# Mosquitto TLS Setup

Ref:

You generate a certificate authority which has the following purposes:

- Generate a Mosquitto server certificate so gateways can connect to it via TLS
- Generate client certificates for gateways so they can prove their identity to the Mosquitto server

When you create the CA, three files are generated:

- `ca.csr`
- `ca.pem`
- `ca-key.pem`

Then when you create the MQTT cert, three more files are generated:

- `mqtt-server.csr`
- `mqtt-server.pem`
- `mqtt-server-key.pem`

Then you add the CA (with its key) to the ChirpStack config. Make sure to change ownership to `chirpstack` when copying certs to `/etc/chirpstack/certs`.

Then create a folder for MQTT cert and copy files. Set ownership and permission on the key:

```sh
chown root:mosquitto /etc/mosquitto/certs/mqtt-server-key.pem
chmod 640 /etc/mosquitto/certs/mqtt-server-key.pem
```

Once set up, you can create a Gateway in ChirpStack and generate a TLS certificate. It is only shown after being created; clicking the TLS tab again later will not show the cert but will let you generate a new one. Certs don't seem to be stored anywhere.

Don't forget to allow `8883` in the firewall.

## Gateway Bridge Config

Create `/etc/chirpstack-gateway-bridge/certs` folder and copy certs in. Make everything owned by `gatewaybridge`. Set permission to `640`.

Modify the config, ref:

Don't forget to change `tcp` to `ssl` in the server list.

Check `journalctl` on both the bridge and Mosquitto to see that the connection is established.

Be sure to set the Gateway ID in both the `chirpstack-gateway-bridge` and `packet-forwarder` configs (though this doesn't seem to matter? Need to experiment). Also be sure the UDP port matches between the two.

## Troubleshooting

Install `mosquitto-clients` on the Gateway.

Send a message to the `test` topic:

```sh
mosquitto_pub \
  -h chirpstack.roeber.dev \
  -p 8883 \
  --cafile /etc/chirpstack-gateway-bridge/certs/ca.crt \
  --cert /etc/chirpstack-gateway-bridge/certs/cert.crt \
  --key /etc/chirpstack-gateway-bridge/certs/cert.key \
  -t "test" \
  -d \
  -m "hello"
```
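
If the connection fails, it helps to rule out file problems first. The script below is an added example, not part of the original notes or of ChirpStack or Mosquitto: it checks that a private key is mode `640` or stricter, that a certificate and key belong together, and that the certificate chains to the CA. The function names and the `preflight.sh` file name are hypothetical; it assumes Linux `stat -c` and the `openssl` CLI.

```sh
#!/bin/sh
# Added example: preflight checks for the TLS files copied in these notes.
# Function names are hypothetical. Assumes Linux `stat -c` and the openssl CLI.

# key_mode_ok KEY: true only if KEY exists and its mode is 640 or stricter
# (no group write/execute, nothing at all for "other").
key_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    # 0137 masks owner-execute, group write/execute and every "other" bit.
    [ $(( 0$mode & 0137 )) -eq 0 ]
}

# cert_matches_key CERT KEY: true only if CERT carries KEY's public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_ok CA CERT: true only if CERT verifies against the CA file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight CA CERT KEY: run all three checks and report each failure.
preflight() {
    rc=0
    key_mode_ok "$3" || { echo "FAIL: $3 is missing or looser than 640" >&2; rc=1; }
    cert_matches_key "$2" "$3" || { echo "FAIL: $2 and $3 are not a pair" >&2; rc=1; }
    chain_ok "$1" "$2" || { echo "FAIL: $2 does not chain to $1" >&2; rc=1; }
    return "$rc"
}

# Runs only when called with CA, CERT and KEY paths, e.g. on the gateway:
#   sh preflight.sh /etc/chirpstack-gateway-bridge/certs/ca.crt \
#      /etc/chirpstack-gateway-bridge/certs/cert.crt \
#      /etc/chirpstack-gateway-bridge/certs/cert.key
[ "$#" -ne 3 ] || preflight "$@"
```

Run it as a user that can read the key (for example `root`), otherwise the pair check fails for permission reasons rather than a mismatch.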