I’m writing to get some clarification on Chirpstack’s MQTT Integration feature. I have set up TLS and can generate certificates by navigating to Tenant>MyTenant>Applications>MyApplication, then clicking Integrations and ‘Generate Certificate’ - I see the CA and TLS certs as well as the TLS key. However, I’m curious if there’s a way to provision data from this MQTT integration. For context, we’re running docker-compose on an Azure server and are hoping to integrate it with a website.
We’re hoping to have data separated by tenants, or at least by application, to keep things fairly separated. However after configuring a MQTT node in Node-RED and adding a debug node, I can see all traffic on the MQTT ports 1883 and 8883 (running Mosquitto with normal and TLS functions).
As I understand it, Chirpstack isn’t able to partition this data based on tenant or application, and just passes the LoRaWAN data to the Mosquitto ports. From what I’ve read, the next best option is to create an ACL file in Mosquitto or use Node-RED to filter by tenants or applications.
Is there a function in Chirpstack to keep the data separate for integration, or will we need to proceed with Mosquitto/Node-RED/other configuration?
If you did the TLS guide and mosquitto_sub from a separate host, you should only see the data associated to that application. This is due to the line in the ACL:
pattern readwrite application/%u/#
Perhaps this was on the same machine? Still shouldn’t happen using 8883 though, maybe share your mosquitto.conf.
Thank you so much for your response - that’s a great catch as I only checked data flow from the host machine. I tried the mosquitto_sub example in the guide (on the host) and got the following error:
If you are using the TLS described in the guide (looks like you are) any external connections will have to use the certificates generated through the WebUI to connect to the broker (and it will only show the application info associated to the application you generated the certificate in). So you will have to get those certs and reference them in the mosquitto sub to connect.
I am confused by a few of your files though. Why are there two references to mosquitto.conf and listeners.conf? Only ~/chirpstack-docker/configuration/mosquitto/config/mosquitto.conf is required, and the mosquitto.conf you shared has some issues. This might be causing some strange behaviour like being able to connect to 8883 locally, as your mosquitto.conf does not have the per_listener_settings true. Maybe you got confused as the guide is for Ubuntu not docker, but it seems like you took both routes.
I’d suggest copy-pasting your current /etc/mosquitto/conf.d/listeners.conf into the ~/chirpstack-docker/configuration/mosquitto/config/mosquitto.conf, then removing any mounting of the /etc files in your docker-compose, and move your certs + acl to ~/chirpstack-docker/configuration/mosquitto on host. That way, all of your configuration will be in the docker-compose file instead of having some scattered to /etc.
Another aside is that you do not need to mount each directory in the /configuration/mosquitto folder, you could mount the whole directory with just
Great catches - yes I tried following the TLS guide as instructed, and certificates generated in the WebUI just fine. I was able to save those to local files and will use those for securing a connection from a separate computer. What you described is a perfect scenario for how we’re hoping to have our data provisioned.
Yeah, it’s definitely been a learning process for me. I appreciate all of the help to simplify and remove duplicates! I got confused with the Ubuntu guides vs Docker guides & the configurations on the local machine vs what’s inside the containers & volumes. I’ve hesitated cleaning up because I was afraid of breaking things. It’s been a hodge-podge of work, so I’ll definitely make the corrections you suggested & will only use the mosquitto.conf file.
Beautiful simplifications and asides are much appreciated - I’ll make those changes and update as I progress. Many thanks!
Ya, there's definitely some reading between the lines required in a lot of the guides. And host vs container is always a struggle when starting docker. I was in a similar position just a few months ago.
Glad I’m not alone on that one, it’s gotten easier with time and exposure though.
Your recommendation worked like a charm - I was able to subscribe on the host computer and read all MQTT events. I set up Mosquitto on my personal computer, and using the certs & key from Chirpstack, was able to see only traffic from devices belonging to that application. It works perfectly!
One more question if you have the chance: do you know if there’s a way to generate an MQTT certificate for all devices from all tenants and applications? Or some other way to get into the 1883 and/or 8883 ports to see all data flowing for use with another software for integration?
Interesting question, I am certain there is but I am not experienced enough in mosquitto ACLs to know the cleanest way to do that.
Off the top of my head, one way you could implement this is to create another MQTT listener in your mosquitto.conf (on port 8882 for example) that is a copy/paste of your 8883 listener but without the acl_file line, and with different certificates so clients can't connect to it with the certificates they use for 8883. You would have to generate those certificates yourself (pretty easy), but then if you use those certificates to connect to that port you would be able to see all the topics as the ACL is not restricting it.
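To make the two mechanisms discussed in this thread concrete, here is an added example (not code from the thread, from ChirpStack or from Mosquitto) that models the relevant slice of Mosquitto's ACL check: the `pattern readwrite application/%u/#` line from the TLS guide, and the unrestricted second listener with no `acl_file` suggested just above. It assumes the 8883 listener uses `use_identity_as_username`, so `%u` is the CN of the client certificate generated in the WebUI, i.e. the application ID, and that ChirpStack publishes on `application/{application_id}/device/{dev_eui}/event/{event}` and reads downlinks from `.../command/down`. The application IDs, DevEUIs and client ID are constructed sample values; the wildcard-in-username refusal is this model's own defensive choice, not a claim about Mosquitto's code.

```python
"""Toy model of the Mosquitto ACL check behind `pattern readwrite application/%u/#`.

Added example: reimplements only the subset of Mosquitto ACL semantics needed to
show why a TLS client whose certificate CN (used as the username) is one
application ID sees only that application's topics, and why a listener with no
acl_file exposes every topic. All IDs below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

READ, WRITE = "read", "write"


@dataclass
class AclRule:
    access: str    # "read", "write" or "readwrite"
    topic: str     # topic filter; may contain %u / %c and the MQTT wildcards + and #
    pattern: bool  # True for `pattern ...` lines, which apply to every client


def parse_acl(text: str) -> list[AclRule]:
    """Parse the `pattern <access> <topic>` lines of a Mosquitto ACL file.
    Plain `topic` / `user` blocks are out of scope for this model."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split()
        if parts[0] == "pattern" and len(parts) == 3:
            rules.append(AclRule(access=parts[1], topic=parts[2], pattern=True))
        else:
            raise ValueError(f"unsupported ACL line in this model: {raw!r}")
    return rules


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' the rest."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True                # '#' covers zero or more remaining levels
        if i >= len(t):
            return False
        if level != "+" and level != t[i]:
            return False
    return len(f) == len(t)


def acl_allows(rules: Optional[list[AclRule]], username: Optional[str],
               client_id: str, topic: str, access: str) -> bool:
    """No acl_file configured (rules is None): everything is allowed.
    With an acl_file: denied unless some rule grants it. %u/%c are substituted
    per client, and a %u pattern can never match an anonymous client."""
    if rules is None:
        return True
    # Defensive choice of this model: an identity containing MQTT wildcards would
    # widen the substituted filter, so refuse such clients outright.
    for ident in (username, client_id):
        if ident and ("+" in ident or "#" in ident):
            return False
    for rule in rules:
        if rule.access not in (access, "readwrite"):
            continue
        filt = rule.topic
        if "%u" in filt:
            if username is None:
                continue
            filt = filt.replace("%u", username)
        filt = filt.replace("%c", client_id)
        if topic_matches(filt, topic):
            return True
    return False


# Constructed sample values (not real application IDs or DevEUIs).
ACL_FILE = "pattern readwrite application/%u/#\n"
APP_A = "0f1e2d3c-0000-4000-8000-000000000001"
APP_B = "0f1e2d3c-0000-4000-8000-000000000002"
UPLINK_A = f"application/{APP_A}/device/0102030405060708/event/up"
UPLINK_B = f"application/{APP_B}/device/1112131415161718/event/up"
DOWN_A = f"application/{APP_A}/device/0102030405060708/command/down"


def visible_topics(username: Optional[str], rules, topics: list[str]) -> list[str]:
    """Which of `topics` a subscriber with this username could actually read."""
    return [t for t in topics if acl_allows(rules, username, "node-red", t, READ)]


def demo() -> dict:
    rules = parse_acl(ACL_FILE)
    return {
        # 8883 with the guide's ACL: the application-A certificate sees only application A
        "8883_app_a_sees": visible_topics(APP_A, rules, [UPLINK_A, UPLINK_B]),
        "8883_app_a_can_queue_own_downlink": acl_allows(rules, APP_A, "node-red", DOWN_A, WRITE),
        "8883_app_a_can_write_app_b": acl_allows(rules, APP_A, "node-red", UPLINK_B, WRITE),
        # hypothetical 8882 listener with no acl_file: every topic is visible
        "8882_no_acl_sees": visible_topics("integration-user", None, [UPLINK_A, UPLINK_B]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the partition the thread arrived at: with the guide's single pattern line, the certificate for application A can read and write only `application/<A>/...`, an anonymous client matches nothing, and a listener configured without `acl_file` passes every application's traffic, which is exactly why that listener needs its own CA so the per-application certificates cannot be presented to it.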