I am trying to connect Thingsboard PE via MQTT integration to CS V4.
I am getting the following error:
java.lang.RuntimeException: Creating TLS factory failed!
at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.initSslContext(CertPemClientCredentials.java:93)
at org.thingsboard.integration.mqtt.AbstractMqttIntegration.initSslContext(AbstractMqttIntegration.java:245)
at org.thingsboard.integration.mqtt.AbstractMqttIntegration.initClient(AbstractMqttIntegration.java:209)
at org.thingsboard.integration.mqtt.basic.BasicMqttIntegration.init(BasicMqttIntegration.java:75)
at org.thingsboard.integration.mqtt.AbstractMqttIntegration.update(AbstractMqttIntegration.java:107)
at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.processUpdateEvent(DefaultIntegrationManagerService.java:575)
at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.lambda$reInitIntegrations$10(DefaultIntegrationManagerService.java:667)
at java.base/java.util.concurrent.ConcurrentHashMap$ValuesView.forEach(ConcurrentHashMap.java:4772)
at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.reInitIntegrations(DefaultIntegrationManagerService.java:663)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251)
at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)
at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.readPrivateKeyFile(CertPemClientCredentials.java:174)
at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.createAndInitKeyManagerFactory(CertPemClientCredentials.java:104)
at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.initSslContext(CertPemClientCredentials.java:87)
... 14 more
It seems that the key generated by the CS v4 MQTT integration is not an RSA key.
I tried to convert it to RSA format and got this error:
openssl rsa -in lns-de-key.pem -out private.key
Not an RSA key
These are different key algorithms and conversion is not possible. If they must use an RSA key, you need to generate an RSA key. ECC can be seen as possibly being more secure, so it is preferred by some use cases.
If you need a new key and if Chirpstack itself cannot generate the right type of key, you should be able to use tools like openssl to generate the keypair as required.
In order to generate a key that will be similar to the one created by MQTT Integration, which CA should I use: Chirpstack CA, Mosquitto CA or Bridge CA?
In the guide on MQTT with TLS, it says:
The ca.pem, cert.pem and key.pem must be obtained from the ChirpStack web-interface (gateway certificate or application MQTT integration certificate).
So I guess I need to manually create this process with an RSA type key. The question is, with which CA?
If you have been following the documentation, then all the CAs are the same. What you need is the CA certificate + related key file, e.g.:
At the ChirpStack Gateway Bridge / ChirpStack MQTT Forwarder and Mosquitto sides, only the CA certificate is configured, not the key.
With the CA certificate + CA key file you can sign a certificate
With only the CA certificate, you can validate if a given certificate was signed by the CA
ECC can be seen as possibly being more secure, so it is preferred by some use cases.
ECC certificates are also a lot easier with low-power gateways. Back in the day ChirpStack was using RSA, but this didn’t work on the MiniHub gateways (Basics Station protocol).
There is no configuration option to switch between ECC and RSA. Maybe you could also request Thingsboard support for ECC certificates?
Thanks again for taking the time to reply to my post.
There is no configuration option to switch between ECC and RSA. Maybe you could also request Thingsboard support for ECC certificates?
Yes I did comment on an issue on Thingsboard GIT and sent a support ticket to TB guys about adding support to ECC.
If you have been following the documentation, then all the CAs are the same. What you need is the CA certificate + related key file, e.g.:
Actually I’ve used the really-awesome vagrant script to set up this Chirpstack server, saved me tons of time and headache! How did I not know about this method prior??
Works like a charm!
Right, so the CA is the same for all of them, makes sense; therefore the CA and CA key are located at /etc/chirpstack/certs/ after the ansible setup.
Cool, so I just managed to generate a key that works with thingsboard!!!
Here is my method in case someone finds themselves in this limbo as well:
description: Use EasyRSA with existing CA to generate RSA keys
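For readers following the thread, an added example (not the poster's EasyRSA method and not ChirpStack or Thingsboard code) showing the same idea with plain openssl: an RSA client key is generated and its certificate is signed by an existing ECC CA, then verified against that CA. The CA here is a throwaway one constructed in a temp directory; the file names, the CN value and the function names are assumptions.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Print a certificate's public-key algorithm ("rsaEncryption", "id-ecPublicKey", ...).
cert_key_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# issue_rsa_client_cert CA_CERT CA_KEY OUT_DIR COMMON_NAME
# Writes key.pem (RSA, PKCS#8 "BEGIN PRIVATE KEY") and cert.pem into OUT_DIR.
issue_rsa_client_cert() {
  local ca_cert=$1 ca_key=$2 out=$3 cn=$4
  # Private key is created with owner-only permissions.
  ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$out/key.pem" 2>/dev/null ) &&
  openssl req -new -key "$out/key.pem" -subj "/CN=$cn" -out "$out/client.csr" &&
  # Leaf certificate: not a CA, usable for TLS client authentication only.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
      > "$out/client.ext" &&
  # Serial file is kept in OUT_DIR so the CA directory is not written to.
  openssl x509 -req -in "$out/client.csr" -CA "$ca_cert" -CAkey "$ca_key" \
      -CAserial "$out/ca.srl" -CAcreateserial -days 365 -sha256 \
      -extfile "$out/client.ext" -out "$out/cert.pem" 2>/dev/null &&
  # Same check the broker performs: is cert.pem signed by this CA?
  openssl verify -CAfile "$ca_cert" "$out/cert.pem" >/dev/null
}

# Constructed demo: a throwaway EC CA stands in for the existing CA.
demo() {
  local d out=""
  d=$(mktemp -d) &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca-key.pem" &&
  openssl req -x509 -new -key "$d/ca-key.pem" -subj "/CN=constructed-test-ca" \
      -days 1 -out "$d/ca.pem" &&
  # CN is a placeholder; use the identity your broker ACL expects.
  issue_rsa_client_cert "$d/ca.pem" "$d/ca-key.pem" "$d" "example-application-id" &&
  out="ca=$(cert_key_alg "$d/ca.pem") client=$(cert_key_alg "$d/cert.pem")"
  rm -rf "$d"
  echo "$out"
}

demo
```

With a real deployment, pass the existing CA certificate and CA key to `issue_rsa_client_cert` instead of the throwaway pair; the key type of the CA and of the client certificate are independent, which is why an ECC CA can sign an RSA client certificate.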