Hi,
I also had some minor challenges getting the MQTT TLS configuration to work.
Read this topic: MQTT with TLS Issue - Setup and configuration - ChirpStack Community Forum
And then following articles for background information
- Creating a Self-Signed Certificate With OpenSSL
- Create your own Certificate Authority (CA) using OpenSSL
I built a setup like the one in the image below, where the mqtt-forwarder communicates with the Chirpstack Mosquitto MQTT server. Certificates has been done by using openssl tool.
Here are some notes about configuring an SSL connection.
Self-Signed Root CA
Creating a Self-Signed Certificate With OpenSSL
Create self-signed certificate, a certificate that’s signed with its own private key.
Generate private key + Self-Signed Root CA.
# create a password-protected, 4096-bit RSA private key
openssl genrsa -des3 -out rootCA.key 4096
Enter PEM pass phrase: somepasspharse
# rootCA.key
# Self-signed certificate with just a private key. No CSR.
openssl req -x509 -new -sha256 -key rootCA.key -days 365 -out rootCA.crt
# rootCA.crt
# Create a Self-Signed Root CA just a single command.
# openssl req -x509 -sha256 -days 365 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt
Check the certificate.
openssl x509 -text -noout -in rootCA.crt
MQTT server-certificate
Creating a CA-Signed Certificate With Our Own CA with SAN Extensions.
Create a mosquitto-csr.cnf file.
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=Fi # Example country code for mosquitto certificate
O=Mosquitto MQTT Broker # Example name of certificate
CN=localhost # Docker hostname of server where mosquitto is hosted
SAN extension mosquitto_v3.ext file. DNS.1 should have same value as CN property in mosquitto-csr.cnf file.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
extendedKeyUsage=serverAuth, clientAuth
[alt_names]
DNS.1 = localhost # Example hostname
DNS.2 = mosquitto # A Docker DNS name
DNS.3 = glstation.zz.fi
DNS.4 = static.6.44.27.99.clients.your-server.zz
IP.1 = 37.27.44.99 # the IP of Mosquitto ssh reverse tunneling remote host
#IP.2 = 192.168.1.200
Mosquitto private key + CSR
openssl req -new -sha256 -nodes -out mosquitto.csr -newkey rsa:2048 -keyout mosquitto.key -config <( cat mosquitto-csr.cnf )
# mosquitto.key
# mosquitto.csr
Sign CSR With Root CA. Generate the certificate and sign it with CA certificate and add SAN extension to it.
openssl x509 -req -in mosquitto.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mosquitto.crt -days 825 -sha256 -extfile mosquitto_v3.ext
# mosquitto.crt
Check the certificate.
openssl x509 -text -noout -in mosquitto.crt
openssl x509 -text -noout -in mosquitto.crt -purpose
Root CA + Mosquitto server certificates
rootCA.crt
rootCA.key
mosquitto.crt
mosquitto.key
Configure Mosquitto MQTT
msiquitto.conf
#listener 1883
#allow_anonymous true
per_listener_settings true
listener 1883
allow_anonymous true
listener 8883
cafile /etc/mosquitto/certs/rootCA.crt
certfile /etc/mosquitto/certs/mosquitto.crt
keyfile /etc/mosquitto/certs/mosquitto.key
allow_anonymous true
require_certificate true
#use_identity_as_username true
#acl_file /etc/mosquitto/acl
#password_file /etc/mosquitto/mqtt_passwords
Check the connection.
# Check TLS connection
openssl s_client -connect <MQTT_BROKER_HOST>:8883 -CAfile /etc/chirpstack/certs/rootCA.crt
# no TSL
mosquitto_sub -h <MQTT_BROKER_HOST> -p 1883 -t "#" -v -d
# TLS
mosquitto_sub -h <MQTT_BROKER_HOST> -p 8883 --cafile ./configuration/certs/rootCA.crt --cert ./configuration/certs/mosquitto.crt --key ./configuration/certs/mosquitto.key -t "#" -v -d
# --insecure
Configure ChirpStack
chirpstack.toml
# MQTT integration configuration.
[integration.mqtt]
# MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
#server="tcp://$MQTT_BROKER_HOST:1883/"
server="ssl://glstation.zz.fi:8883"
# CA certificate file (optional)
#
# Use this when setting up a secure connection (when server uses ssl://...)
# but the certificate used by the server is not trusted by any CA certificate
# on the server (e.g. when self generated).
ca_cert="/etc/chirpstack/certs/rootCA.crt"
# TLS certificate file (optional)
#tls_cert=""
tls_cert="/etc/chirpstack/certs/mosquitto.crt"
# TLS key file (PKCS#8) (optional)
#tls_key=""
tls_key="/etc/chirpstack/certs/mosquitto.key"
Check the connection.
# Check TLS connection
openssl s_client -connect <MQTT_BROKER_HOST>:8883 -CAfile /etc/chirpstack/certs/rootCA.crt
# no TSL
mosquitto_sub -h <MQTT_BROKER_HOST> -p 1883 -t "#" -v -d
# TLS
mosquitto_sub -h <MQTT_BROKER_HOST> -p 8883 --cafile ./configuration/certs/rootCA.crt --cert ./configuration/certs/mosquitto.crt --key ./configuration/certs/mosquitto.key -t "#" -v -d
# --insecure
Configure ChirpStack mqtt-forwarder
Now the mqtt server can be connected from the internet using URL: ssl://glstation.zz.fi:8883
Add a new certs folder.
sudo mkdir /etc/opt/gls/certs
Copy mosquitto.crt, mosquitto.key, rootCA.crt from the MQTT server to the /etc/opt/gls/certs folder
Add CA/TLS certification information into chirpstack-mqtt-forwarder.toml file.
sudo nano /etc/opt/gls/chirpstack-mqtt-forwarder.toml
# MQTT settings.
[mqtt]
# CA certificate file (optional)
#
# Use this when setting up a secure connection (when server uses ssl://...)
# but the certificate used by the server is not trusted by any CA certificate
# on the server (e.g. when self generated).
ca_cert="/etc/opt/gls/certs/rootCA.crt"
# TLS certificate file (optional)
# tls_cert=""
tls_cert="/etc/opt/gls/certs/mosquitto.crt"
# TLS key file (optional)
# tls_key=""
tls_key="/etc/opt/gls/certs/mosquitto.key"
Check chirpstack concentratord and mqtt-forwarder logs after restart. There should be seen message: Configuring client with TLS certificate...