Using secure websockets with Basic Station

Hi,
I’m attempting to test a gateway against the latest Chirpstack server package via Semtech Basic Station.

My bridge configuration file:

# See https://www.chirpstack.io/gateway-bridge/install/config/ for a full
# configuration example and documentation.
# Gateway backend configuration.
[backend]

# Backend type.
#
# Valid options are:
#   * semtech_udp
#   * basic_station
type="basic_station"

  [backend.basic_station]

  # ip:port to bind the Websocket listener to.
  bind="172.31.40.150:3001"

  # TLS certificate and key files.
  #
  # When set, the websocket listener will use TLS to secure the connections
  # between the gateways and ChirpStack Gateway Bridge (optional).
  tls_cert="/etc/chirpstack-gateway-bridge/certs/server.crt"
  tls_key="/etc/chirpstack-gateway-bridge/certs/server.key"
  #tls_cert="/etc/chirpstack-gateway-bridge/certs/cert.pem"
  #tls_key="/etc/chirpstack-gateway-bridge/certs/privkey.pem"
  #tls_cert=""
  #tls_key=""

  # TLS CA certificate.
  #
  # When configured, ChirpStack Gateway Bridge will validate that the client
  # certificate of the gateway has been signed by this CA certificate.
  #ca_cert="/etc/chirpstack-gateway-bridge/certs/fullchain.pem"
  ca_cert="/etc/chirpstack-gateway-bridge/certs/ca.crt"
  #ca_cert="/etc/chirpstack-gateway-bridge/certs/fullchain.pem"
  #ca_cert=""

  # Ping interval.
  ping_interval="1m0s"

  # Read timeout.
  #
  # This interval must be greater than the configured ping interval.
  read_timeout="1m5s"

  # Write timeout.
  write_timeout="1s"

  # Region.
  #
  # Please refer to the LoRaWAN Regional Parameters specification
  # for the complete list of common region names.
  region="AU_915_928"

  # Minimal frequency (Hz).
  frequency_min=915000000

  # Maximum frequency (Hz).
  frequency_max=928000000

  # Concentrator configuration.

  # This section contains the configuration for the SX1301 concentrator chips.
  # Example:
  [[backend.basic_station.concentrators]]
  
     # Multi-SF channel configuration.
     [backend.basic_station.concentrators.multi_sf]
     # 916.8, 917.0, 917.2, 917.4,   917.6, 917.8, 918.0, 918.2 - 917.5  
     # Frequencies (Hz).
     frequencies=[
       916800000,
       917000000,
       917200000,
       917400000,
       917600000,
       917800000,
       918000000,
       918200000,
     ]
  
     # LoRa STD channel.
     [backend.basic_station.concentrators.lora_std]
  
     # Frequency (Hz).
     frequency=917500000
  
     # Bandwidth (Hz).
     bandwidth=500000
  
     # Spreading factor.
     spreading_factor=7
  
     # FSK channel.
    # [backend.basic_station.concentrators.fsk]
  
     # Frequency (Hz).
     #frequency=868800000
[integration.mqtt.auth.generic]
server="tcp://127.0.0.1:1883"
username="chirpstack_gw"
password="chirpstack_gw"

I have been able to get SBS working fine in unsecured mode - i.e.
tls_cert=""
tls_key=""
ca_cert=""

However, when I try to use certs, I get output like this (note the router_uri is Null)

gatewaybridge@ip-172-31-40-150:~$ /usr/bin/bridge --log-level 5
INFO[0000] starting ChirpStack Gateway Bridge docs="https://www.chirpstack.io/gateway-bridge/" version=3.6.0
INFO[0000] filters: NetID filter configured net_id=000000
INFO[0000] filters: JoinEUI range configured join_eui_from=0000000000000000 join_eui_to=ffffffffffffffff
INFO[0000] backend/basicstation: starting websocket listener bind="172.31.40.150:3001" ca_cert=/etc/chirpstack-gateway-bridge/certs/ca.crt tls_cert=/etc/chirpstack-gateway-bridge/certs/server.crt tls_key=/etc/chirpstack-gateway-bridge/certs/server.key
INFO[0000] integration/mqtt: connected to mqtt broker
2020/01/16 16:02:56 http: TLS handshake error from 12.219.245.220:59758: EOF
INFO[0012] backend/basicstation: router-info request received gateway_id=c0ee40fffe2963d1 remote_addr="12.219.245.220:59762" router_uri=

I originally tried using my Let's Encrypt certs, copied to a directory and with permissions so the "gatewaybridge" user can access them.

This didn't work, so as a last resort I created a set of self-signed certs and tried those.
Same result: the router_uri is always null, which causes the SBS packet forwarder on the gateway to complain and restart.

Increasing the log level of the bridge didn’t help.

Note - since I couldn’t figure out how to keep the bridge from respawning after I killed it off, I copied it to /usr/bin/bridge and then chmod’d the original to -X to keep it from respawning automatically.

That allowed me to run the copy of the bridge binary manually.

Any help is appreciated.

thanks!

Jim

Are you sure the TLS configuration is correct? Is the BasicStation configured to use TLS?

Yes.

Here is the log for one attempt from my gateway:

Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.336 [any:INFO] cert. version     : 3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.464 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:03 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:03.465 [TCE:INFO] Connecting to INFOS: wss://[REDACTED]:3001
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: Killing process 12390
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.864 [SYS:INFO] Logging     : stderr (maxsize=10000000, rotate=3)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station Ver : 2.0.3(laird/std) 2020-01-09 23:47:13
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Package Ver : (null)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] proto EUI   : 0:c0ee:4029:63d1 (/sys/class/net/eth0/address)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] prefix EUI  : ::1      (builtin)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station EUI : c0ee:40ff:fe29:63d1
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station home: /opt/lora/basicstation/  (--home)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:INFO] Station temp: /var/tmp/        (builtin)
Jan 16 11:13:06 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:06.865 [SYS:WARN] Station in NO-CUPS mode
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.074 [TCE:INFO] Starting TC engine
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.080 [any:INFO] cert. version     : 3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: serial number     : 04:5D:1F:98:F8:8E:DB:E5:B4:F3:53:23:48:74:A3:0A:DE:B7
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject name      : CN=[REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: issued  on        : 2020-01-15 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: expires on        : 2020-04-14 17:35:48
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: signed using      : RSA with SHA-256
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: RSA key size      : 2048 bits
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: basic constraints : CA=false
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: subject alt name  : [REDACTED]
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: key usage         : Digital Signature, Key Encip
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.192 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:07 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.193 [TCE:INFO] Connecting to INFOS: wss://[REDACTED]:3001
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:07.219 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.671 [AIO:XDEB] [6] ws_connecting state=1
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.672 [AIO:XDEB] [6] ws_connecting state=2
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.694 [AIO:XDEB] [6] ws_connecting state=3
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.695 [AIO:XDEB] [6] ws_connected_r state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.695 [AIO:XDEB] [6] ws_connected_w state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [AIO:XDEB] [6] ws_connected_r state=4
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [TCE:ERRO] Muxs URI must be ws://.. or wss://..: 
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.717 [AIO:DEBU] [6] ws_close reason=1000
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.718 [AIO:ERRO] Recv failed: SSL - The peer notified us that the connection is going to be closed
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.718 [AIO:DEBU] [6] WS connection shutdown...
Jan 16 11:13:08 RG1xx2963D1 user.notice lora: 2020-01-16 11:13:08.719 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)

The same gateway works against The Things Network, albeit with different certs.

I'm assuming I have a cert config issue on ChirpStack. I tried both my Let's Encrypt certs (as shown above) and some self-signed ones I created.

Neither worked.

I have just done some testing with the configuration below, which works fine using a Letsencrypt certificate:

chirpstack-gateway-bridge.toml:

[backend]
type="basic_station"

  [backend.basic_station]
  bind=":3001"
  tls_cert="/etc/letsencrypt/live/example.com/fullchain.pem"
  tls_key="/etc/letsencrypt/live/example.com/privkey.pem"
  ca_cert=""
  ping_interval="1m0s"
  read_timeout="1m5s"
  write_timeout="1s"
  region="EU868"
  frequency_min=863000000
  frequency_max=870000000

  [[backend.basic_station.concentrators]]
  
    # Multi-SF channel configuration.
    [backend.basic_station.concentrators.multi_sf]
 
    # Frequencies (Hz).
    frequencies=[
      868100000,
      868300000,
      868500000,
      867100000,
      867300000,
      867500000,
      867700000,
      867900000,
    ]
 
    # LoRa STD channel.
    [backend.basic_station.concentrators.lora_std]
 
    # Frequency (Hz).
    frequency=868300000
 
    # Bandwidth (Hz).
    bandwidth=250000
 
    # Spreading factor.
    spreading_factor=7
 
    # FSK channel.
    [backend.basic_station.concentrators.fsk]
 
    # Frequency (Hz).
    frequency=868800000

[integration]
marshaler="json"

  [integration.mqtt]
  event_topic_template="eu868/gateway/{{ .GatewayID }}/event/{{ .EventType }}"
  command_topic_template="eu868/gateway/{{ .GatewayID }}/command/#"

    [integration.mqtt.auth.generic]
    server="tcp://127.0.0.1:1883"

Simulator config

tc.uri:

wss://example.com:3001

tc.trust:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

This comes from https://letsencrypt.org/certificates/; I took Let's Encrypt Authority X3 (IdenTrust cross-signed).


With the above configuration the Basic Station (simulator) connects fine and I’m receiving data at the ChirpStack Gateway Bridge side :slight_smile:

INFO[0000] starting ChirpStack Gateway Bridge            docs="https://www.chirpstack.io/gateway-bridge/" version=3.6.0-10-gfaac69c
INFO[0000] backend/basicstation: starting websocket listener  bind="[::]:3001" ca_cert= tls_cert=/etc/letsencrypt/live/example.com/fullchain.pem tls_key=/etc/letsencrypt/live/example.com/privkey.pem
INFO[0000] integration/mqtt: connected to mqtt broker   
INFO[0000] backend/basicstation: gateway connected       gateway_id=0000000000000001 remote_addr="123.123.123.123:60070"
INFO[0000] integration/mqtt: subscribing to topic        qos=0 topic="eu868/gateway/0000000000000001/command/#"
INFO[0000] backend/basicstation: gateway version received  firmware= gateway_id=0000000000000001 model=linux package= protocol=2 station="2.0.3(linux/testsim)"
INFO[0000] backend/basicstation: router-config message sent to gateway  gateway_id=0000000000000001
INFO[0000] backend/basicstation: uplink frame received   gateway_id=0000000000000001 uplink_id=797bad06-368f-4897-92b6-ddd7c0128813
INFO[0000] integration/mqtt: publishing event            event=up qos=0 topic=eu868/gateway/0000000000000001/event/up uplink_id=797bad06-368f-4897-92b6-ddd7c0128813

Ah.
I was so close. The key was to use the cert you grabbed from Let's Encrypt as the trust, AND to not fill in ca_cert= in the server config.

I did have to adjust the permissions on the server's Let's Encrypt certs so the gatewaybridge user can read them, but it works!

Thanks!


Hi @brocaar,

Can I ask you why, when we specify the path of the CA in the gateway-bridge .toml, the Basic Station can't connect? I know it's just a self-signed certificate, but is there a way to let Basic Station check the CA of the bridge?

You specify this when you want to validate that the BasicStation client-certificate is signed by the configured CA certificate. Without this, any connection is accepted.

OK! Since we use the same CA to generate the certificate and key for the gateway bridge and Basic Station with chirpstack-certificates, why can't Basic Station connect to the bridge when I define the path of the CA in the gateway-bridge .toml?

@brocaar @Jim @jawad_didouh

How can I use the Let’s Encrypt ISRG Root X1 certificate for the basic station?

ssl - Adding a self-signed certificate to the "trusted list" - Unix & Linux Stack Exchange (letsencrypt.org)

@Jim I am trying to connect a MultiTech Conduit using Basic Station (US915). I have configured the gateway-bridge file but am still unable to see the join request from the end device. Can you please tell me what else needs to be changed? Please find the MultiTech logs in the link below.

@brocaar @jawad_didouh @Jim

I am getting the below error while configuring the SSL/TLS certificate in the basic-station

2021-02-08 11:35:23.958 [CUP:INFO] Connecting to CUPS-boot ... https://127.0.0.1:3001 (try #107)
2021-02-08 11:35:23.958 [AIO:ERRO] cups URI requires TLS but no trust configured
2021-02-08 11:35:23.958 [CUP:INFO] Interaction with CUPS failed - retrying in 1m
2021-02-08 11:35:55.045 [any:INFO] ./tc.trust:
cert. version     : 3
serial number     : 3C:42:12:02:01:D2:63:C3:1D:E6:50:FD:84:77:DF:F3:1C:CB:2F:9F
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-02-08 09:57:00
expires on        : 2026-02-07 09:57:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-02-08 11:35:55.154 [any:INFO] ./tc.crt:
cert. version     : 3
serial number     : 69:F9:D2:19:E7:26:35:B0:A0:E6:92:5B:18:8F:A8:8A:C9:88:08:91
issuer name       : CN=ChirpStack CA
subject name      : CN=0011223344556677
issued  on        : 2021-02-08 09:57:00
expires on        : 2022-02-08 09:57:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  :
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Clien2021-02-08 11:35:55.154 [AIO:INFO]
2021-02-08 11:35:55.156 [TCE:INFO] Connecting to INFOS: wss://https://127.0.0.1:3001
2021-02-08 11:35:55.180 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-02-08 11:35:55.180 [AIO:DEBU] [4] WS connection shutdown...
2021-02-08 11:35:55.194 [TCE:INFO] INFOS reconnect backoff 60s (retry 7)

I have generated the SSL certificates using chirpstack-certificates.

chirpstack-gateway-bridge configuration

# TLS certificate and key files.
#
# When set, the websocket listener will use TLS to secure the connections
# between the gateways and ChirpStack Gateway Bridge (optional).
tls_cert = "cert/basicstation-server.pem"
tls_key = "cert/basicstation-server-key.pem"

# TLS CA certificate.
#
# When configured, ChirpStack Gateway Bridge will validate that the client
# certificate of the gateway has been signed by this CA certificate.
ca_cert = "cert/ca.pem"

The client certificate contains this as CA:

issuer name       : CN=ChirpStack CA
subject name      : CN=0011223344556677

But it looks like BasicStation uses a different Gateway ID than 0011223344556677, so the connection is rejected as the CN does not match the real Gateway ID.

I got the same error: "TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN".

So generating the gateway certificate works; in chirpstack-network-server.toml:
[network_server.gateway]
ca_cert="/home/foobar/src/chirpstack-certificates/certs/ca/ca.pem"
ca_key="/home/foobar/src/chirpstack-certificates/certs/ca/ca-key.pem"

in chirpstack-gateway-bridge.toml:
[backend.basic_station]
bind=":3001"
tls_cert="/home/foobar/src/chirpstack-certificates/certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server.pem"
tls_key="/home/foobar/src/chirpstack-certificates/certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server-key.pem"
ca_cert=""

$ openssl x509  -text -noout -in /home/foobar/src/chirpstack-certificates/certs/ca/ca.pem |grep CN
        Issuer: CN = ChirpStack CA
        Subject: CN = ChirpStack CA

$ openssl x509  -text -noout -in /home/foobar/src/chirpstack-certificates/certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server.pem |grep CN
        Issuer: CN = ChirpStack CA
        Subject: CN = chirpstack-gateway-bridge

on gateway (with basic station):

2021-02-18 18:30:39.218 [SYS:INFO] Logging     : stderr (maxsize=10000000, rotate=3)
2021-02-18 18:30:39.218 [SYS:INFO] Station Ver : 2.0.5(rpi/std) 2021-02-12 16:48:30
2021-02-18 18:30:39.219 [SYS:INFO] Package Ver : (null)
2021-02-18 18:30:39.219 [SYS:INFO] proto EUI   : 0:b827:eb3b:ba56       (/sys/class/net/eth0/address)   
2021-02-18 18:30:39.219 [SYS:INFO] prefix EUI  : ::1    (builtin)
2021-02-18 18:30:39.219 [SYS:INFO] Station EUI : b827:ebff:fe3b:ba56
2021-02-18 18:30:39.219 [SYS:INFO] Station home: ./     (builtin)
2021-02-18 18:30:39.219 [SYS:INFO] Station temp: /var/tmp/      (builtin)
2021-02-18 18:30:39.219 [SYS:WARN] Station in NO-CUPS mode
2021-02-18 18:30:39.421 [TCE:INFO] Starting TC engine
2021-02-18 18:30:39.423 [any:INFO] ./tc.trust:
cert. version     : 3
serial number     : 28:1C:CB:97:F6:AB:CB:A3:6D:1E:FA:FD:E1:0F:C3:28:3D:BE:A7:F5
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-02-17 22:50:00
expires on        : 2026-02-16 22:50:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-02-18 18:30:39.475 [any:INFO] ./tc.crt:
cert. version     : 3
serial number     : 9A:01:B1:DE:F5:71:54:EA:B5:D0:5C:EC:1D:5E:B2:34
issuer name       : CN=ChirpStack CA
subject name      : CN=b827ebfffe3bba56
issued  on        : 2021-02-18 01:52:06
expires on        : 2022-02-18 01:52:06
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature
ext key usage     : TLS Web Client Authentication
2021-02-18 18:30:39.475 [AIO:INFO]
2021-02-18 18:30:39.477 [TCE:INFO] Connecting to INFOS: wss://192.168.1.141:3001
2021-02-18 18:30:39.524 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-02-18 18:30:39.524 [AIO:DEBU] [3] WS connection shutdown...
2021-02-18 18:30:39.525 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)
2021-02-18 18:30:39.525 [any:INFO] ./tc.trust:
cert. version     : 3
serial number     : 28:1C:CB:97:F6:AB:CB:A3:6D:1E:FA:FD:E1:0F:C3:28:3D:BE:A7:F5
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-02-17 22:50:00
expires on        : 2026-02-16 22:50:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-02-18 18:30:39.578 [any:INFO] ./tc.crt:
cert. version     : 3
serial number     : 9A:01:B1:DE:F5:71:54:EA:B5:D0:5C:EC:1D:5E:B2:34
issuer name       : CN=ChirpStack CA
subject name      : CN=b827ebfffe3bba56
issued  on        : 2021-02-18 01:52:06
expires on        : 2022-02-18 01:52:06
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature
ext key usage     : TLS Web Client Authentication
2021-02-18 18:30:39.578 [AIO:INFO]
2021-02-18 18:30:39.579 [TCE:INFO] Connecting to INFOS: wss://192.168.1.141:3001
2021-02-18 18:30:39.631 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-02-18 18:30:39.631 [AIO:DEBU] [3] WS connection shutdown...
2021-02-18 18:30:39.631 [TCE:INFO] INFOS reconnect backoff 10s (retry 1)

chirpstack gateway bridge logs:
Feb 18 10:08:56 bazquux chirpstack-gateway-bridge[426039]: time="2021-02-18T10:08:56-08:00" level=info msg="starting ChirpStack Gateway Bridge" docs="https://www.chirpstack.io/gateway-bridge/" version=3.10.0
Feb 18 10:08:56 bazquux chirpstack-gateway-bridge[426039]: time="2021-02-18T10:08:56-08:00" level=info msg="integration/mqtt: connected to mqtt broker"
Feb 18 10:08:56 bazquux chirpstack-gateway-bridge[426039]: time="2021-02-18T10:08:56-08:00" level=warning msg="[store] memorystore wiped" module=mqtt
Feb 18 10:08:56 bazquux chirpstack-gateway-bridge[426039]: time="2021-02-18T10:08:56-08:00" level=info msg="backend/basicstation: starting websocket listener" bind="[::]:3001" ca_cert= tls_cert=/home/foobar/src/chirpstack-certificates/certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server.pem tls_key=/home/foobar/src/chirpstack-certificates/certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server-key.pem
Feb 18 10:14:21 bazquux chirpstack-gateway-bridge[426039]: 2021/02/18 10:14:21 http: TLS handshake error from 192.168.1.242:34588: remote error: tls: bad certificate
Feb 18 10:14:21 bazquux chirpstack-gateway-bridge[426039]: 2021/02/18 10:14:21 http: TLS handshake error from 192.168.1.242:34590: remote error: tls: bad certificate
Feb 18 10:30:39 bazquux chirpstack-gateway-bridge[426039]: 2021/02/18 10:30:39 http: TLS handshake error from 192.168.1.242:34592: remote error: tls: bad certificate
Feb 18 10:30:39 bazquux chirpstack-gateway-bridge[426039]: 2021/02/18 10:30:39 http: TLS handshake error from 192.168.1.242:34594: remote error: tls: bad certificate

Some tips (MultiTech + Basic Station):

  1. Generate certificates with https://github.com/brocaar/chirpstack-certificates

  2. Remember to add your host to the "hosts" key in config/chirpstack-gateway-bridge/basicstation/server/certificate.json. It should match your LNS URI host.

  3. chirpstack-gateway-bridge.toml:

    tls_cert="/etc/lora-certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server.pem"
    tls_key="/etc/lora-certs/chirpstack-gateway-bridge/basicstation/server/basicstation-server-key.pem"
    ca_cert="/etc/lora-certs/ca/ca.pem"

  4. chirpstack-network-server.toml

    ca_cert="/etc/lora-certs/ca/ca.pem"
    ca_key="/etc/lora-certs/ca/ca-key.pem"

  5. Set TC_TIMEOUT to 360s in the MultiTech Basic Station settings (360s is the TTN default; the MultiTech default is 2s).

  6. Copy the server cert, gateway cert and gateway key from the ChirpStack UI to your MultiTech Basic Station settings. chirpstack-network-server must be configured with your CA cert and key!

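The two checks behind the errors quoted in this thread are worth seeing side by side: Basic Station rejecting the bridge's certificate because the host in tc.uri matches neither its SAN nor its CN (brocaar's post above and tip 2 about the "hosts" key), and the bridge rejecting a gateway certificate that does not chain to ca_cert (brocaar's earlier reply that ca_cert enables client-certificate validation). The Go program below is an added example, not ChirpStack or Basic Station code; it uses Go's crypto/x509, the library the gateway bridge itself is built on, to mint an in-memory CA, a bridge certificate issued the way the thread shows (CN only, no SAN), the corrected one with the LNS host in its SAN, and a gateway client certificate, then runs both checks. The host, EUI and names are constructed values copied from the posts. One assumption is labelled in the code: Go's VerifyHostname ignores the CN entirely, whereas mbedTLS (used by Basic Station) falls back to the CN only when the certificate has no SAN, so CheckServerCert adds that fallback by hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// LNSHost returns the host the station compares the server certificate against,
// taken from tc.uri. The nested scheme seen in the thread
// ("wss://https://127.0.0.1:3001") parses as host "https" plus a path and is rejected.
func LNSHost(tcURI string) (string, error) {
	u, err := url.Parse(tcURI)
	if err != nil {
		return "", err
	}
	if u.Scheme != "ws" && u.Scheme != "wss" {
		return "", fmt.Errorf("tc.uri must be ws:// or wss://, got %q", tcURI)
	}
	if u.Path != "" || u.Hostname() == "" {
		return "", fmt.Errorf("tc.uri %q is not scheme://host:port (nested scheme?)", tcURI)
	}
	return u.Hostname(), nil
}

// CheckServerCert mirrors the station-side name check. Go's VerifyHostname only
// consults the SAN; mbedTLS falls back to the CN when there is no SAN at all
// (assumption about mbedTLS behaviour), so that case is accepted here as well.
func CheckServerCert(cert *x509.Certificate, host string) error {
	if cert.VerifyHostname(host) == nil {
		return nil
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 && cert.Subject.CommonName == host {
		return nil
	}
	return fmt.Errorf("host %q matches neither SAN (DNS=%v IP=%v) nor CN=%q",
		host, cert.DNSNames, cert.IPAddresses, cert.Subject.CommonName)
}

// CheckClientCert mirrors what the bridge does when ca_cert is set: the gateway
// certificate must chain to that CA and be valid for TLS client authentication.
func CheckClientCert(client, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// mint signs tmpl with parentKey; a nil parent yields a self-signed CA.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a leaf template; a nil eku leaves extended key usage unrestricted (used for CAs).
func template(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	t := template(cn, serial, nil)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return t
}

// Scenario is the constructed PKI: the CA, a bridge cert with CN only (as in the
// thread), the corrected one with the LNS host in its SAN, a gateway client cert,
// and an unrelated CA to show what ca_cert rejects.
type Scenario struct {
	CA, ServerNoSAN, ServerWithSAN, Client, OtherCA *x509.Certificate
}

func BuildScenario(lnsHost, gatewayEUI string) (s *Scenario, err error) {
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, e error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	ca, caKey := must(mint(caTemplate("ChirpStack CA", 1), nil, nil))
	srv := template("chirpstack-gateway-bridge", 2, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	noSAN, _ := must(mint(srv, ca, caKey))
	// The fix from tip 2: put the LNS host into the SAN ("hosts" in certificate.json),
	// as an IP or a DNS name depending on what tc.uri uses.
	srv.SerialNumber = big.NewInt(3)
	if ip := net.ParseIP(lnsHost); ip != nil {
		srv.IPAddresses = []net.IP{ip}
	} else {
		srv.DNSNames = []string{lnsHost}
	}
	withSAN, _ := must(mint(srv, ca, caKey))
	client, _ := must(mint(template(gatewayEUI, 4, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, caKey))
	other, _ := must(mint(caTemplate("Other CA", 5), nil, nil))
	if err != nil {
		return nil, err
	}
	return &Scenario{ca, noSAN, withSAN, client, other}, nil
}

func main() {
	host, err := LNSHost("wss://192.168.1.141:3001")
	if err != nil {
		panic(err)
	}
	s, err := BuildScenario(host, "b827ebfffe3bba56")
	if err != nil {
		panic(err)
	}
	fmt.Println("CN-only server cert:", CheckServerCert(s.ServerNoSAN, host))
	fmt.Println("SAN server cert:", CheckServerCert(s.ServerWithSAN, host))
	fmt.Println("client vs ca_cert:", CheckClientCert(s.Client, s.CA))
	fmt.Println("client vs other CA:", CheckClientCert(s.Client, s.OtherCA))
	_, err = LNSHost("wss://https://127.0.0.1:3001")
	fmt.Println("nested-scheme tc.uri:", err)
}
```

Run it with `go run` and the first line shows the mismatch from the thread (host 192.168.1.141 against CN=chirpstack-gateway-bridge with no SAN), the second `<nil>` once the host is in the SAN, and the last two lines show that a gateway certificate is accepted only against the CA that issued it, which is exactly the difference between `ca_cert=""` (any client accepted) and `ca_cert="/path/to/ca.pem"` (client certificate required and checked).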

I'm not sure which CN is mismatching which CN, but it appears to be simple to put chirpstack-gateway-bridge on the same machine that is running basic-station. In other words, run the bridge on the gateway, and just use an unencrypted websocket between basic-station and the bridge, because it's over localhost.

Apparently the requirement for an encrypted connection between chirpstack-gateway-bridge and chirpstack-network-server is to make ca_cert, tls_cert and tls_key use the same files for [network_server.gateway.backend.mqtt] in chirpstack-network-server.toml as are used for [integration.mqtt.auth.generic] in chirpstack-gateway-bridge.toml:

ca_cert="chirpstack-certificates/certs/ca/ca.pem"
tls_cert="chirpstack-certificates/certs/mqtt/server/mqtt-server.pem"
tls_key="chirpstack-certificates/certs/mqtt/server/mqtt-server-key.pem"

But the first step, before generating those files, is to set the hosts in chirpstack-certificates/config/mqtt/server/certificate.json to the IP address or hostname that chirpstack-network-server runs on.

Alternatively, it would still be useful to know which CN is mismatched when basic-station can't connect to the bridge, since there are probably cases where the bridge can't run on the gateway. It's probably an mbedTLS thing.