert/ca.pem"

      # TLS certificate file (optional)
      #tls_cert="/cert/mqtt-server.pem"

      # TLS key file (optional)
      #tls_key="/cert/mqtt-server-key.pem" 

Yep, working.

Then it has to be a networking / firewall issue. That would make sense with a timeout error as well.