Hi all,
I am trying to setup chirpstack-gateway-bridge with the basicstation backend. I can’t use the semtech udp backend for verious reasons (neither local on the gw nor centrally).
I managed to get it running just fine with regular (unencrypted/unauthenticated) ws://, but as soon as I try to setup with tls encryption+authentication I get an error on the basicstation side:
[AIO:INFO] TLS server certificate verification failed: The certificate is not correctly signed by the trusted CA
I am using Amazon’s CA so I can sign my certificates using their JIT API and add them to the gateways
I’ve put the output on the certificates below, but I really don’t understand what is wrong. Are there any specific requirements regarding the certificates on either the client or the server side? I can’t use the scripts supplied by chirpstack since I want to use Amazon’s API and CA.
Cheers,
Dolf.
These are the certificates reported by basicstation for tc.trust and tc.crt:
2021-07-05 04:17:23.760 [any:INFO] ./tc.trust:
cert. version : 3
serial number : 06:6C:9F:CF:99:BF:8C:0A:39:E2:F0:78:8A:43:E6:96:36:5B:CA
issuer name : C=US, O=Amazon, CN=Amazon Root CA 1
subject name : C=US, O=Amazon, CN=Amazon Root CA 1
issued on : 2015-05-26 00:00:00
expires on : 2038-01-17 00:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign
2021-07-05 04:17:23.762 [any:INFO] ./tc.crt:
cert. version : 3
serial number : 3D:DB:C7:D4:43:A4:0B:C0:3F:C0:28:2B:13:1A:F4:20:40:15:B4:38
issuer name : OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US
subject name : C=US, ST=CA, L=San Fransisco, O=FakeMe, CN=32b321d3d8662632
issued on : 2021-07-05 00:57:53
expires on : 2049-12-31 23:59:59
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage 2021-07-05 04:17:23.762 [AIO:INFO]
The CN is also the gateway id, specified in station.conf.
And on the server side, the server cert is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f9:32:5d:fc:df:54:d6:3a:85:f8:d4:ab:c9:b5:38:3d:36:ca:15:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU = Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US
Validity
Not Before: Jul 5 03:48:22 2021 GMT
Not After : Dec 31 23:59:59 2049 GMT
Subject: C = US, ST = California, L = San Fransisco, O = FakeMe, CN = cs.gw.bridge.ip
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:eb:48:79:36:0f:f4:31:d0:a6:15:50:57:5d:02:
7e:bb:62:a9:e4:f0:78:ca:f9:d9:97:e1:05:d1:b9:
70:7b:ab:48:8a:3f:a8:8f:74:11:61:b3:f5:c8:a0:
12:15:b2:b4:bd:2a:a4:90:34:4e:d4:a8:b8:d2:15:
83:d0:b9:26:e5:cb:1d:18:92:c7:4a:a7:6e:81:32:
a3:17:05:40:82:87:83:36:93:7a:67:aa:ba:0b:3d:
45:c5:c3:f3:8c:7f:0e:68:95:8f:36:be:ea:45:74:
2c:ae:f1:6b:a2:d4:d0:8a:62:53:cb:1c:2c:d2:d7:
7d:6e:00:a6:c2:9c:26:f9:89:d1:30:ba:eb:dc:2d:
c4:9f:c9:0d:80:73:e8:87:51:37:27:f3:2a:c8:8d:
de:18:89:7a:17:b6:0e:0f:9f:1c:16:18:1d:35:87:
01:ad:26:d6:84:61:3e:23:50:9a:9a:be:5d:d7:b2:
ed:3a:08:07:9d:b5:3b:a6:1c:bb:58:c7:94:6b:8b:
00:79:ee:2e:e6:0b:4e:b3:8e:72:31:ee:63:df:89:
b7:ee:9d:ea:58:61:39:23:f4:ab:cb:b9:25:e7:26:
e0:34:3a:22:04:ab:a4:62:c3:ab:13:ad:ed:a2:cb:
19:b7:be:f0:d1:0e:64:70:3e:de:c9:39:21:f4:cd:
a9:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:67:F7:38:02:EA:BC:88:BD:38:12:75:92:1F:A8:E0:87:50:7A:1C:DE
X509v3 Subject Key Identifier:
75:64:A3:A2:F3:9D:90:E3:D5:BB:F3:99:97:3D:E8:4F:DE:8E:18:C4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
a3:04:25:e3:be:43:20:e9:bc:c8:bb:61:2c:a7:36:f8:f8:6d:
01:f0:10:ea:64:b2:33:99:8c:ef:7e:47:ea:73:63:c9:f6:fd:
cc:5b:c8:9b:58:1d:4d:2b:16:45:cb:f3:bd:9b:dc:9f:24:04:
25:32:ba:dc:0e:da:75:a1:e4:fa:e8:78:95:b7:05:81:33:28:
4d:c3:15:68:10:c0:d8:e9:bf:0b:ac:44:69:e1:e9:ea:24:b6:
d5:2a:d6:34:85:1a:c8:bb:e5:b0:b0:28:af:a4:f8:26:64:81:
73:8e:62:8b:5a:6d:79:9b:b7:1c:2d:30:b1:ed:a5:dc:e2:b9:
a3:fc:a3:c1:41:24:6c:14:35:3c:5a:1f:25:1b:e0:9d:1a:5d:
9c:b5:8c:e2:2f:8f:9c:c5:76:df:66:df:4b:65:2f:23:76:30:
a4:a5:75:18:cf:ca:59:07:2b:a1:5b:50:12:9f:fc:07:79:ee:
c7:c6:45:5a:d7:2a:a5:34:53:c4:e1:7f:1f:e4:d3:c9:97:23:
90:dc:83:3d:c9:eb:dd:fb:07:0b:1c:9b:f2:2f:42:d2:a4:7f:
dd:ec:d2:1f:2a:f1:c2:cf:c0:de:f9:53:e7:bc:e9:3b:fb:23:
4a:82:58:00:84:79:bd:70:c7:52:61:ad:8d:5a:54:5c:23:34:
38:fd:5f:93
and the same CA.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon Root CA 1
Validity
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
Subject: C = US, O = Amazon, CN = Amazon Root CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b2:78:80:71:ca:78:d5:e3:71:af:47:80:50:74:
7d:6e:d8:d7:88:76:f4:99:68:f7:58:21:60:f9:74:
84:01:2f:ac:02:2d:86:d3:a0:43:7a:4e:b2:a4:d0:
36:ba:01:be:8d:db:48:c8:07:17:36:4c:f4:ee:88:
23:c7:3e:eb:37:f5:b5:19:f8:49:68:b0:de:d7:b9:
76:38:1d:61:9e:a4:fe:82:36:a5:e5:4a:56:e4:45:
e1:f9:fd:b4:16:fa:74:da:9c:9b:35:39:2f:fa:b0:
20:50:06:6c:7a:d0:80:b2:a6:f9:af:ec:47:19:8f:
50:38:07:dc:a2:87:39:58:f8:ba:d5:a9:f9:48:67:
30:96:ee:94:78:5e:6f:89:a3:51:c0:30:86:66:a1:
45:66:ba:54:eb:a3:c3:91:f9:48:dc:ff:d1:e8:30:
2d:7d:2d:74:70:35:d7:88:24:f7:9e:c4:59:6e:bb:
73:87:17:f2:32:46:28:b8:43:fa:b7:1d:aa:ca:b4:
f2:9f:24:0e:2d:4b:f7:71:5c:5e:69:ff:ea:95:02:
cb:38:8a:ae:50:38:6f:db:fb:2d:62:1b:c5:c7:1e:
54:e1:77:e0:67:c8:0f:9c:87:23:d6:3f:40:20:7f:
20:80:c4:80:4c:3e:3b:24:26:8e:04:ae:6c:9a:c8:
aa:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08
Signature Algorithm: sha256WithRSAEncryption
98:f2:37:5a:41:90:a1:1a:c5:76:51:28:20:36:23:0e:ae:e6:
28:bb:aa:f8:94:ae:48:a4:30:7f:1b:fc:24:8d:4b:b4:c8:a1:
97:f6:b6:f1:7a:70:c8:53:93:cc:08:28:e3:98:25:cf:23:a4:
f9:de:21:d3:7c:85:09:ad:4e:9a:75:3a:c2:0b:6a:89:78:76:
44:47:18:65:6c:8d:41:8e:3b:7f:9a:cb:f4:b5:a7:50:d7:05:
2c:37:e8:03:4b:ad:e9:61:a0:02:6e:f5:f2:f0:c5:b2:ed:5b:
b7:dc:fa:94:5c:77:9e:13:a5:7f:52:ad:95:f2:f8:93:3b:de:
8b:5c:5b:ca:5a:52:5b:60:af:14:f7:4b:ef:a3:fb:9f:40:95:
6d:31:54:fc:42:d3:c7:46:1f:23:ad:d9:0f:48:70:9a:d9:75:
78:71:d1:72:43:34:75:6e:57:59:c2:02:5c:26:60:29:cf:23:
19:16:8e:88:43:a5:d4:e4:cb:08:fb:23:11:43:e8:43:29:72:
62:a1:a9:5d:5e:08:d4:90:ae:b8:d8:ce:14:c2:d0:55:f2:86:
f6:c4:93:43:77:66:61:c0:b9:e8:41:d7:97:78:60:03:6e:4a:
72:ae:a5:d1:7d:ba:10:9e:86:6c:1b:8a:b9:59:33:f8:eb:c4:
90:be:f1:b9