Using secure websockets with Basic Station

Hi,
I’m attempting to test a gateway against the latest Chirpstack server package via Semtech Basic Station.

My bridge configuration file:

# See https://www.chirpstack.io/gateway-bridge/install/config/ for a full
# configuration example and documentation.
# Gateway backend configuration.
[backend]

# Backend type.
#
# Valid options are:
#   * semtech_udp
#   * basic_station
type="basic_station"

  [backend.basic_station]

  # ip:port to bind the Websocket listener to.
  bind="172.31.40.150:3001"

  # TLS certificate and key files.
  #
  # When set, the websocket listener will use TLS to secure the connections
  # between the gateways and ChirpStack Gateway Bridge (optional).
  tls_cert="/etc/chirpstack-gateway-bridge/certs/server.crt"
  tls_key="/etc/chirpstack-gateway-bridge/certs/server.key"
  #tls_cert="/etc/chirpstack-gateway-bridge/certs/cert.pem"
  #tls_key="/etc/chirpstack-gateway-bridge/certs/privkey.pem"
  #tls_cert=""
  #tls_key=""

  # TLS CA certificate.
  #
  # When configured, ChirpStack Gateway Bridge will validate that the client
  # certificate of the gateway has been signed by this CA certificate.
  #ca_cert="/etc/chirpstack-gateway-bridge/certs/fullchain.pem"
  ca_cert="/etc/chirpstack-gateway-bridge/certs/ca.crt"
  #ca_cert="/etc/chirpstack-gateway-bridge/certs/fullchain.pem"
  #ca_cert=""

  # Ping interval.
  ping_interval="1m0s"

  # Read timeout.
  #
  # This interval must be greater than the configured ping interval.
  read_timeout="1m5s"

  # Write timeout.
  write_timeout="1s"

  # Region.
  #
  # Please refer to the LoRaWAN Regional Parameters specification
  # for the complete list of common region names.
  region="AU_915_928"

  # Minimal frequency (Hz).
  frequency_min=915000000

  # Maximum frequency (Hz).
  frequency_max=928000000

  # Concentrator configuration.
  #
  # This section contains the configuration for the SX1301 concentrator chips.
  # Example:
  [[backend.basic_station.concentrators]]

    # Multi-SF channel configuration.
    [backend.basic_station.concentrators.multi_sf]
    # 916.8, 917.0, 917.2, 917.4, 917.6, 917.8, 918.0, 918.2 - 917.5

    # Frequencies (Hz).
    frequencies=[
      916800000,
      917000000,
      917200000,
      917400000,
      917600000,
      917800000,
      918000000,
      918200000,
    ]

    # LoRa STD channel.
    [backend.basic_station.concentrators.lora_std]

    # Frequency (Hz).
    frequency=917500000

    # Bandwidth (Hz).
    bandwidth=500000

    # Spreading factor.
    spreading_factor=7

    # FSK channel.
    #[backend.basic_station.concentrators.fsk]

    # Frequency (Hz).
    #frequency=868800000

[integration.mqtt.auth.generic]
server="tcp://127.0.0.1:1883"
username="chirpstack_gw"
password="chirpstack_gw"

I have been able to get SBS working fine in unsecured mode - i.e.
tls_cert=""
tls_key=""
ca_cert=""

However, when I try to use certs, I get output like this (note the router_uri is Null)

gatewaybridge@ip-172-31-40-150:~$ /usr/bin/bridge --log-level 5
INFO[0000] starting ChirpStack Gateway Bridge docs="https://www.chirpstack.io/gateway-bridge/" version=3.6.0
INFO[0000] filters: NetID filter configured net_id=000000
INFO[0000] filters: JoinEUI range configured join_eui_from=0000000000000000 join_eui_to=ffffffffffffffff
INFO[0000] backend/basicstation: starting websocket listener bind="172.31.40.150:3001" ca_cert=/etc/chirpstack-gateway-bridge/certs/ca.crt tls_cert=/etc/chirpstack-gateway-bridge/certs/server.crt tls_key=/etc/chirpstack-gateway-bridge/certs/server.key
INFO[0000] integration/mqtt: connected to mqtt broker
2020/01/16 16:02:56 http: TLS handshake error from 12.219.245.220:59758: EOF
INFO[0012] backend/basicstation: router-info request received gateway_id=c0ee40fffe2963d1 remote_addr="12.219.245.220:59762" router_uri=

I originally tried using my Let’s Encrypt certs - copied to a directory and with permissions so the “gatewaybridge” user can access them.

This didn’t work - so as a last resort, I created a set of self-signed certs and tried those.
Same result - the router_uri is always null - which causes the SBS packet forwarder on the gateway to complain and restart.

Increasing the log level of the bridge didn’t help.

Note - since I couldn’t figure out how to keep the bridge from respawning after I killed it off, I copied it to /usr/bin/bridge and then chmod’d the original to -X to keep it from respawning automatically.

That allowed me to run the copy of the bridge binary manually.

Any help is appreciated.

thanks!

Jim

Are you sure the TLS configuration is correct? Is the BasicStation configured to use TLS?

Yes.

Here is the log for one attempt from my gateway:

Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.336 [any:INFO] cert. version     : 3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.464 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.465 [TCE:INFO] Connecting to INFOS: wss://[REDACTED]:3001
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: Killing process 12390
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.864 [SYS:INFO] Logging     : stderr (maxsize=10000000, rotate=3)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station Ver : 2.0.3(laird/std) 2020-01-09 23:47:13
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Package Ver : (null)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] proto EUI   : 0:c0ee:4029:63d1 (/sys/class/net/eth0/address)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] prefix EUI  : ::1      (builtin)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station EUI : c0ee:40ff:fe29:63d1
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station home: /opt/lora/basicstation/  (--home)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station temp: /var/tmp/        (builtin)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:WARN] Station in NO-CUPS mode
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.074 [TCE:INFO] Starting TC engine
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.080 [any:INFO] cert. version     : 3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.192 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.193 [TCE:INFO] Connecting to INFOS: wss://[REDACTED]:3001
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.219 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.671 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.672 [AIO:XDEB] [6] ws_connecting state=2
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.694 [AIO:XDEB] [6] ws_connecting state=3
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.695 [AIO:XDEB] [6] ws_connected_r state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.695 [AIO:XDEB] [6] ws_connected_w state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [AIO:XDEB] [6] ws_connected_r state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [TCE:ERRO] Muxs URI must be ws://.. or wss://..: 
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [AIO:DEBU] [6] ws_close reason=1000
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.718 [AIO:ERRO] Recv failed: SSL - The peer notified us that the connection is going to be closed
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.718 [AIO:DEBU] [6] WS connection shutdown...
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.719 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)

The same gateway works against The Things Network - albeit with different certs.

I’m assuming I have a cert config issue on Chirpstack - I tried both my Let’s Encrypt certs (as shown above) and I created some self-signed ones.

Neither worked.

I have just done some testing with the configuration below, which works fine using a Let’s Encrypt certificate:

chirpstack-gateway-bridge.toml:

[backend]
type="basic_station"

  [backend.basic_station]
  bind=":3001"
  tls_cert="/etc/letsencrypt/live/example.com/fullchain.pem"
  tls_key="/etc/letsencrypt/live/example.com/privkey.pem"
  ca_cert=""
  ping_interval="1m0s"
  read_timeout="1m5s"
  write_timeout="1s"
  region="EU868"
  frequency_min=863000000
  frequency_max=870000000

  [[backend.basic_station.concentrators]]
  
    # Multi-SF channel configuration.
    [backend.basic_station.concentrators.multi_sf]
 
    # Frequencies (Hz).
    frequencies=[
      868100000,
      868300000,
      868500000,
      867100000,
      867300000,
      867500000,
      867700000,
      867900000,
    ]
 
    # LoRa STD channel.
    [backend.basic_station.concentrators.lora_std]
 
    # Frequency (Hz).
    frequency=868300000
 
    # Bandwidth (Hz).
    bandwidth=250000
 
    # Spreading factor.
    spreading_factor=7
 
    # FSK channel.
    [backend.basic_station.concentrators.fsk]
 
    # Frequency (Hz).
    frequency=868800000

[integration]
marshaler="json"

  [integration.mqtt]
  event_topic_template="eu868/gateway/{{ .GatewayID }}/event/{{ .EventType }}"
  command_topic_template="eu868/gateway/{{ .GatewayID }}/command/#"

    [integration.mqtt.auth.generic]
    server="tcp://127.0.0.1:1883"

Simulator config

tc.uri:

wss://example.com:3001

tc.trust:


This comes from https://letsencrypt.org/certificates/, I took Let’s Encrypt Authority X3 (IdenTrust cross-signed).


With the above configuration the Basic Station (simulator) connects fine and I’m receiving data at the ChirpStack Gateway Bridge side :slight_smile:

INFO[0000] starting ChirpStack Gateway Bridge            docs="https://www.chirpstack.io/gateway-bridge/" version=3.6.0-10-gfaac69c
INFO[0000] backend/basicstation: starting websocket listener  bind="[::]:3001" ca_cert= tls_cert=/etc/letsencrypt/live/example.com/fullchain.pem tls_key=/etc/letsencrypt/live/example.com/privkey.pem
INFO[0000] integration/mqtt: connected to mqtt broker   
INFO[0000] backend/basicstation: gateway connected       gateway_id=0000000000000001 remote_addr="123.123.123.123:60070"
INFO[0000] integration/mqtt: subscribing to topic        qos=0 topic="eu868/gateway/0000000000000001/command/#"
INFO[0000] backend/basicstation: gateway version received  firmware= gateway_id=0000000000000001 model=linux package= protocol=2 station="2.0.3(linux/testsim)"
INFO[0000] backend/basicstation: router-config message sent to gateway  gateway_id=0000000000000001
INFO[0000] backend/basicstation: uplink frame received   gateway_id=0000000000000001 uplink_id=797bad06-368f-4897-92b6-ddd7c0128813
INFO[0000] integration/mqtt: publishing event            event=up qos=0 topic=eu868/gateway/0000000000000001/event/up uplink_id=797bad06-368f-4897-92b6-ddd7c0128813

Ah.
I was so close. The key was to use the cert you grabbed from Let’s Encrypt for use as the trust - AND to not fill in the ca_cert= in the server config.

I did have to adjust the permissions for the server Let’s Encrypt certs so the gatewaybridge user can read them - but it works!

Thanks!


Hi @brocaar,

Can I ask you why, when we specify the path of the CA in the gateway-bridge.toml, the Basic Station can’t connect? I know it’s just a self-signed certificate, but is there a way to let Basic Station check the CA of the bridge?

You specify this when you want to validate that the BasicStation client-certificate is signed by the configured CA certificate. Without this, any connection is accepted.
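To make the two trust directions in this thread concrete, here is an added Go example (not ChirpStack's code) that stages the handshake over loopback with constructed throwaway certificates: the gateway's RootCAs pool plays tc.trust, and the caCert flag plays ca_cert on the bridge, assumed here to mean "require and verify a client certificate", which is also why the working config above leaves ca_cert empty. The names selfSigned and handshake are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed cert for 127.0.0.1 (constructed test material).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// handshake runs one loopback TLS handshake and returns the bridge-side verdict: caCert =
// ca_cert on the bridge, trustServer = tc.trust on the gateway, withClientCert = gateway has a cert.
func handshake(caCert, trustServer, withClientCert bool) error {
	bridge, gateway := selfSigned("bridge"), selfSigned("gateway")
	srv := &tls.Config{Certificates: []tls.Certificate{bridge}}
	if caCert { // ca_cert set: only gateways whose cert chains to this CA get in
		srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, x509.NewCertPool()
		srv.ClientCAs.AddCert(gateway.Leaf)
	}
	cli := &tls.Config{RootCAs: x509.NewCertPool()} // empty pool: trusts nothing
	if trustServer { // tc.trust: the CA (here the bridge cert itself) the gateway accepts
		cli.RootCAs.AddCert(bridge.Leaf)
	}
	if withClientCert {
		cli.Certificates = []tls.Certificate{gateway}
	}
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // ephemeral loopback port
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // bridge side
		c, _ := ln.Accept()
		defer c.Close()
		verdict <- tls.Server(c, srv).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		defer conn.Close()
	}
	return <-verdict // a gateway-side refusal (bridge cert untrusted) surfaces here as an alert
}
```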

OK! Since we use the same CA to generate the certificate and key for the gateway bridge and Basic Station with chirpstack-certificates, why, when I define the path of the CA in the gateway-bridge.toml, can’t Basic Station connect to the bridge?