How to configure TLS in gateway bridge => network-server

Hi,

I just managed to configure communication between the network server, the APP server and the join server thanks to the script in lora-server-certification, and now I also want to configure encrypted communication between the network server and lora-gateway-bridge.

I suppose I should use the same script to generate all the certificates and keys (client and server side) and put them in “loraserver.toml” and “lora-gateway-bridge.toml”.
But I'm not really sure how to proceed. How can I generate everything needed for lora-gateway-bridge without modifying all the other components by executing “make”?
Can you help me with every step to do this? Thanks guys!

Jawad

The gateway bridge and loraserver communicate through MQTT, so you need to secure mosquitto (or whatever other broker you are using) by using TLS. As an example, here's a tutorial from a quick search on how to secure mosquitto with a self-signed certificate: http://www.steves-internet-guide.com/mosquitto-tls/. In this case, be sure to provide the ca_cert, tls_cert and tls_key parameters in the bridge's and loraserver's configurations.

Thanks @iegomez, I understand the logic!

But what is the usefulness of this file:

I was thinking I just need to put:

  • the files from the server directory in "lora-gateway-bridge.toml"
  • the files from the client directory in "loraserver.toml"

And if I secure the MQTT broker as explained in the tutorial http://www.steves-internet-guide.com/mosquitto-tls/, do I have to secure all the elements that use mosquitto? Because I have a PHP web application that controls class C end devices.
My app publishes a topic concerning the end device, and the "lora-app-server" subscribes; I imagine I will also have to secure this part, because it uses MQTT?

Jawad

You are looking at files for the basic station which is included in the test 3.0.0 version (see https://forum.loraserver.io/t/announcement-lora-gateway-bridge-v3-0-0-test-release/4296/10).

And no, it's not necessary (though preferable) that every client connects over TLS to mosquitto; you may have it serve different protocols on different ports. For example, this would allow local TCP connections on port 1883, a secure TLS connection on port 8883 and a secure websocket connection through 8083:

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

OK, I understood perfectly, thanks for the clarification. I will test this and I'll let you know :slight_smile:

Hi @iegomez,

After configuring all the certificates and keys for the broker and the clients (network server & gateway bridge),

I ran a test to check if it's working:

 mosquitto_pub -p 8883 --cafile ../ca/ca.crt --cert client.crt --key client.key -h localhost -m hello -t /world

Result => mosquitto log:

Then I tested the lora-network-server and lora-gateway-bridge.

Loraserver.toml :

   # MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
   #server="tcp://localhost:1883"
   server="ssl://localhost:8883"
   #server="tcp://172.16.105.158:1883"
   #server="ssl://172.16.105.158:8883"

   # on the server (e.g. when self generated).
   ca_cert="/etc/mosquitto/certs/ca/ca.crt"

   # TLS certificate file (optional)
   tls_cert="/etc/mosquitto/certs/client/client.crt"

   # TLS key file (optional)
   tls_key="/etc/mosquitto/certs/client/client.key"

Lora-gateway-bridge.toml :

    # MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
    #server="tcp://localhost:1883"
    server="ssl://localhost:8883"
    #server="tcp://172.16.105.158:1883"
    #server="ssl://172.16.105.158:8883"

    # on the server (e.g. when self generated).
    ca_cert="/etc/mosquitto/certs/ca/ca.crt"

    # TLS certificate file (optional)
    tls_cert="/etc/mosquitto/certs/client/client.crt"

    # TLS key file (optional)
    tls_key="/etc/mosquitto/certs/client/client.key"

Then I restarted loraserver and the gateway-bridge, and everything is working fine! For those who want more details, I will reply :wink:
It's a shame that we can't secure the communication between the gateway bridge and the packet forwarder (UDP link), but that's another topic hahaha
Thanks again

Hi, I have a problem. I'm sure you can help me.
So the first thing I did was to generate the ca.crt, server.crt and server.key certificates, where during the classic configuration I entered as COMMON NAME the IP address on which the MQTT broker runs (172.24.157.28).
I did all the classic configuration on mosquitto and it works (I tried to communicate from Windows using the MQTT.fx software).

Now I would like the chirpstack-gateway-bridge to communicate correctly with the MQTT broker, but I have problems. First, the chirpstack-gateway-bridge runs on the same machine as the mosquitto broker (172.24.157.28). When I generate the client key for the chirpstack-gateway-bridge, I enter 127.24.157.28 as the CN. Is that right?

Then in the configuration file chirpstack-gateway-bridge.toml, I write the following fields:
[integration.mqtt.auth.generic]
server="ssl://172.24.157.28:8883"
ca_cert="path…/ca.pem"
tls_cert="path…/client.pem"
tls_key="path…/key.pem"

Is it correct?
The problem is that although I manage to start the chirpstack-gateway-bridge, I have problems with the certificate. From mosquitto I get the error “OpenSSL Error: error: 14094412: SSL routines: ssl3_read_bytes: sslv3 alert bad certificate”.
Also from systemctl status chirpstack-gateway-bridge I get this error: “integration / mqtt: connection error” error = “network Error: dialup tcp 172.24.157.28:8883: connect: connection refused”
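To make the certificate side of this thread concrete (the ca_cert / tls_cert / tls_key settings shown for loraserver and the gateway bridge above, and the question just above about what goes into the broker certificate when the clients dial an IP address), here is an added example script. It is not from the thread, from ChirpStack or from mosquitto; it only assumes an `openssl` binary (1.1.1 or newer) is installed. It builds a private CA, a broker certificate that carries the dialed IP in its subjectAltName (TLS clients, including Go programs such as the gateway bridge, match the address against the SAN rather than the CN), and a client certificate for the two daemons, then checks offline that both certificates chain to the CA. `BROKER_IP` and `OUT` are constructed defaults you can override from the environment.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, a broker certificate
# whose subjectAltName carries the IP that loraserver / the gateway bridge dial,
# and a client certificate for those daemons, then verify the chain offline.
# Assumes an `openssl` binary (1.1.1+). BROKER_IP and OUT are constructed defaults.
set -eu

BROKER_IP="${BROKER_IP:-172.24.157.28}"
OUT="${OUT:-./mqtt-certs}"

gen_certs() {
  mkdir -p "$OUT/ca" "$OUT/server" "$OUT/client"

  # 1. Private CA: ca.crt becomes ca_cert on every client and cafile on the broker.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=mqtt-private-ca" \
    -keyout "$OUT/ca/ca.key" -out "$OUT/ca/ca.crt" 2>/dev/null

  # 2. Broker certificate. A client that connects to ssl://<IP>:8883 matches the
  #    IP against the subjectAltName, so the IP must be listed there.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$BROKER_IP" \
    -keyout "$OUT/server/server.key" -out "$OUT/server/server.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$BROKER_IP" \
    > "$OUT/server/ext.cnf"
  openssl x509 -req -days 825 -in "$OUT/server/server.csr" \
    -CA "$OUT/ca/ca.crt" -CAkey "$OUT/ca/ca.key" -CAcreateserial \
    -extfile "$OUT/server/ext.cnf" -out "$OUT/server/server.crt" 2>/dev/null

  # 3. Client certificate (tls_cert / tls_key for loraserver and the gateway bridge).
  #    Its CN just names the client; the broker only needs it to chain to ca.crt.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=lora-gateway-bridge" \
    -keyout "$OUT/client/client.key" -out "$OUT/client/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$OUT/client/ext.cnf"
  openssl x509 -req -days 825 -in "$OUT/client/client.csr" \
    -CA "$OUT/ca/ca.crt" -CAkey "$OUT/ca/ca.key" -CAcreateserial \
    -extfile "$OUT/client/ext.cnf" -out "$OUT/client/client.crt" 2>/dev/null
}

# Exit 0 when the given certificate chains to our CA (what broker and clients check).
chains_to_ca() {
  openssl verify -CAfile "$OUT/ca/ca.crt" "$1" >/dev/null 2>&1
}

# Exit 0 when the broker certificate lists the dialed IP as a SAN.
server_san_has_ip() {
  openssl x509 -in "$OUT/server/server.crt" -noout -text \
    | grep -q "IP Address:$BROKER_IP"
}

gen_certs
chains_to_ca "$OUT/server/server.crt"
chains_to_ca "$OUT/client/client.crt"
server_san_has_ip
echo "CA, broker and client certificates written under $OUT for $BROKER_IP"

# Smoke test against a running broker, same shape as the command used in the thread:
#   mosquitto_pub -p 8883 -h "$BROKER_IP" --cafile "$OUT/ca/ca.crt" \
#     --cert "$OUT/client/client.crt" --key "$OUT/client/client.key" -t test -m hello
```

The generated paths map directly onto the configuration shown in the thread: `ca.crt` is `ca_cert` (and the broker's `cafile`), `server.crt`/`server.key` are the broker's `certfile`/`keyfile`, and `client.crt`/`client.key` are `tls_cert`/`tls_key` for loraserver and the gateway bridge. If you later switch the `server=` URL from an IP to a hostname, reissue the broker certificate with a `DNS:` SAN for that name instead.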

Hi @jawad_didouh,
I have a problem generating and configuring MQTT certificates. Can you help me please?