Good morning,
In the procedure below I put some comments and questions (highlighted with ******) about my configuration, to understand why something is wrong in generating certificates, thanks to your kindness and help. I hope this post can help someone else.
Mosquitto TLS configuration
Requirements
Before proceeding, please make sure that you have installed the cfssl utility. *****Done
You should also already have a working ChirpStack environment. ******Done
If using Debian or Ubuntu (*******my version 22.04.3), this package can be installed using:
sudo apt-get install golang-cfssl ******Done
Generating CA
The CA certificate (and key) has two purposes:
It is used to sign certificates
It is used to validate certificates (checking it has been signed by the CA)
Save the following files to disk: *******Done ( I created a directory in my home)
ca-csr.json: *******Done
{
  "CN": "ChirpStack CA",
  "key": {
    "algo": "rsa",
    "size": 4096
  }
}
ca-config.json: *******Done
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
Then execute the following command to generate the CA certificate and key:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca *******Done (certificate and key created)
Generate MQTT server-certificate
The MQTT server-certificate is used to establish a secure TLS connection between the MQTT client (gateway or integration) and the MQTT broker.
Save the following file to disk and change example.com into the hostname that will be used by clients that will connect to the MQTT broker: ********Done
mqtt-server.json:
********Done, my question: I replaced example.com both in CN and in hosts with this syntax: mydomain.duckdns.org, is that correct? That domain is actually the server to which my gateways connect correctly.
{
  "CN": "example.com",
  "hosts": [
    "example.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  }
}
Then execute the following command to generate the MQTT server-certificate:
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile server mqtt-server.json | cfssljson -bare mqtt-server ********Done
Configure ChirpStack
You must configure ChirpStack with the CA certificate and CA key which you have generated in the previous step. ChirpStack will use the CA certificate (+ key) to sign the gateway or application MQTT integration client-certificates when generated using the web-interface.
Create a directory for the certificate files and copy these files using the following command:
mkdir -p /etc/chirpstack/certs *******Done
cp ca.pem /etc/chirpstack/certs *******Done
cp ca-key.pem /etc/chirpstack/certs *******Done
Depending on your setup, you might need to modify the ownership and / or permissions of the created directory and files. *******Question: I don't know this well; I know that I can only access the chirpstack directory as root. Is that ok?
*******Attached my section below on chirpstack.toml, is that ok?
Update the following configuration sections in the chirpstack.toml configuration file:
[gateway] section: ********Done
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"
[integration.mqtt.client] section: ********Done
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem" ****Done
ca_key="/etc/chirpstack/certs/ca-key.pem" *****Done
Make sure to restart ChirpStack. ****Done
Also verify the logs for possible errors.****** No errors
Configure Mosquitto
Create a directory for the certificate files using the following command:
mkdir -p /etc/mosquitto/certs *******Done
cp ca.pem /etc/mosquitto/certs *******Done
cp mqtt-server.pem /etc/mosquitto/certs *******Done
cp mqtt-server-key.pem /etc/mosquitto/certs ******Done
Depending on your setup, you might need to modify the ownership and / or permissions of the created directory and files. ******Question as above, not sure.
To restrict MQTT clients (gateway and integrations) to their own topics, create the following ACL file: ******Done. ******Question: is it ok to name this file just acl, with no extension?
/etc/mosquitto/acl:
pattern readwrite +/gateway/%u/#
pattern readwrite application/%u/#
Note that the %u will be automatically replaced by the CN field of the client-certificate. The + prefix in +/gateway/%u/# is used for the region prefix.
The following configuration file will configure two listeners:
One listener on port 1883 (no TLS), which is accessible by any MQTT client on the same machine (localhost only).
One listener on port 8883 (TLS), which is accessible on any network interface. Client must use a client-certificate in order to connect to this listener.
/etc/mosquitto/conf.d/listeners.conf: *******Done. I only copied/pasted the text below, is it ok?
per_listener_settings true
listener 1883 127.0.0.1
allow_anonymous true
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.pem
certfile /etc/mosquitto/certs/mqtt-server.pem
keyfile /etc/mosquitto/certs/mqtt-server-key.pem
allow_anonymous false
require_certificate true
use_identity_as_username true
acl_file /etc/mosquitto/acl
Make sure to restart ChirpStack. Also verify the logs for possible errors.
Verify localhost (no TLS)
From the same machine on which Mosquitto is running, you should be able to connect without providing any credentials, using the following command:
mosquitto_sub -h localhost -t "#" -v -d
*******Done, I see data updated, even when sensors send update
********Now below is where I have errors:
Any host (TLS)
From any other machine, you should be able to connect to the MQTT broker using the following command:
mosquitto_sub -h example.com -p 8883 --cafile ca.pem --cert cert.pem --key key.pem -t "#" -v -d
***For the command above I understand that I need to obtain the application MQTT integration certificate, and when I do this I get the attached error in the top right.
Please note:
The ca.pem, cert.pem and key.pem must be obtained from the ChirpStack web-interface (gateway certificate or application MQTT integration certificate).
Verify that your firewall rules allow incoming connections to the MQTT broker. ******Done
In case you see TLS related errors, please verify that the hostname (of the -h flag) matches the MQTT server-certificate. *******Question: how to do that?
Validation of the server-certificate can be disabled using the --insecure flag.
*******Final question, maybe silly.
Can I make the MQTT integration work without generating certificates, only by subscribing to a topic with username and password access?
Thank you for your help
Paolo
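Added example, not part of Paolo's post or of the ChirpStack documentation he quotes: a POSIX shell script that rebuilds the CA -> MQTT server-certificate chain from the procedure above with openssl (standing in for cfssl, so it runs anywhere openssl is installed), then performs the check behind "verify that the hostname (of the -h flag) matches the MQTT server-certificate". It prints the Subject and Subject Alternative Name a client compares the -h value against, and runs openssl verify -verify_hostname once with the intended hostname and once with a name that does not match. The hostname mydomain.duckdns.org, the temporary working directory and the 2048-bit keys (the post uses 4096) are assumptions; substitute your broker's DNS name.

```shell
#!/bin/sh
# Added example (not from the original post or the ChirpStack docs).
# Rebuilds the CA -> MQTT server-certificate chain with openssl in place of
# cfssl, then checks whether a hostname matches the server certificate, which
# is what mosquitto_sub -h <host> verifies before talking MQTT.
# Assumptions: MQTT_HOST is a placeholder for your broker's DNS name;
# 2048-bit keys are used for speed where the post uses 4096.

MQTT_HOST="${MQTT_HOST:-mydomain.duckdns.org}"
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the CA gets CA:TRUE regardless of the system
# openssl.cnf (the equivalent of cfssl gencert -initca).
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create ca.pem/ca-key.pem and mqtt-server.pem/mqtt-server-key.pem in $WORK.
# $1 goes into both CN and subjectAltName, as in mqtt-server.json.
make_chain() {
  host="$1"
  write_config
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=ChirpStack CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$WORK/mqtt-server-key.pem" -out "$WORK/mqtt-server.csr" >/dev/null 2>&1
  # Same usages as the cfssl "server" profile in ca-config.json, plus the SAN
  # that hostname verification actually matches against.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/server-ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/mqtt-server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/server-ext.cnf" -out "$WORK/mqtt-server.pem" >/dev/null 2>&1
}

# Print the names a client compares the -h value against: Subject CN and
# the Subject Alternative Name entries (the SAN is what modern TLS stacks use).
show_names() {
  openssl x509 -in "$WORK/mqtt-server.pem" -noout -subject
  openssl x509 -in "$WORK/mqtt-server.pem" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}'
}

# Exit 0 only if mqtt-server.pem chains to ca.pem AND is valid for hostname $1.
check_hostname() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/mqtt-server.pem" >/dev/null 2>&1
}

# Same check against a running broker, using the ca.pem/cert.pem/key.pem
# downloaded from the ChirpStack web-interface (needs network; not run below).
live_check() {
  openssl s_client -connect "$1:8883" -servername "$1" -verify_return_error \
    -CAfile ca.pem -cert cert.pem -key key.pem </dev/null
}

make_chain "$MQTT_HOST"
show_names
if check_hostname "$MQTT_HOST"; then
  echo "OK: mqtt-server.pem is valid for -h $MQTT_HOST"
fi
if ! check_hostname "localhost"; then
  echo "MISMATCH: -h localhost would fail TLS verification against this certificate"
fi
```

A mismatch reported by check_hostname is the same condition that makes mosquitto_sub fail with a TLS error on port 8883: the name passed to -h must appear in the server certificate's hosts list. The remedy is to regenerate mqtt-server.json and the server certificate with the name clients really use, rather than connecting with --insecure. To inspect a broker that is already running, call live_check with that hostname from a directory holding the client certificate files from the ChirpStack UI.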