SSL verification error

Hi everyone.

First I must apologize if there is another topic covering this. I’ve been searching for a few days without finding the solution.

I installed chirpstack gateway, network and application on a Debian server following the guidelines in the webpage. At the configuration step of the application server, it tells me that I can secure the connections between the services using SSL certificates and sends me here: https://github.com/brocaar/chirpstack-certificates.

I successfully generated and verified the certificates on another Debian machine and copied them to the Debian server where everything was installed and made the necessary modifications to the configuration files. I want to confirm something and ask you for some guidance.

First, what I want to confirm is if the as_public_id mentioned in the link is the “id” label right under "[application_server]" in the application server configuration example.

Second, the issue that brings me here. Using the self-signed certificates I try to add the network server through the web page. It fails, but in the application server log I see this line.

mar 14 18:52:32 lorawan chirpstack-application-server[31351]: time="2021-03-14T18:52:32-03:00" level=warning msg="grpc: addrConn.createTransport failed to connect to {localhost:8000  <nil> 0 <nil>}. Err: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \\\"crypto/rsa: verification error\\\" while trying to verify candidate authority certificate \\\"ChirpStack CA\\\")\". Reconnecting..."

It says it doesn’t recognize the authority that signed the certificates.

  • Is there a way to skip certificate validation?
  • I’m not used to working with Linux, but if it cannot be skipped, can you give some tips to make it work? I tried to copy the ca.pem generated, copied it to “/usr/local/share/ca-certificates/” and ran “sudo update-ca-certificates” but no luck. I restarted both network and application servers of course.

Thanks in advance for any help provided

Configuring these certificates is not a requirement. It is an option and it can be useful, but if you at one side configure certificates and at the other side disable the validation, then not configuring certificates might be easier :wink:

Hahaha, it’s true. I ended up doing the configuration that way, and only using a self-signed certificate for dashboard access for now. With the other certificates I was hoping to have encryption between services, even if it was a self-signed one. The problem, I’m not sure how to solve, is to make chirpstack accept them. Maybe, that can wait for a real certificate. :thinking: