Error tls: private key does not match public key (code: 2)

Hello everybody,

I’m installing a LoRa network on a Raspberry Pi 3 by following the tutorial https://www.loraserver.io/loraserver/overview/ . I’m currently stuck at the certificate step and I don’t know why. I went through all the forum threads and posts I could find; they helped me a lot, but I’m now stuck.

I get this error message in the GUI of lora-app-server when I try to add a network server: Error tls: private key does not match public key (code: 2)

I created the certificates and declared them in loraserver.toml and lora-app-server.toml, but I can’t get a proper handshake and I don’t see where my mistake is.

Servers logs:


************ Loraserver logs ***************


```
Sep 05 10:46:28 raspberrypi systemd[1]: Starting LoRa Server...
Sep 05 10:46:28 raspberrypi systemd[1]: Started LoRa Server.
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="starting LoRa Server" band=EU_863_870 docs="https://docs.loraserver.io/" net_id=010203 version=1.0.0
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="disabling all channels"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="enabling channels" channels="[0 1 2]"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="setup redis connection pool" url="redis://localhost:6379"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="connecting to postgresql"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="backend/gateway: TLS config is empty"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="backend/gateway: connecting to mqtt broker" server="tcp://localhost:1883"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="configuring join-server client" ca_cert= server="http://localhost:8003" tls_cert= tls_key=
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="no network-controller configured"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="applying database migrations"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="backend/gateway: connected to mqtt server"
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="backend/gateway: subscribing to rx topic" qos=0 topic=gateway/+/rx
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="backend/gateway: subscribing to stats topic" qos=0 topic=gateway/+/stats
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="migrations applied" count=0
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="starting api server" bind="0.0.0.0:8084" ca-cert=/etc/default/lora-certs/ca/ca.pem tls-cert=/etc/default/lora-certs/loraserver/api/server/loraserver-api-server.pem tls-key=/etc/default/lora-certs/loraserver/api/server/loraserver-api-server-key.pem
Sep 05 10:46:28 raspberrypi loraserver[3023]: time="2018-09-05T10:46:28+02:00" level=info msg="starting downlink device-queue scheduler"
Sep 05 10:47:33 raspberrypi loraserver[3023]: time="2018-09-05T10:47:33+02:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from "[::1]:52302": tls: first record does not look like a TLS handshake"
```


************ Lora-app-server logs ***************


```
Sep 05 14:02:12 raspberrypi systemd[1]: Starting LoRa App Server...
Sep 05 14:02:12 raspberrypi systemd[1]: Started LoRa App Server.
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="starting LoRa App Server" docs="https://www.loraserver.io/" version=1.0.2
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="connecting to postgresql"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="setup redis connection pool"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="handler/mqtt: TLS config is empty"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="handler/mqtt: connecting to mqtt broker" server="tcp://localhost:1883"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="applying database migrations"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="handler/mqtt: connected to mqtt broker"
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="handler/mqtt: subscribing to tx topic" qos=0 topic=application/+/device/+/tx
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="migrations applied" count=0
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="starting application-server api" bind="127.0.0.1:8001" ca-cert=/etc/default/lora-certs/ca/ca.pem tls-cert=/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server.pem tls-key=/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server-key.pem
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="starting join-server api" bind="0.0.0.0:8003" ca_cert= tls_cert= tls_key=
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="starting client api server" bind="0.0.0.0:8080" tls-cert=/etc/lora-app-server/certs/http.pem tls-key=/etc/lora-app-server/certs/http-key.pem
Sep 05 14:02:12 raspberrypi lora-app-server[4223]: time="2018-09-05T14:02:12+02:00" level=info msg="registering rest api handler and documentation endpoint" path=/api
Sep 05 14:36:21 raspberrypi lora-app-server[4223]: time="2018-09-05T14:36:21+02:00" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Branding grpc.service=api.Internal grpc.start_time="2018-09-05T14:36:21+02:00" grpc.time_ms=0.062 peer.address="[::1]:52312" span.kind=server system=grpc
Sep 05 14:36:21 raspberrypi lora-app-server[4223]: time="2018-09-05T14:36:21+02:00" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Profile grpc.service=api.Internal grpc.start_time="2018-09-05T14:36:21+02:00" grpc.time_ms=43.057 peer.address="[::1]:52312" span.kind=server system=grpc
Sep 05 14:36:21 raspberrypi lora-app-server[4223]: time="2018-09-05T14:36:21+02:00" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=List grpc.service=api.Organization grpc.start_time="2018-09-05T14:36:21+02:00" grpc.time_ms=18.335 peer.address="[::1]:52320" span.kind=server system=grpc
Sep 05 14:36:26 raspberrypi lora-app-server[4223]: 2018/09/05 14:36:26 http: TLS handshake error from 192.168.0.102:62049: tls: first record does not look like a TLS handshake
Sep 05 14:36:26 raspberrypi lora-app-server[4223]: 2018/09/05 14:36:26 http: TLS handshake error from 192.168.0.102:62050: tls: first record does not look like a TLS handshake
Sep 05 14:36:31 raspberrypi lora-app-server[4223]: 2018/09/05 14:36:31 http: TLS handshake error from 192.168.0.102:62051: tls: first record does not look like a TLS handshake
Sep 05 14:36:37 raspberrypi lora-app-server[4223]: time="2018-09-05T14:36:37+02:00" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Branding grpc.service=api.Internal grpc.start_time="2018-09-05T14:36:37+02:00" grpc.time_ms=0.055 peer.address="[::1]:52312" span.kind=server system=grpc
```

Configuration of the servers:


************ Loraserver Config ***************


```toml
# Network-server API
# This is the network-server API that is used by LoRa App Server or other
# custom components interacting with LoRa Server.
[network_server.api]
# ip:port to bind the api server
bind="0.0.0.0:8084"

# ca certificate used by the api server (optional)
ca_cert="/etc/default/lora-certs/ca/ca.pem"

# tls certificate used by the api server (optional)
tls_cert="/etc/default/lora-certs/loraserver/api/server/loraserver-api-server.pem"

# tls key used by the api server (optional)
tls_key="/etc/default/lora-certs/loraserver/api/server/loraserver-api-server-key.pem"
```


************ Lora-App-server Config ***************


```toml
# Settings for the "internal api"
# This is the API used by LoRa Server to communicate with LoRa App Server
# and should not be exposed to the end-user.
[application_server.api]
# ip:port to bind the api server
bind="127.0.0.1:8001"

# ca certificate used by the api server (optional)
ca_cert="/etc/default/lora-certs/ca/ca.pem"

# tls certificate used by the api server (optional)
# tls_cert="/etc/lora-app-server/certs/http.pem"
tls_cert="/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server.pem"

# tls key used by the api server (optional)
# tls_key="/etc/lora-app-server/certs/http-key.pem"
tls_key="/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server-key.pem"
```

Does anyone know why?

Thanks in advance,

Franck

Could you please format your post, that makes it easier to read for all of us :)

Hello Brocaar,

Sorry, I didn’t know it would format that way. I hope it is better this way:

************ Loraserver Config ***************

```toml
# Network-server API
# This is the network-server API that is used by LoRa App Server or other
# custom components interacting with LoRa Server.
[network_server.api]
# ip:port to bind the api server
bind="0.0.0.0:8084"

# ca certificate used by the api server (optional)
ca_cert="/etc/default/lora-certs/ca/ca.pem"

# tls certificate used by the api server (optional)
tls_cert="/etc/default/lora-certs/loraserver/api/server/loraserver-api-server.pem"

# tls key used by the api server (optional)
tls_key="/etc/default/lora-certs/loraserv
```

************ Lora-App-server Config ***************

```toml
# Settings for the "internal api"
# This is the API used by LoRa Server to communicate with LoRa App Server
# and should not be exposed to the end-user.
[application_server.api]
# ip:port to bind the api server
bind="127.0.0.1:8001"

# ca certificate used by the api server (optional)
ca_cert="/etc/default/lora-certs/ca/ca.pem"

# tls certificate used by the api server (optional)
tls_cert="/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server.pem"

# tls key used by the api server (optional)
tls_key="/etc/default/lora-certs/lora-app-server/api/server/lora-app-server-api-server-key.pem"
```