Hi,
I also had some minor challenges getting the MQTT TLS configuration to work.
Read this topic: MQTT with TLS Issue - Setup and configuration - ChirpStack Community Forum
And then the following articles for background information.
I built a setup like the one in the image below, where the mqtt-forwarder communicates with the ChirpStack Mosquitto MQTT server. The certificates have been created using the openssl tool.
Here are some notes about configuring an SSL connection.
Self-Signed Root CA
Creating a Self-Signed Certificate With OpenSSL
Create a self-signed certificate, i.e. a certificate that is signed with its own private key.
Generate private key + Self-Signed Root CA.
# create a password-protected, 4096-bit RSA private key
openssl genrsa -des3 -out rootCA.key 4096
Enter PEM pass phrase: somepassphrase
# rootCA.key
# Self-signed certificate with just a private key. No CSR.
openssl req -x509 -new -sha256 -key rootCA.key -days 365 -out rootCA.crt
# rootCA.crt
# Create a Self-Signed Root CA with just a single command.
# openssl req -x509 -sha256 -days 365 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt
Check the certificate.
openssl x509 -text -noout -in rootCA.crt
MQTT server-certificate
Creating a CA-Signed Certificate With Our Own CA with SAN Extensions.
Create a mosquitto-csr.cnf file.
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=FI # Example country code (ISO 3166, upper case) for the mosquitto certificate
O=Mosquitto MQTT Broker # Example name of certificate
CN=localhost # Docker hostname of server where mosquitto is hosted
SAN extension file mosquitto_v3.ext. DNS.1 should have the same value as the CN property in the mosquitto-csr.cnf file.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
extendedKeyUsage=serverAuth, clientAuth
[alt_names]
DNS.1 = localhost # Example hostname
DNS.2 = mosquitto # A Docker DNS name
DNS.3 = glstation.zz.fi
DNS.4 = static.6.44.27.99.clients.your-server.zz
IP.1 = 37.27.44.99 # the IP of Mosquitto ssh reverse tunneling remote host
#IP.2 = 192.168.1.200
Mosquitto private key + CSR
openssl req -new -sha256 -nodes -out mosquitto.csr -newkey rsa:2048 -keyout mosquitto.key -config <( cat mosquitto-csr.cnf )
# mosquitto.key
# mosquitto.csr
Sign the CSR with the root CA: generate the certificate, sign it with the CA certificate and add the SAN extension to it.
openssl x509 -req -in mosquitto.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mosquitto.crt -days 825 -sha256 -extfile mosquitto_v3.ext
# mosquitto.crt
Check the certificate.
openssl x509 -text -noout -in mosquitto.crt
openssl x509 -text -noout -in mosquitto.crt -purpose
Root CA + Mosquitto server certificates
rootCA.crt
rootCA.key
mosquitto.crt
mosquitto.key
Configure Mosquitto MQTT
mosquitto.conf
#listener 1883
#allow_anonymous true
per_listener_settings true
listener 1883
allow_anonymous true
listener 8883
cafile /etc/mosquitto/certs/rootCA.crt
certfile /etc/mosquitto/certs/mosquitto.crt
keyfile /etc/mosquitto/certs/mosquitto.key
allow_anonymous true
require_certificate true
#use_identity_as_username true
#acl_file /etc/mosquitto/acl
#password_file /etc/mosquitto/mqtt_passwords
Check the connection.
# Check TLS connection
openssl s_client -connect <MQTT_BROKER_HOST>:8883 -CAfile /etc/chirpstack/certs/rootCA.crt
# no TLS
mosquitto_sub -h <MQTT_BROKER_HOST> -p 1883 -t "#" -v -d
# TLS
mosquitto_sub -h <MQTT_BROKER_HOST> -p 8883 --cafile ./configuration/certs/rootCA.crt --cert ./configuration/certs/mosquitto.crt --key ./configuration/certs/mosquitto.key -t "#" -v -d
# --insecure
Configure ChirpStack
Mosquitto TLS configuration
chirpstack.toml
# MQTT integration configuration.
[integration.mqtt]
# MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
#server="tcp://$MQTT_BROKER_HOST:1883/"
server="ssl://glstation.zz.fi:8883"
# CA certificate file (optional)
#
# Use this when setting up a secure connection (when server uses ssl://...)
# but the certificate used by the server is not trusted by any CA certificate
# on the server (e.g. when self generated).
ca_cert="/etc/chirpstack/certs/rootCA.crt"
# TLS certificate file (optional)
#tls_cert=""
tls_cert="/etc/chirpstack/certs/mosquitto.crt"
# TLS key file (PKCS#8) (optional)
#tls_key=""
tls_key="/etc/chirpstack/certs/mosquitto.key"
Configure ChirpStack mqtt-forwarder
Now the MQTT server can be connected to from the internet using the URL ssl://glstation.zz.fi:8883
Add a new certs folder.
sudo mkdir /etc/opt/gls/certs
Copy mosquitto.crt, mosquitto.key and rootCA.crt from the MQTT server to the /etc/opt/gls/certs folder.
Add the CA/TLS certificate information into the chirpstack-mqtt-forwarder.toml file.
sudo nano /etc/opt/gls/chirpstack-mqtt-forwarder.toml
# MQTT settings.
[mqtt]
# CA certificate file (optional)
#
# Use this when setting up a secure connection (when server uses ssl://...)
# but the certificate used by the server is not trusted by any CA certificate
# on the server (e.g. when self generated).
ca_cert="/etc/opt/gls/certs/rootCA.crt"
# TLS certificate file (optional)
# tls_cert=""
tls_cert="/etc/opt/gls/certs/mosquitto.crt"
# TLS key file (optional)
# tls_key=""
tls_key="/etc/opt/gls/certs/mosquitto.key"
Check the chirpstack-concentratord and mqtt-forwarder logs after the restart. The following message should be seen: Configuring client with TLS certificate...
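As an added example (not part of the original post), here is the certificate procedure above as a non-interactive shell script that also checks what the post only eyeballs with openssl x509 -text: that mosquitto.crt chains to rootCA.crt, that the SAN matches the broker hostname a client connects to, and that the key is PKCS#8 as chirpstack.toml documents for tls_key. It assumes openssl on PATH and uses constructed subject names, a 127.0.0.1 SAN and an unencrypted CA key in place of the post's -des3 pass phrase.

```shell
# Added example, not from the original post: scripted CA + Mosquitto server
# certificate procedure plus the checks a broker client (ChirpStack,
# mqtt-forwarder) effectively performs when it trusts ca_cert.
# Assumes openssl on PATH. Subject names and SAN entries are constructed.
set -eu

# Generate rootCA.key/rootCA.crt and mosquitto.key/mosquitto.crt in directory $1.
make_certs() {
  dir="$1"; mkdir -p "$dir"
  # CA key left unencrypted so the script runs unattended (the post uses -des3).
  openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
  # Explicit CA extensions: without CA:TRUE, openssl verify rejects the root as an issuer.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' 'C=FI' 'O=Example Root CA' 'CN=Example Root CA' \
    '[v3_ca]' 'subjectKeyIdentifier=hash' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/rootCA.cnf"
  openssl req -x509 -new -sha256 -days 365 -key "$dir/rootCA.key" \
    -config "$dir/rootCA.cnf" -out "$dir/rootCA.crt"
  # Server CSR config and v3 extension file, same layout as in the post.
  printf '%s\n' '[req]' 'prompt = no' 'default_md = sha256' 'distinguished_name = dn' \
    '[dn]' 'C=FI' 'O=Mosquitto MQTT Broker' 'CN=localhost' > "$dir/mosquitto-csr.cnf"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' 'extendedKeyUsage = serverAuth, clientAuth' \
    'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = localhost' 'DNS.2 = mosquitto' \
    'IP.1 = 127.0.0.1' > "$dir/mosquitto_v3.ext"
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$dir/mosquitto.key" \
    -out "$dir/mosquitto.csr" -config "$dir/mosquitto-csr.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/mosquitto.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/mosquitto_v3.ext" \
    -out "$dir/mosquitto.crt" 2>/dev/null
}

# Prints OK if mosquitto.crt in $1 chains to rootCA.crt AND its SAN matches host $2,
# FAIL otherwise. A valid chain with the wrong SAN still fails, which is what a
# client connecting to ssl://<host>:8883 reports as a hostname mismatch.
verify_server_cert() {
  if openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$2" "$1/mosquitto.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Prints OK if mosquitto.key is an unencrypted PKCS#8 key, the format chirpstack.toml
# documents for tls_key ("BEGIN RSA PRIVATE KEY" would be PKCS#1 instead).
key_is_pkcs8() {
  if grep -q 'BEGIN PRIVATE KEY' "$1/mosquitto.key"; then echo OK; else echo FAIL; fi
}

# Run directly with "sh script.sh run" to build ./certs and check them.
if [ "${1:-}" = "run" ]; then
  make_certs ./certs
  verify_server_cert ./certs localhost; verify_server_cert ./certs bogus.example; key_is_pkcs8 ./certs
fi
```

Point -verify_hostname at the exact host used in server= (here glstation.zz.fi) to confirm the SAN list covers it before restarting ChirpStack.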