Error Reading CA Certificate File in ChirpStack Setup

Hello everyone!

I’m encountering a problem when trying to start ChirpStack. The error message I receive is:

level=fatal msg="setup backend error: new backend error: read ca cert error: open /etc/chirpstack-gateway-bridge/certs/ca.pem: no such file or directory"

To deploy ChirpStack v4, I’m using Docker-compose version 1.29.2 on Ubuntu 22.04.2 LTS.

I followed the official instructions to configure ChirpStack, but I’m still facing this issue.

It seems to be similar to problems discussed in other topics on this forum:

Here are the configuration files I’m using:

  1. chirpstack.toml

  2. chirpstack-gateway-bridge.toml

  3. /etc/mosquitto/acl

  4. /etc/mosquitto/conf.d/listeners.conf

I haven’t made any changes to the docker-compose.yml file.

From what I understand, the “no such file or directory” error could be due to incorrect permissions or ownership of the certificate files. To check the permissions, I used the following command:

ls -l /etc/chirpstack-gateway-bridge/certs/ca.pem

Additionally, I attempted to view the content of the certificate with:

cat /etc/chirpstack-gateway-bridge/certs/ca.pem

If the issue is related to the ownership or permissions of my certificate files, could you please advise on the appropriate settings? Or could there be another underlying problem?

Thank you in advance for your help!

You didn’t show the Chirpstack service in the shared docker-compose.yml, but assuming you didn’t change anything, the problem is probably that the certificate folder is not mounted to your container. Here’s my chirpstack service from docker-compose.yml:

  chirpstack:
    image: chirpstack/chirpstack:4.6.0
    command: -c /etc/chirpstack
    restart: unless-stopped
    volumes:
      # Mount Configuration
      - ./configuration/chirpstack:/etc/chirpstack
      # Mount Certificates
      - ./cscerts:/etc/chirpstack/certs
      # Mount Device Profiles
      - ./lorawan-devices:/opt/lorawan-devices
    depends_on:
      - postgres
      - mosquitto
      - redis
    environment:
      - MQTT_BROKER_HOST=mosquitto
      - REDIS_HOST=redis
      - POSTGRESQL_HOST=postgres

My certificate folder ‘cscerts’ is in the same directory as the docker-compose.yml file; when the container is created, it is mounted to /etc/chirpstack/certs.

Then in my Chirpstack.toml I reference them like this:

[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true

    [integration.mqtt.client]
      client_cert_lifetime="12months"
      ca_cert="/etc/chirpstack/certs/ca.pem"
      ca_key="/etc/chirpstack/certs/ca-key.pem"

[gateway]
  client_cert_lifetime="12months"
  ca_cert="/etc/chirpstack/certs/ca.pem"
  ca_key="/etc/chirpstack/certs/ca-key.pem"

EDIT: Sorry I clearly wasn’t paying enough attention to notice that your issue was with the gateway bridge and not chirpstack itself, I have my gateway bridge installed on the gateway so I am not super familiar.

One way to verify whether this is a mounting or permissions issue is by running the docker-compose with sudo docker-compose up -d and then entering the gateway bridge container using docker exec -it <mycontainer> sh, where the container name is displayed when first running the docker-compose. You may have to edit your gateway-bridge.toml and comment out the references to the certificates for now so the container doesn’t exit.

Then check if the certificates are there under /etc/chirpstack-gateway-bridge/certs.

If they are there, it’s a permission issue; if they are not, it’s a mounting issue.


Thank you so much for your help! Your advice has helped me solve my problem!

I misunderstood how to properly configure mounting volumes in the docker-compose.yml file. Here’s what I learned:

docker-compose.yml

services:
  chirpstack:
    image: chirpstack/chirpstack:4
    command: -c /etc/chirpstack
    restart: unless-stopped
    volumes:
      - ./configuration/chirpstack:/etc/chirpstack
      - ./lorawan-devices:/opt/lorawan-devices

  • ./configuration/chirpstack refers to the path on the host.
  • /etc/chirpstack refers to the path inside the containers, indicating where the host directory will be visible within the container.

Consequently, I should have placed the certs/ca.pem file in ./configuration/chirpstack on my host, which I initially did incorrectly (the same applies to chirpstack-gateway-bridge certificates).

This experience has clarified my understanding and shown me that I need to learn more about the technology I work with)

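Added example, not part of the thread and not ChirpStack's own code: the host-path versus container-path mapping described above, combined with the earlier "mounting issue or permission issue" check, done from the host without entering the container. The function names, the sample volume entry and the uid/gid 1000 container user are assumptions for illustration.

```python
import stat
from pathlib import Path, PurePosixPath

def resolve_host_path(volumes, container_path, compose_dir):
    """Translate a path seen inside the container into the host path behind it."""
    target, best = PurePosixPath(container_path), None
    for entry in volumes:
        parts = entry.split(":")
        # Only short-syntax bind mounts ("./host:/container[:ro]") have a host side.
        if len(parts) < 2 or not parts[0].startswith(("/", "./", "../")):
            continue
        mount = PurePosixPath(parts[1])
        # Compare path components, so /etc/chirpstack does not match
        # /etc/chirpstack-gateway-bridge. The deepest mount point wins.
        if (target == mount or mount in target.parents) and (
                best is None or len(mount.parts) > len(best[1].parts)):
            best = (parts[0], mount)
    if best is None:
        return None
    return Path(compose_dir, best[0], target.relative_to(best[1])).resolve()

def diagnose(volumes, container_path, compose_dir, uid, gid):
    """Return (status, host_path) for a file the container fails to open."""
    host_path = resolve_host_path(volumes, container_path, compose_dir)
    if host_path is None:
        return "not-mounted", None
    if not host_path.is_file():
        return "missing-on-host", host_path
    st = host_path.stat()
    # Classic owner/group/other check against the uid/gid the container runs as
    # (root reads everything; directory permissions and ACLs are not checked).
    if st.st_uid == uid:
        bit = stat.S_IRUSR
    elif st.st_gid == gid:
        bit = stat.S_IRGRP
    else:
        bit = stat.S_IROTH
    readable = uid == 0 or bool(st.st_mode & bit)
    return ("ok" if readable else "permission"), host_path

if __name__ == "__main__":
    # Constructed sample: volume entry in the style of the compose file above;
    # uid/gid 1000 is an assumed container user, not taken from the thread.
    vols = ["./configuration/chirpstack-gateway-bridge:/etc/chirpstack-gateway-bridge"]
    print(diagnose(vols, "/etc/chirpstack-gateway-bridge/certs/ca.pem", ".", 1000, 1000))
```

Run it from the directory that holds docker-compose.yml, passing the `volumes:` entries of the failing service. A "not-mounted" or "missing-on-host" result corresponds to the "no such file or directory" error in the first post.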

Everyone starts somewhere man, it was probably only a month ago I was having the same mounting issues you were :laughing:

Glad I could help
