TLS Factory RSA KEY Issues between Thingsboard MQTT Integration and Chirpstack V4 (SOLVED)

Hello,

I am trying to connect Thingsboard PE via MQTT integration to CS V4.

I am getting the following error:

java.lang.RuntimeException: Creating TLS factory failed!
	at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.initSslContext(CertPemClientCredentials.java:93)
	at org.thingsboard.integration.mqtt.AbstractMqttIntegration.initSslContext(AbstractMqttIntegration.java:245)
	at org.thingsboard.integration.mqtt.AbstractMqttIntegration.initClient(AbstractMqttIntegration.java:209)
	at org.thingsboard.integration.mqtt.basic.BasicMqttIntegration.init(BasicMqttIntegration.java:75)
	at org.thingsboard.integration.mqtt.AbstractMqttIntegration.update(AbstractMqttIntegration.java:107)
	at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.processUpdateEvent(DefaultIntegrationManagerService.java:575)
	at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.lambda$reInitIntegrations$10(DefaultIntegrationManagerService.java:667)
	at java.base/java.util.concurrent.ConcurrentHashMap$ValuesView.forEach(ConcurrentHashMap.java:4772)
	at org.thingsboard.server.service.integration.DefaultIntegrationManagerService.reInitIntegrations(DefaultIntegrationManagerService.java:663)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
	at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251)
	at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)
	at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.readPrivateKeyFile(CertPemClientCredentials.java:174)
	at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.createAndInitKeyManagerFactory(CertPemClientCredentials.java:104)
	at org.thingsboard.integration.mqtt.credentials.CertPemClientCredentials.initSslContext(CertPemClientCredentials.java:87)
	... 14 more

It seems that the KEY generated by CS v4 MQTT Integration is not an RSA Key

I tried to convert it to RSA format and got this error:

openssl rsa -in lns-de-key.pem -out private.key
Not an RSA key

Any idea here? Another user had similar struggles: Can't create pkcs1 private key for v4 MQTT client

Correct, it is an elliptic curve key (ECC).

Since Thingsboard seems to struggle with ECC keys, is there any way to generate a PKCS RSA format key, or do you know how to convert ECC to RSA?

These are different key algorithms and conversion is not possible. If they must use an RSA key, you need to generate an RSA key. ECC can be seen as possibly being more secure, so it is preferred by some use cases.

If you need a new key and if Chirpstack itself cannot generate the right type of key, you should be able to use tools like openssl to generate the keypair as required.

Thanks for the info,

In order to generate a key that will be similar to the one created by the MQTT Integration, which CA should I use: the Chirpstack CA, the Mosquitto CA or the Bridge CA?

In the Guide on MQTT with TLS, it says:

  • The ca.pem, cert.pem and key.pem must be obtained from the ChirpStack web-interface (gateway certificate or application MQTT integration certificate).

So I guess I need to manually recreate this process with an RSA-type key; the question is with which CA?

If you have been following the documentation, then all the CAs are the same. What you need is the CA certificate + related key file, e.g.:

At the ChirpStack Gateway Bridge / ChirpStack MQTT Forwarder and Mosquitto sides, only the CA certificate is configured, not the key.

  • With the CA certificate + CA key file you can sign a certificate
  • With only the CA certificate, you can validate if a given certificate was signed by the CA

ECC can be seen as possibly being more secure, so it is preferred by some usecases.

ECC certificates are also a lot easier with low-power gateways. Back in the day ChirpStack was using RSA, but this didn't work on the MiniHub gateways (Basics Station protocol).

There is no configuration option to switch between ECC and RSA. Maybe you could also request Thingsboard support for ECC certificates?

1 Like

Hi @brocaar @sp193

thanks again for taking the time to reply to my post :blush:

There is no configuration option to switch between ECC and RSA. Maybe you could also request Thingsboard support for ECC certificates?

Yes, I did comment on an issue on the Thingsboard GIT and sent a support ticket to the TB guys about adding support for ECC.

If you have been following the documentation, then all the CAs are the same. What you need is the CA certificate + related key file, e.g.:

Actually I've used the really awesome Vagrant script to set up this Chirpstack server; it saved me tons of time and headache! How did I not know about this method before?

works like a charm!

Right, so the CA is the same for all of them, makes sense; therefore the CA and CA key are located at /etc/chirpstack/certs/ after the Ansible setup.

Cool, so I just managed to generate a key that works with thingsboard!!! :partying_face: :tada:

Here is my method in case someone finds themselves in this limbo as well:

description: Use EasyRSA with existing CA to generate RSA keys

  1. Install EasyRSA: Releases · OpenVPN/easy-rsa · GitHub

  2. Initialize a new EasyRSA environment: easyrsa init-pki | generate new ca: sudo ./easyrsa build-ca

  3. not sure if this step is needed but I ran it as well: sudo ./easyrsa gen-dh

  4. delete existing ca: rm -rf EasyRSA*/ca.crt

  5. Import the existing chirpstack CA and key:

cd EasyRSA-3.1.6/
sudo cp /etc/chirpstack/certs/ca.pem ca.crt
sudo cp /etc/chirpstack/certs/ca-key.pem private/ca.key

  6. make sure file permissions on pki folders are back to your user: sudo chown user:user -R pki

  7. Generate a key to use in Thingsboard for the App you want to access (grab the appID from Chirpstack):

./easyrsa build-client-full 2a6b5e96-9f16-46b3-941a-8bf284ed56fb nopass

  8. results are in pki/issued/2a6b5e96-9f16-46b3-941a-8bf284ed56fb.crt / pki/private/2a6b5e96-9f16-46b3-941a-8bf284ed56fb.key and pki/ca.crt

  9. set up the MQTT integration in Thingsboard PE using PEM and port 8883

Make sure to set the topic filter to the app you are accessing:

  10. Testing

Manually created a downlink in CS, MQTT client received notification - :heavy_check_mark:
Created downlink using MQTT topic - :heavy_check_mark:
Receive uplinks from CS to TB - :heavy_check_mark:

good luck and thank me later :slight_smile:

1 Like
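The following is an added example, not code from this thread and not part of ChirpStack, Thingsboard or EasyRSA. It does with plain openssl what brocaar's explanation (CA certificate + CA key to sign, CA certificate alone to validate) and the EasyRSA procedure in the post above describe, and it goes a little beyond them: `key_algorithm` runs the same `openssl rsa` command the original post ran so you can tell an EC key from an RSA one before Thingsboard throws `Invalid RSA private key`, and `check_client_cert` confirms the new certificate validates against the CA certificate only and that it matches the private key. Assumptions: `openssl` is on PATH; the throwaway EC CA written by `make_test_ca` stands in for `/etc/chirpstack/certs/ca.pem` and `ca-key.pem` (point `WORK` at a directory holding the real files and skip `make_test_ca` to issue a real certificate); `APP_ID` is a placeholder for the ChirpStack application ID; all file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is installed.
# WORK: directory holding ca.pem + ca-key.pem (a throwaway pair is created here).
# APP_ID: placeholder; use the ChirpStack application ID as the certificate CN.
set -eu

WORK="${WORK:-$(mktemp -d)}"
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"

# Print RSA, EC or UNKNOWN for a PEM private key. "openssl rsa" is the command
# the original post ran; on an EC key it fails with "Not an RSA key".
key_algorithm() {
  if openssl rsa -in "$1" -noout >/dev/null 2>&1; then
    echo RSA
  elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
    echo EC
  else
    echo UNKNOWN
  fi
}

# Throwaway EC CA standing in for the one under /etc/chirpstack/certs/.
# Not needed when WORK already contains the real ca.pem and ca-key.pem.
make_test_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca-key.pem"
  openssl req -x509 -new -key "$WORK/ca-key.pem" -days 1 \
    -subj "/CN=ChirpStack test CA" -out "$WORK/ca.pem"
}

# Issue an RSA client certificate whose CN is the application ID.
# Signing needs the CA certificate AND the CA key, both read from WORK.
issue_rsa_client_cert() {
  name="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
  # Same kind of profile EasyRSA's build-client-full produces: leaf, clientAuth.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$WORK/client.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Validation needs only the CA certificate (what Mosquitto and the bridge hold).
# Also confirm the certificate's public key belongs to the private key.
check_client_cert() {
  name="$1"
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$name.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/$name.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$name.key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# Subject CN of an issued certificate, to confirm it carries the application ID.
cert_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Demo: an EC key is refused by "openssl rsa"; the issued client key is RSA.
make_test_ca
echo "CA key algorithm:     $(key_algorithm "$WORK/ca-key.pem")"
issue_rsa_client_cert "$APP_ID"
echo "client key algorithm: $(key_algorithm "$WORK/$APP_ID.key")"
check_client_cert "$APP_ID"
echo "client certificate for CN=$(cert_cn "$APP_ID") verifies against ca.pem"
echo "give Thingsboard: $WORK/ca.pem $WORK/$APP_ID.crt $WORK/$APP_ID.key (never ca-key.pem)"
```

Only `ca.pem`, the client certificate and the client key go to the Thingsboard integration; `ca-key.pem` stays on the ChirpStack host, since anyone holding it can issue certificates for every application. `openssl genpkey` writes the key as PKCS#8 (`BEGIN PRIVATE KEY`); if a consumer insists on the traditional PKCS#1 form (`BEGIN RSA PRIVATE KEY`), `openssl rsa -in app.key -out app-pkcs1.key` rewrites it on OpenSSL 1.1.1, and OpenSSL 3 needs the additional `-traditional` flag.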

@brocaar Thingsboard pushed a fix for 3.6.1 (next release),

so hopefully my lengthy workaround won’t be needed anymore.

regards

1 Like
