jon/chirpstack-tutorial
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
chirpstack-tutorial/doc/0-chirpstack/2-mosquitto-tls.md

66 lines
2.2 KiB
Markdown
Raw Blame History

# Mosquitto TLS Setup
Ref: <https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html>
You generate a certificate authority which has the following purposes:
- Generate a Mosquitto server certificate so gateways can connect to it via TLS
- Generate client certificates for gateways so they can prove their identity to the Mosquitto server
When you create the CA, three files are generated:
- `ca.csr`
- `ca.pem`
- `ca-key.pem`
Then when you create the MQTT cert, three more files are generated:
- `mqtt-server.csr`
- `mqtt-server.pem`
- `mqtt-server-key.pem`
Then you add the CA (with its key) to the ChirpStack config. Make sure to change ownership to `chirpstack` when copying certs to `/etc/chirpstack/certs`.
Then create a folder for MQTT cert and copy files.
Set ownership and permission on the key:
```sh
chown root:mosquitto /etc/mosquitto/certs/mqtt-server-key.pem
chmod 640 /etc/mosquitto/certs/mqtt-server-key.pem
```
Once set up, you can create a Gateway in ChirpStack and generate a TLS certificate. It is only shown after being created; clicking the TLS tab again later will not show the cert but will let you generate a new one. Certs don't seem to be stored anywhere.
Don't forget to allow `8883` in the firewall.
## Gateway Bridge Config
Create `/etc/chirpstack-gateway-bridge/certs` folder and copy certs in. Make everything owned by `gatewaybridge`. Set permission to `640`.
Modify the config, ref: <https://www.chirpstack.io/docs/chirpstack-gateway-bridge/configuration.html>
Don't forget to change `tcp` to `ssl` in the server list.
Check `journalctl` on both the bridge and Mosquitto to see that the connection is established.
Be sure to set the Gateway ID in both the `chirpstack-gateway-bridge` and `packet-forwarder` configs (though this doesn't seem to matter? Need to experiment). Also be sure the UDP port matches between the two.
## Troubleshooting
Install `mosquitto-clients` on the Gateway.
Send a message to the `test` topic:
```sh
mosquitto_pub \
-h chirpstack.roeber.dev \
-p 8883 \
--cafile /etc/chirpstack-gateway-bridge/certs/ca.crt \
--cert /etc/chirpstack-gateway-bridge/certs/cert.crt \
--key /etc/chirpstack-gateway-bridge/certs/cert.key \
-t "test" \
-d \
-m "hello"
```
Reference in New Issue View Git Blame Copy Permalink