Upgrade 4.6 to 4.7, SSL Problem with MQTT Integration

Today i upgraded a Chirpstack Server (Debian based) from Chirpstack Version 4.6 to 4.7. The MQTT Integration is working with MQTT Mosquitto Broker in the same Subnet over SSL. Since the update I get the following error message when starting the Chirpstack server:

Configuring client with TLS certificate, ca_cert: /etc/chirpstack/certs/ca.pem, tls_cert: /etc/chirpstack/certs/mqtt-broker.pem, tls_key: /etc/chirpstack/certs/mqtt-broker-key.pem
chirpstack[4306]: Error: Setup MQTT integration
chirpstack[4306]: Caused by:
chirpstack[4306]:     No private key found
systemd[1]: chirpstack.service: Main process exited, code=exited, status=1/FAILURE

I could not see any breaking changes in the changelog for version 4.7, except the switch from openssl to rustls.

Does Anybody have the same/similar problems?

It seems that the private keys should be now in PKCS#8 format. As this commit from @brocaar suggests: e96e828

They can be converted with openssl like this:

openssl pkcs8 -in mykey.pem -topk8 -nocrypt -out mykey-pkcs8.pem
1 Like

To add some context to this, ChirpStack v4.7 migrated from OpenSSL to Rustls. The big advantage is that it is no longer needed to (cross)compile OpenSSL such that ChirpStack can be linked against it.

Unfortunately, Rustls is more restrictive in the certificate formats that it accept than OpenSSL. As far as I understand PKCS#8 is in general the preferred method. For RSA private-keys, there is an easy fix and ChirpStack will automatically do the conversion to PKCS#8:

Unfortunate for EC keys I haven’t found an easy solution yet, see also: sec1: Trait DecodeEcPrivateKey not implemented for EcPrivateKey · Issue #747 · RustCrypto/formats · GitHub

Contributions are welcome :slight_smile:

Thanks for the additional context and the explanations. I’m not very familiar with Rust, nor with PKCS#8 Key format. I’m a bit confused, because the failing key is a RSA key, generated with the tools from the chirpstack-certificates repository:

chirpstack-4:/etc/chirpstack/certs# file mqtt-broker-key.pem mqtt-broker-key.pem: PEM RSA private key

After conversion it is “just” ASCII Text:

chirpstack-4:/etc/chirpstack/certs# file mqtt-broker-key-pkcs8.pem mqtt-broker-key-pkcs8.pem: ASCII text

The RSA Key does not work, the “ASCII Text” does.

How does the first line of the private-key look like? E.g.


It is a RSA Private Key:

chirpstack-4:/etc/chirpstack/certs# cat mqtt-broker-key.pem 

The ASCII Text one:

chirpstack-4:/etc/chirpstack/certs# cat mqtt-broker-key-pkcs8.pem 

Ah, I see… The auto-conversion to PKCS#8 was not used for all the private-key reads, the commit below fixes this:

This should fix your issue.


Thanks for your fast reaction and the fix!