MQTT TLS configuration

Hello everyone! I need some help with the MQTT TLS configuration. I am using chirpstack V4 with the quick start docker-compose provided by brocaar in the official chirpstack, and it works great, since I have my nodes sending info and using customized payload codec functions.
But I need to add security to my application, so I read about MQTT TLS CONFIG and many related topics here in the forum and watched ssl on mqtt broker and TLS with mqtt broker to learn a little more, since I am not an experienced developer.
As detailed here:
I have generated the CA's ca-csr.json and ca-config.json successfully, exactly as it is said in the guide, but I don't know if I did it OK. For example:

    mkdir -p /etc/chirpstack/certs
    cp ca.pem /etc/chirpstack/certs
    cp ca-key.pem /etc/chirpstack/certs

Should I give the chirpstack docker file directory instead of /etc/chirpstack/certs? I mean something like /configuration/chirpstack/certs ???
Also in this part:

    "CN": "",
    "hosts": [
    "key": {
        "algo": "rsa",
        "size": 4096

What am I supposed to write in the "example.com"?? I am running on a local machine (localhost:8080).
And finally, the creation of the ACL: how could I do it? I tried to read about it but did not succeed.

To restrict MQTT clients (gateway and integrations) to their own topics, create the following ACL file:


    pattern readwrite +/gateway/%u/#
    pattern readwrite application/%u/#

Many, many thanks in advance, and excuse me for my bad English.
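
The two ACL lines quoted in the post above, modelled as an added example (not part of the original post, and not ChirpStack or Mosquitto code): Mosquitto replaces `%u` with the connecting client's username, then matches the resulting MQTT topic filter. The function names, the `eu868` topic prefix and the gateway IDs are constructed for illustration.

```python
# Added example: a small model of how Mosquitto evaluates "pattern" ACL lines.
ACL_FILE = """\
pattern readwrite +/gateway/%u/#
pattern readwrite application/%u/#
"""

def parse_acl(text):
    """Return [(access, filter_template)] for every 'pattern' line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "pattern":
            rules.append((parts[1], parts[2]))
    return rules

def topic_matches(filt, topic):
    """MQTT filter match: '+' is exactly one level, a trailing '#' is the rest."""
    f, t = filt.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False              # wildcards never cover $SYS-style topics
    for i, level in enumerate(f):
        if level == "#":
            return True           # also matches the parent level itself
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def allowed(rules, username, action, topic):
    """action is 'read' (receive) or 'write' (publish)."""
    # A missing username, or one containing topic wildcards or separators,
    # is never substituted into a filter: it matches nothing.
    if not username or any(c in username for c in "+#/"):
        return False
    for access, template in rules:
        if access in (action, "readwrite"):
            if topic_matches(template.replace("%u", username), topic):
                return True
    return False                  # no rule matched: denied

if __name__ == "__main__":
    rules = parse_acl(ACL_FILE)
    gw = "0016c001f153a14c"       # constructed gateway ID used as MQTT username
    for topic in ("eu868/gateway/0016c001f153a14c/event/up",   # own topic
                  "eu868/gateway/a84041ffff1f2b3c/event/up",   # another gateway
                  "application/0016c001f153a14c/device/x/event/up"):
        print(topic, "->", allowed(rules, gw, "write", topic))
```

The third topic is allowed as well: the second pattern grants any username its own `application/<username>/...` subtree, so what a client can reach depends entirely on which usernames the broker accepts.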

Please have a look at the volumes configuration:

On the host you will have something like ./configuration/chirpstack/certs/... which within Docker will be /etc/chirpstack/certs/... (because of how the volume is mounted). You probably want to add additional mounts for mosquitto.

The CN and hosts must match the hostname of your machine, e.g. the hostname that your gateway will use to connect to your server.


Many thanks Brocaar, I will try it!!!

Many thanks, I will try it!