Mosquitto TLS Setup
Ref: https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html
You generate a certificate authority which has the following purposes:
- Generate a Mosquitto server certificate so gateways can connect to it via TLS
- Generate client certificates for gateways so they can prove their identity to the Mosquitto server
When you create the CA, three files are generated:
- ca.csr
- ca.pem
- ca-key.pem
Then when you create the MQTT server cert, three more files are generated:
- mqtt-server.csr
- mqtt-server.pem
- mqtt-server-key.pem
Then add the CA certificate and its key to the ChirpStack config (`ca_cert` and `ca_key` under `[gateway]`); ChirpStack uses the key to sign the per-gateway client certs. When copying the files to `/etc/chirpstack/certs`, change ownership to the `chirpstack` user and keep the CA key readable only by that user: anyone who can read `ca-key.pem` can mint gateway certificates that Mosquitto will trust.
Then create `/etc/mosquitto/certs` for the MQTT server cert and copy the files in.
Set ownership and permission on the key so only root and the `mosquitto` group can read it:
chown root:mosquitto /etc/mosquitto/certs/mqtt-server-key.pem
chmod 640 /etc/mosquitto/certs/mqtt-server-key.pem
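For reference, here is the Mosquitto listener that goes with those files. This is an added example, not a config from the ChirpStack guide or this page's setup; the paths assume `/etc/mosquitto/certs` as above, and the `use_identity_as_username` line relies on ChirpStack putting the gateway ID in the client certificate's CN.

```conf
# Added example: TLS + mutual-auth listener for gateways on 8883.
# Paths assume the /etc/mosquitto/certs layout used in these notes.
listener 8883
cafile /etc/mosquitto/certs/ca.pem
certfile /etc/mosquitto/certs/mqtt-server.pem
keyfile /etc/mosquitto/certs/mqtt-server-key.pem

# Every client on this listener must present a certificate signed by the CA
# above; a gateway without one is rejected during the TLS handshake.
require_certificate true

# The certificate CN (the gateway ID for ChirpStack-issued certs) becomes the
# MQTT username, so an acl_file can pin each gateway to its own topics.
use_identity_as_username true
allow_anonymous false
```

Note that anything else that connects through this listener, ChirpStack itself included, must also present a certificate from the same CA; if ChirpStack runs on the broker host, the usual alternative is to keep a separate `listener 1883 127.0.0.1` for it.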
Once set up, you can create a Gateway in ChirpStack and generate a TLS certificate for it. The certificate and key are only shown right after generation; opening the TLS tab again later will not show them, only offer to generate a new pair. ChirpStack does not seem to store the issued certificates, so download them immediately and keep the key on the gateway only. There is also no revocation step in this setup, so a previously issued certificate stays usable until it expires.
Don't forget to allow `8883` in the firewall.
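Before restarting Mosquitto it is worth checking that the three files actually belong together. The script below is an added example, not part of the ChirpStack guide or these notes: it verifies that the server cert chains to the CA, that the private key matches the cert, and that the key's mode is as tight as the `chmod 640` above. The default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: sanity-check the Mosquitto server certificate install.
# Usage: sh check-mqtt-certs.sh CA_PEM SERVER_PEM SERVER_KEY

# Return 0 if SERVER_PEM was signed by CA_PEM and SERVER_KEY is its private key.
check_server_cert() {
    ca="$1"; cert="$2"; key="$3"
    # 1. The CA must be the issuer of the server cert (full chain validation).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not chain to $ca" >&2
        return 1
    fi
    # 2. The key must belong to the cert: compare the SubjectPublicKeyInfo
    #    embedded in the cert with the public half derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2
        return 1
    fi
    return 0
}

# Return 0 if the key is not readable by "other". Group read is allowed because
# the notes above give the key to root:mosquitto with mode 640.
check_key_perms() {
    key="$1"
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|440|600|640) return 0 ;;
        *)
            echo "$key has mode $mode; expected 640 (root:mosquitto)" >&2
            return 1 ;;
    esac
}

# Run the checks only when all three paths were given on the command line.
if [ $# -eq 3 ]; then
    check_server_cert "$1" "$2" "$3" && check_key_perms "$3" && echo "certs OK"
fi
```

Run it as `sh check-mqtt-certs.sh /etc/mosquitto/certs/ca.pem /etc/mosquitto/certs/mqtt-server.pem /etc/mosquitto/certs/mqtt-server-key.pem`; a non-zero exit with the reason on stderr is what you want to see before Mosquitto tells you the same thing in journalctl.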
Gateway Bridge Config
Create the `/etc/chirpstack-gateway-bridge/certs` folder and copy the certs downloaded from ChirpStack into it. Make everything owned by `gatewaybridge` and set the permissions to `640`.
Modify the config, ref: https://www.chirpstack.io/docs/chirpstack-gateway-bridge/configuration.html
Don't forget to change `tcp` to `ssl` in the server list; with `tcp://` the bridge will try a plaintext connection to the TLS listener and the handshake will fail.
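The relevant parts of the bridge config, as an added example rather than the project's shipped file: the host name and cert paths are the ones used in the troubleshooting section of these notes, and the `udp_bind` port is assumed to be the default 1700.

```toml
# Added example: the sections of
# /etc/chirpstack-gateway-bridge/chirpstack-gateway-bridge.toml this setup touches.
[backend]
type="semtech_udp"

  [backend.semtech_udp]
  # Must match serv_port_up / serv_port_down in the packet forwarder config.
  udp_bind="0.0.0.0:1700"

[integration.mqtt.auth]
type="generic"

  [integration.mqtt.auth.generic]
  # ssl://, not tcp://, so the bridge negotiates TLS with the 8883 listener.
  servers=["ssl://chirpstack.roeber.dev:8883"]
  # CA that signed the Mosquitto server cert, plus the gateway's own cert/key
  # as downloaded from the ChirpStack UI (assumed file names).
  ca_cert="/etc/chirpstack-gateway-bridge/certs/ca.crt"
  tls_cert="/etc/chirpstack-gateway-bridge/certs/cert.crt"
  tls_key="/etc/chirpstack-gateway-bridge/certs/cert.key"
```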
Check `journalctl` on both the bridge and Mosquitto to see that the connection is established.
Be sure to set the Gateway ID in both the `chirpstack-gateway-bridge` and `packet-forwarder` configs (though this doesn't seem to matter? Need to experiment). Also be sure the UDP port matches between the two.
Troubleshooting
Install `mosquitto-clients` on the Gateway.
Send a message to the `test` topic using the gateway's own certificate (with `-d` the client prints the CONNACK it receives, so a TLS or authentication failure shows up immediately):
mosquitto_pub \
-h chirpstack.roeber.dev \
-p 8883 \
--cafile /etc/chirpstack-gateway-bridge/certs/ca.crt \
--cert /etc/chirpstack-gateway-bridge/certs/cert.crt \
--key /etc/chirpstack-gateway-bridge/certs/cert.key \
-t "test" \
-d \
-m "hello"