Gateway TLS Cert - Chirpstack 4 Docker Installation

Good day - I’ve searched through the forums and cannot find the answers I am looking for.

I’m looking to create the TLS certificate to use with my gateway. This is a ChirpStack 4 Docker installation. Communication with the gateway works fine.

I used chirpstack-certificates to generate the CA certs and added them to the configuration file under [gateway] per the documentation:

```toml
[gateway]

  # CA certificate and key file (optional).
  #
  # If setting the CA certificate and key file options, ChirpStack
  # will generate client certificates which can be used by the gateway for
  # authentication and authorization. The Common Name of the certificate will
  # be set to the Gateway ID.
  ca_key="/etc/chirpstack/ca-key.pem"
  ca_cert="/etc/chirpstack/ca.pem"

  # Certificate lifetime.
  #
  # This defines how long (after generating) the certificate remains valid.
  client_cert_lifetime="11months 30days 3h 50m 24s"

  # Allow unknown gateways.
  #
  # If set to true, then uplinks received from gateways not configured in
  # ChirpStack will be allowed.
  allow_unknown_gateways=false
```

In the ChirpStack web UI, under **Gateways → TLS Certificate** I generated the CA certificate, the TLS certificate and the TLS key.

The instructions read:

The gateway client-certificate can be used to connect the gateway in case a client-certificate is required for authentication. Please note that this feature might not be available in case it has not been configured in the server configuration. After the certificate has been generated, store the content of the files on your gateway. **Please note the expiration of the certificate and make sure to renew the certificate on time!**

I’m using a Tektelic micro gateway - which files get applied to the gateway and where on the file system should they reside?

Thanks and regards,
Peter

Hi :wave:,
If you are using gateway bridge or MQTT packet forwarder, you can enter the path of those files in the toml file. Home folder of the main user under a “certs” subfolder is a valid choice (among others).
Hope this helps.

Hi Jerome,

Thanks for responding. That is exactly what I did to have ChirpStack generate the CA certificate, the TLS certificate and the TLS key. Now that I have these files generated by ChirpStack, I’m looking to finish the instructions:

After the certificate has been generated, store the content of the files on your gateway.

The question is, of the files generated, which ones are copied to the gateway’s file system and where in the gateway’s file system are the files put?

Hi!
I was talking about the toml file and path on the gateway itself.
See: Configuration - ChirpStack open-source LoRaWAN® Network Server documentation

Thanks Jerome - I’ll check that out!

After creating the certificate file I added the following to the chirpstack gateway bridge .toml file:

```toml
ca_cert="/etc/certs/CA-certificate"
# TLS certificate file (optional)
tls_cert="/etc/certs/TLS-certificate"
# TLS key file (optional)
tls_key="/etc/certs/TLS-key"
```

I copied those files to the corresponding directory on the gateway. I then rebooted the gateway and the gateway bridge container. Everything seems to work. Do you recommend a way to verify that it is working correctly?

Regards,

Peter

Hi @bosavage,
If the gateway connects correctly, you should see it in the MQTT logs on the server side.
Cheers
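
A local check of the three files can complement the MQTT log check discussed above. This is an added example, not code from the thread or from ChirpStack: the function name `check_gateway_cert` is hypothetical, the Gateway ID and certificates are constructed on the fly, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Usage: check_gateway_cert CA CERT KEY GATEWAY_ID [MIN_DAYS]
# Returns 0 if all checks pass, otherwise the number of the failed check.
check_gateway_cert() {
    ca=$1; cert=$2; key=$3; gw_id=$4; min_days=${5:-30}

    # 1. The client certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: certificate is not signed by this CA"; return 1; }

    # 2. ChirpStack sets the Common Name to the Gateway ID.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$gw_id" ] ||
        { echo "FAIL: CN '$cn' is not gateway ID '$gw_id'"; return 2; }

    # 3. The private key must belong to the certificate (same public key).
    [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: key does not match certificate"; return 3; }

    # 4. The certificate must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; return 4; }

    echo "OK: CN=$cn, valid for more than $min_days days"
}

# Constructed demo material: a throwaway CA and a gateway certificate for the
# made-up Gateway ID 0102030405060708, valid for 10 days.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-ca" \
    -keyout "$demo/ca-key.pem" -out "$demo/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=0102030405060708" \
    -keyout "$demo/gw-key.pem" -out "$demo/gw.csr" 2>/dev/null
openssl x509 -req -in "$demo/gw.csr" -CA "$demo/ca.pem" -CAkey "$demo/ca-key.pem" \
    -CAcreateserial -days 10 -out "$demo/gw.pem" 2>/dev/null

check_gateway_cert "$demo/ca.pem" "$demo/gw.pem" "$demo/gw-key.pem" 0102030405060708 5
```

On the gateway itself, the arguments would be the three paths from the bridge configuration above (`/etc/certs/CA-certificate`, `/etc/certs/TLS-certificate`, `/etc/certs/TLS-key`) and the gateway's own ID.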
