Deploy Chirpstack V3 with certificate

Prerequisites: download the docker-compose bundle

The bundle exceeds the attachment size limit for this post; contact the author through the site if you need it.

1. docker-compose.yml configuration explained

mosquitto:
  image: eclipse-mosquitto:latest      # "latest" pulls whatever is current; pin a version tag for reproducible deployments
  restart: unless-stopped
  volumes:
    - ./config/certs:/etc/certs        # host path (relative to the compose file):container path
    - ./config/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
  ports:
    - 7883:8883                        # host port:container port
  networks:
    private_net:
      ipv4_address: 192.168.68.146     # static address on the compose-managed network

The other services (network server, application server, gateway bridge) mount ./config/certs the same way, which is why the TOML files in section 3 refer to /etc/certs/... rather than to a host path.

Two things the compose fragment does not show: mosquitto.conf (mounted on the second volume line, contents not included in this post) is where the broker is told to listen on 8883 with cafile, certfile and keyfile pointing at /etc/certs/ca.crt, server.crt and server.key, and it needs require_certificate true if the client certificates generated below are to be enforced rather than merely accepted. And 7883:8883 without a host address prefix binds the listener on every host interface, so on a cloud host the TLS configuration is the only thing between the internet and the broker.

2. Generate the CA, server and client certificates

  • 2.1 Create a folder for the certificates: /opt/chirpstack3_us915/config/certs
  • 2.2 cd /opt/chirpstack3_us915/config/certs. The path matters: it is the host side of the ./config/certs:/etc/certs volume in docker-compose.yml, so files created here appear as /etc/certs/... inside the containers.
  • 2.3 Create a file v3.ext with the following content and fill in your server IP. The DNS.x entries are the author's own hostnames; replace them with the names your clients will actually use, or drop them if everything connects by IP. An IP address must go in an IP entry, not a DNS entry: clients match the address in ssl://<your server ip>:7883 against the IP SANs only, so an IP written as a DNS name never matches.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = xianlab
DNS.2 = xianlab.local
DNS.3 = xianlab.local.core-mosquitto
DNS.4 = xianlab.core-mosquitto
DNS.5 = duckdns.org
DNS.6 = xianlab.duckdns.org
IP.1 = <your server ip>
  • 2.4 Generate the CA private key. The passphrase has no format requirement; it is asked for again every time a certificate is signed (2.8 and 2.11), so pick one you can remember. Anyone holding ca.key and this passphrase can issue certificates that the broker and every ChirpStack component will trust, so use something stronger than the 123456 of the transcript (openssl does not echo the passphrase; the value was typed into the transcript for illustration) and note that ./config/certs, ca.key included, is mounted into every container, while the broker only needs ca.crt, server.crt and server.key and the clients only ca.crt, client.crt and client.key. -aes256 is the modern choice for encrypting the key; -des3 still works.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
........................................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:123456
Verifying - Enter pass phrase for ca.key:123456
  • 2.5 Create the self-signed CA certificate, valid for 1826 days (five years). The DN fields are free-form, but the CA's Common Name must differ from the server's and client's, otherwise chain building can fail.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:shaanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
Organizational Unit Name (eg, section) []:aaa
Common Name (e.g. server FQDN or YOUR name) []:ca
Email Address []:ca@wirelss.com
  • 2.6 Generate the server private key (no passphrase, because the broker has to load it unattended)
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
.+++++
e is 65537 (0x010001)
  • 2.7 Create the server CSR. The Common Name here is "server", not a hostname; that is fine because TLS clients match the host against subjectAltName (added in 2.8 from v3.ext) and ignore the CN when a SAN is present. The challenge password and optional company name are CSR attributes this flow never uses and can be left blank.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl req -new -out server.csr -key server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:shaanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
Organizational Unit Name (eg, section) []:aaa
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:server@wireless.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:rak
  • 2.8 Sign the server certificate with the CA (720 days). -extfile v3.ext is what copies the SAN and the other extensions from 2.3 into the certificate; without it the signed certificate carries no SAN and every client will reject it.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl x509 -req -in server.csr -CA ca.crt -extfile v3.ext -CAkey ca.key -CAcreateserial -out server.crt -days 720
Signature ok
subject=C = cn, ST = shaanxi, L = xian, O = rak, OU = rak, CN = server, emailAddress = server@wireless.com
Getting CA Private Key
Enter pass phrase for ca.key:123456
  • 2.9 Generate the client private key
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
...........................................................+++++
e is 65537 (0x010001)
  • 2.10 Create the client CSR. This key pair is what every ChirpStack component (and the mosquitto_sub/mosquitto_pub test in section 5) presents to the broker.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl req -new -out client.csr -key client.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:shaanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
Organizational Unit Name (eg, section) []:aaa
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:client@wireless.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:rak
  • 2.11 Sign the client certificate with the CA. The post reuses v3.ext, so the client certificate also carries the server's SAN and has no extendedKeyUsage; it works, but it means client.crt and client.key could equally be presented as a server certificate for <your server ip>. A separate extension file for the client with only basicConstraints, keyUsage and extendedKeyUsage = clientAuth (and serverAuth on the server side) keeps the two identities from being interchangeable.
root@ip-172-31-29-27:/opt/chirpstack3_us915/config/certs# openssl x509 -req -in client.csr -CA ca.crt -extfile v3.ext -CAkey ca.key -CAcreateserial -out client.crt -days 720
Signature ok
subject=C = cn, ST = shaanxi, L = xian, O = rak, OU = rak, CN = client, emailAddress = client@wireless.com
Getting CA Private Key
Enter pass phrase for ca.key:123456
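The whole of section 2 as one non-interactive script, added here as an example rather than taken from the post. It produces the same ca/server/client files the steps above produce, but with the CA extensions stated explicitly, an IP SAN for the broker, serverAuth/clientAuth extended key usages so the two leaf certificates cannot be swapped for each other, and a chain and SAN check at the end. It assumes openssl 1.1.1 or later on PATH; the placeholder values (BROKER_IP 203.0.113.10, passphrase change-me, the CN strings, and the req.cnf/server.ext/client.ext file names) are not in the original and should be replaced.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of section 2
# plus the checks worth running before the files are mounted into the broker.
# Assumptions: openssl 1.1.1+ on PATH; BROKER_IP and CA_PASS are placeholders.
BROKER_IP="${BROKER_IP:-203.0.113.10}"   # assumption: RFC 5737 documentation address
CA_PASS="${CA_PASS:-change-me}"          # assumption: CA key passphrase (never 123456 in production)

# gen_pki DIR: writes ca.key/ca.crt, server.key/server.crt, client.key/client.crt into DIR.
# The body is a subshell so the cd does not leak into the caller.
gen_pki() (
    set -e
    mkdir -p "$1" && cd "$1"

    # req config: prompt=no so nothing is typed; v3_ca marks the CA as a CA and gives it a
    # subjectKeyIdentifier, which the leaf certificates' authorityKeyIdentifier refers to.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Server extensions: the broker is addressed by IP, so the SAN is an IP entry (a DNS entry
    # holding an IP would never match), and the EKU limits the certificate to serverAuth.
    cat > server.ext <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${BROKER_IP}
EOF
    # Client extensions: clientAuth only and no SAN, so a leaked client cert cannot impersonate the broker.
    cat > client.ext <<'EOF'
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

    # 2.4/2.5: encrypted CA key and self-signed CA certificate (1826 days, as in the post).
    openssl genrsa -aes256 -passout "pass:${CA_PASS}" -out ca.key 2048
    openssl req -new -x509 -config req.cnf -key ca.key -passin "pass:${CA_PASS}" \
        -subj "/CN=chirpstack-mqtt-ca" -days 1826 -out ca.crt
    # 2.6-2.8: server key, CSR and CA-signed certificate (720 days, as in the post).
    openssl genrsa -out server.key 2048
    openssl req -new -config req.cnf -key server.key -subj "/CN=${BROKER_IP}" -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin "pass:${CA_PASS}" \
        -CAcreateserial -extfile server.ext -days 720 -out server.crt
    # 2.9-2.11: the same for the client identity the ChirpStack components present.
    openssl genrsa -out client.key 2048
    openssl req -new -config req.cnf -key client.key -subj "/CN=chirpstack-client" -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -passin "pass:${CA_PASS}" \
        -CAcreateserial -extfile client.ext -days 720 -out client.crt
    chmod 600 ca.key server.key client.key
)

# verify_chain DIR: succeeds only if both leaf certificates chain to ca.crt and are valid
# for their purpose, which is what the broker (sslclient) and the MQTT clients (sslserver) check.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null
}

# server_san DIR: prints the subjectAltName of server.crt, e.g. "IP Address:203.0.113.10".
# The address used in ssl://<ip>:7883 must appear here or every TLS client rejects the broker.
server_san() {
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

WORK="$(mktemp -d)"
gen_pki "$WORK" && verify_chain "$WORK" \
    && echo "certificates in $WORK; chain OK; server SAN: $(server_san "$WORK")"
```

Run it as BROKER_IP=<your server ip> CA_PASS=<passphrase> sh script.sh and copy the files from the printed directory into /opt/chirpstack3_us915/config/certs. Only ca.crt, server.crt and server.key need to reach the broker, and only ca.crt, client.crt and client.key the ChirpStack components; ca.key belongs somewhere neither container can read.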

3. Modify the configuration files

  • 3.1 vim /opt/chirpstack3_us915/config/chirpstack-network-server/chirpstack-network-server.toml
[network_server.gateway.backend]
type="mqtt"
...
  [network_server.gateway.backend.mqtt]
  ...
  server="ssl://<your server ip>:7883" # ssl:// scheme; the port is the host port from docker-compose.yml (the left side of 7883:8883)
  ca_cert="/etc/certs/ca.crt"          # container path of the ./config/certs volume
  tls_cert="/etc/certs/client.crt"
  tls_key="/etc/certs/client.key"
  • 3.2 vim /opt/chirpstack3_us915/config/chirpstack-gateway-bridge/chirpstack-gateway-bridge.toml
[integration]
...
  [integration.mqtt.auth]
  type="generic"
  ...
    [integration.mqtt.auth.generic]
    server="ssl://<your server ip>:7883" # same host port as in 3.1
    ca_cert="/etc/certs/ca.crt"
    tls_cert="/etc/certs/client.crt"
    tls_key="/etc/certs/client.key"
Depending on the gateway-bridge release, the [integration.mqtt.auth.generic] block takes a single server="..." or a list servers=["..."]; compare with the default config printed by chirpstack-gateway-bridge configfile, because an unknown key is silently ignored and the bridge then falls back to its default plaintext server. When the bridge runs on a physical gateway rather than in this compose file, copy ca.crt, client.crt and client.key to the gateway and adjust the three paths.
  • 3.3 vim /opt/chirpstack3_us915/config/chirpstack-application-server/chirpstack-application-server.toml
[application_server]
...
  [application_server.integration.mqtt]
  ...
  server="ssl://<your server ip>:7883" # same host port as in 3.1
  ca_cert="/etc/certs/ca.crt"
  tls_cert="/etc/certs/client.crt"
  tls_key="/etc/certs/client.key"

4. Start the ChirpStack services

cd /opt/chirpstack3_us915

docker-compose up -d

Then verify that the gateway reaches ChirpStack through the certificate-protected broker: watch the gateway bridge container's log (docker-compose logs -f) for a successful MQTT connection and check the gateway's last-seen time in the web UI.
5. Quickly verify the MQTT service with the certificates

# window 1
cd /opt/chirpstack3_us915/config/certs

mosquitto_sub -h <your server ip> -p 7883 -t "#" --cafile ca.crt --cert client.crt --key client.key

Open another window and publish a message

# window 2
cd /opt/chirpstack3_us915/config/certs
mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -h <your server ip> -p 7883 -t topic -m "message"

> If the message shows up in window 1, the MQTT service with certificates is working.

e.g.

root@ip-172-31-19-81:/opt/chirpstack3_us915/config/certs# mosquitto_sub -h <your server ip> -p 7883 -t "#" --cafile ca.crt --cert client.crt --key client.key
message
message
message
message

Three things this test tells you beyond "the broker is up". --cafile makes the client verify the broker's certificate against your CA, so the value given to -h must match an entry in the SAN of server.crt; a mismatch shows up as a TLS error instead of a delivered message. Because window 1 subscribes to "#", it also shows ChirpStack's own gateway and application traffic once the services are running, which confirms they are really connected to the TLS listener and not to some leftover plaintext port. Finally, repeat the mosquitto_pub without --cert and --key: with require_certificate true in mosquitto.conf the broker must refuse that connection; if it is accepted, anyone who can reach port 7883 can publish to your broker and the client certificates are decoration.
posted @ 2023-07-05 18:32 enthusiastic666