Lora-app-server CERTS in Dockerfile

After getting everything running using the docker-compose.yml file (yea!) with all of the services, I started working on security, beginning with generating my own certs for the lora-app-server. To do that, I created a little Dockerfile to pull a version of the lora-app-server and build new certs (see below). However, using this version of the container yields the following error. The only thing different in the two yml files is the version of lora-app-server.

appserver_1 | time="2017-12-07T18:06:59Z" level=info msg="grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp 127.0.0.1:8000: getsockopt: connection refused"; Reconnecting to {127.0.0.1:8000 }"

Here is the Dockerfile to build the new lora-app-server. I’m doing something stupid, but I can’t for the life of me see what it might be.

FROM debian

WORKDIR /home/root

ENV LORA_APP_SERVER 0.13.3

ADD https://github.com/brocaar/lora-app-server/releases/download/${LORA_APP_SERVER}/lora_app_server_${LORA_APP_SERVER}_linux_amd64.tar.gz lora-app-server.tar.gz

RUN tar -xzf lora-app-server.tar.gz && rm -f lora-app-server.tar.gz

RUN apt-get update

RUN apt-get install -y net-tools openssl

RUN mkdir -p /etc/lora-app-server/certs

RUN openssl req -x509 -newkey rsa:2048 \
    -keyout /etc/lora-app-server/certs/http-key.pem \
    -out /etc/lora-app-server/certs/http.pem -days 365 \
    -nodes -batch

ENTRYPOINT ["./lora-app-server"]

Instead of re-building a new Docker image, I would recommend using volumes. That way you’re able to share the certificate files from your host machine with the Docker container.

E.g. -v /host/certs:/etc/lora-app-server/certs would make certificates on your host located at /host/certs available to the container at /etc/lora-app-server/certs. This config option is also available within docker-compose, so you might need to add 1 or 2 extra lines for this.

Links that might be helpful:

I understand that that is another option, and I have done that before for other projects.

However, it doesn’t answer the real question – why didn’t what I did work?

There are valid certs in the directory – I checked the running container’s file system.

You’re right:

The issue here is that LoRa App Server tries to connect to LoRa Server (note that 8000 is the default --bind port of LoRa Server). However LoRa Server is not running on 127.0.0.1:8000. Probably you need to set the NS_SERVER config variable. See the 0.13.3 config options: chirpstack-application-server/docs/content/install/config.md at 0.13.3 · brocaar/chirpstack-application-server · GitHub

I will try that.

In the meantime, if I am using exactly the same yml file, differing only in the version of lora-app-server that is either (a) pulled from the docker repository or (b) pulled from github and built as a docker image, why am I getting ip/port errors?

Is there something different across the two versions?

I did try mounting external certs in the yml file. I got the same error.

So, what could be different about the two versions of the container? Note that I’m pulling

Sorry, that should say I am pulling version 0.13.3

The docker-compose.yml mentioned on the documentation page does not have all the configuration needed for the 0.13.3 version, as there were a couple of config changes in the last release.

This is the docker-compose.yml file for the 0.13.3 version: https://github.com/brocaar/docs.loraserver.io/blob/eaa1215e60985ede3a9bc2db4f37561c295e5036/content/install/docker.md.

Please note that in this case you should also pull LoRa Server 0.21.1.

Thank you! That makes sense.
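The two suggestions in this thread (mounting the certs as a volume and setting NS_SERVER) combined in a docker-compose fragment; this is an added example, not taken from the thread or from the project's documentation. The image names, the service names `loraserver` and `appserver`, the host path `./certs` and the HTTP_TLS_CERT / HTTP_TLS_KEY variable names are assumptions, and only the keys relevant to this thread are shown; the remaining settings come from the 0.13.3 compose file linked above.

```yaml
# Added example. Assumed: image names, service names, host path ./certs.
version: "2"

services:
  loraserver:
    image: loraserver/loraserver:0.21.1          # assumed image name
    # LoRa Server settings from the 0.13.3-era compose file go here

  appserver:
    image: loraserver/lora-app-server:0.13.3     # assumed image name
    environment:
      # Inside the appserver container, 127.0.0.1 is the container itself,
      # so the network server has to be addressed by its compose service name.
      - NS_SERVER=loraserver:8000
      # Assumed variable names for the certificate and key paths.
      - HTTP_TLS_CERT=/etc/lora-app-server/certs/http.pem
      - HTTP_TLS_KEY=/etc/lora-app-server/certs/http-key.pem
      # other lora-app-server settings from the linked compose file go here
    volumes:
      # Certificates are generated on the host and mounted read-only, so the
      # unencrypted private key (-nodes) is never stored in an image layer.
      - ./certs:/etc/lora-app-server/certs:ro
```

With a key generated in the Dockerfile, every copy of the image carries the same private key; the read-only mount keeps the key on the host and lets it be rotated without a rebuild.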