Installing Chirpstack Server with different server for Network Server and Application Server and securing with TLS

Hello everyone,

I want to install a Chirpstack instance where I use a dedicated Application Server and a dedicated Network Server while securing the whole communication with TLS (for the TLS part I was following this guide: https://github.com/brocaar/chirpstack-certificates ). The installation itself went well; the problem arises when I try to register the network server in my application server (using the WebUI). When I try to register the network server I get the following error message:

context deadline exceeded (code: 2)

When checking in the log I see a more meaningful error message:

transport: Error while dialing dial tcp NS-IP:443: connect: connection refused".
INFO[0792] creating network-server client                server=NS-Server
WARN[0792] grpc: addrConn.createTransport failed to connect to {NS-IP:443  <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp NS-IP:443: connect: connection refused". Reconnecting...
ERRO[0793] finished unary call with code Unknown         ctx_id=8fe7d907-5695-4443-8074-ed74ea94c7d3 error="rpc error: code = Unknown desc = context deadline exceeded" grpc.code=Unknown grpc.method=Create grpc.service=api.NetworkServerService grpc.start_time="2021-09-28T09:48:57+02:00" grpc.time_ms=519.036 peer.address="127.0.0.1:47938" span.kind=server system=grpc

In the image below I try to add the network server to the application server:

In the part mentioning Certificates for ChirpStack Application Server to ChirpStack Network Server connection I put:

  • CA certificate content of certs/ca/ca.pem
  • TLS certificate content of certs/chirpstack-network-server/api/client/chirpstack-network-server-api-client.pem
  • TLS key content of certs/chirpstack-network-server/api/client/chirpstack-network-server-api-client-key.pem

While in the part mentioning Certificates for ChirpStack Network Server to ChirpStack Application Server connection I put:

  • CA certificate content of certs/ca/ca.pem
  • TLS certificate content of certs/chirpstack-application-server/api/client/chirpstack-application-server-api-client.pem
  • TLS key content of certs/chirpstack-application-server/api/client/chirpstack-application-server-api-client-key.pem

Also, the rules of my firewall seem OK (below is an output from the network server):

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports: 7001/udp 4241/tcp 8000/tcp 8000/udp 443/tcp 443/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

However, if I try to open a telnet connection to my network server on port 443, I also get a connection refused. Any ideas?

So for me it looks like the application server tries to connect to the network server on port 443, but this does not work since nothing seems to run on port 443.

I tried to turn off the whole certification mechanism, but the issue remains the same.

Sounds like the components of ChirpStack are not configured correctly. Check your configuration against THESE instructions and see which step returns unexpected/wrong results.

I did what he recommended verbatim (except I’m on US915 and some of my sensors require the ChirpStack network server to have 500kHz channels enabled - section 5.2.3 HERE ) and it worked the first time!

Thanks for your reply. I managed to solve the issue by simply adding the port for the server that I want to add. Unfortunately, now I’m facing a different issue. I get an error message saying:

WARN[4738] grpc: addrConn.createTransport failed to connect to {SERVER:8000 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake". Reconnecting...
ERRO[4739] finished unary call with code Unknown ctx_id=da7e13b0-02cc-4ae9-bfab-699f42be0013 error="rpc error: code = Unknown desc = context deadline exceeded" grpc.code=Unknown grpc.method=Create grpc.service=api.NetworkServerService grpc.start_time="2021-09-28T17:12:42+02:00" grpc.time_ms=516.596 peer.address="127.0.0.1:48746" span.kind=server system=grpc

Searching for your error yielded two hits - does this help?

Hi @fmgst ,

Thanks for your answer. Before posting the issue I did some research myself. During this search I also found the links that you suggested. Unfortunately, they do not help. The issue remains the same.

So when trying to add a network server (installed on a different server) secured with TLS I get this error and warning message:

WARN[0005] grpc: addrConn.createTransport failed to connect to {IP:8000  <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake". Reconnecting...
ERRO[0006] finished unary call with code Unknown         ctx_id=334e27e7-a086-4426-bdc5-2ff9eef35f04 error="rpc error: code = Unknown desc = context deadline exceeded" grpc.code=Unknown grpc.method=Create grpc.service=api.NetworkServerService grpc.start_time="2021-09-29T11:45:25+02:00" grpc.time_ms=533.205 peer.address="127.0.0.1:50104" span.kind=server system=grpc

Any ideas?
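
Added example, not part of any post in this thread: Go's crypto/tls reports "first record does not look like a TLS handshake" through tls.RecordHeaderError, which keeps the five bytes the peer actually sent, so a short probe can separate the two failures above: a port with no listener (connection refused) and a listener answering in plaintext (for a gRPC API, typically one started without its TLS certificate settings). The function names are chosen for this example and the HTTP/2 check is a heuristic.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// classifyHeader guesses what the peer sent instead of a TLS record header.
func classifyHeader(h [5]byte) string {
	// Heuristic (assumption of this example): an HTTP/2 frame header is a
	// 24-bit length followed by the frame type, and type 4 is SETTINGS.
	if h[0] == 0 && h[3] == 0x04 {
		return "plaintext HTTP/2 SETTINGS frame (gRPC listener without TLS)"
	}
	return "unrecognised plaintext protocol"
}

// diagnose maps a dial or handshake error onto the failure modes in the thread.
func diagnose(err error) string {
	var rhe tls.RecordHeaderError
	switch {
	case err == nil:
		return "TLS handshake completed"
	case errors.Is(err, syscall.ECONNREFUSED):
		return "connection refused: nothing is listening on that port"
	case errors.As(err, &rhe):
		return "listener is not speaking TLS: " + classifyHeader(rhe.RecordHeader)
	}
	return "other failure (TLS may still be in use, e.g. certificate rejected): " + err.Error()
}

// probe attempts a TLS handshake with addr ("host:port") and explains the result.
func probe(addr string) string {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{MinVersion: tls.VersionTLS12})
	if err == nil {
		conn.Close()
	}
	return diagnose(err)
}

func main() {
	if len(os.Args) == 2 {
		fmt.Println(probe(os.Args[1]))
	}
}
```

Run it with the host:port that the application server dials. A certificate signed by a private CA ends up in the last case, which still shows that the port speaks TLS.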

What OS are you under? How is it being installed, Docker?

Other ideas:
LINK
LINK