So far I have been using a single NS and AS server for ChirpStack, communicating directly on their own gRPC ports. But for HA I want to set up a gRPC-capable load balancer on AWS for the network server.
Unfortunately AWS requires HTTPS encryption for any HTTP/2-based load balancing (so including gRPC), probably because browsers require it anyway, so they may as well (even if the HTTP/2 and gRPC standards don’t require it). So my question is how ChirpStack AS trusts the CA of the gRPC network server endpoint. In the network server setup in the AS UI, I can set a CA cert, TLS cert and TLS key. I don’t particularly want to use TLS client-side certificates if it’s not needed. I would be happy to only set up TLS certificates on the load balancer. That would only require the application server to trust the network server’s CA, without needing to specify its own certificates.
So is that possible, and if so, how is the CA trust determined? Is there an internal CA bundle that is used (from the major browser vendors?). Or does it use Linux’s internal trusted CA certificates from /etc/ssl? Or is it mandatory to specify the CA cert, and also make TLS client certificate and keys in ChirpStack if the network server is behind an HTTPS-enabled load balancer?