How to configure TLS in gateway bridge => network-server


#1

Hi,

I just managed to configure a communication between the network server, the app server and the join server thanks to the script in lora-server-certification, and now I also want to configure the encrypted communication between the "network server and lora-gateway-bridge".

I suppose I should use the same script to generate all certificates and keys (client and server side) and put them into "loraserver.toml" and "lora-gateway-bridge.toml".
But I'm not really sure how to proceed. How can I generate everything needed for lora-gateway-bridge without modifying all the other components by executing "make"?
Can you help me with every step to do this? Thanks guys!

Jawad


#2

The gateway bridge and loraserver communicate through MQTT, so you need to secure mosquitto (or whatever other broker you are using) by using TLS. As an example, here's a tutorial from a quick search on how to secure mosquitto with a self-signed certificate: http://www.steves-internet-guide.com/mosquitto-tls/. In this case, be sure to provide the ca_cert, tls_cert and tls_key parameters in the bridge's and loraserver's configurations.


#3

Thanks @iegomez, I understand the logic!

But what is the usefulness of this file :

I was thinking I just need to put:

  • the files of the server directory in "lora-gateway-bridge.toml"
  • the files of the client directory in "loraserver.toml"

And if I secure the MQTT broker like it's explained in the tutorial http://www.steves-internet-guide.com/mosquitto-tls/, do I have to secure all the elements that use mosquitto? Because I have a PHP web application that controls class C end devices.
My app publishes a topic concerning the end device, and the "lora-app-server" subscribes. I imagine I will also have to secure this part, because it uses MQTT?

Jawad


#4

You are looking at files for the basic station which is included in the test 3.0.0 version (see [announcement] LoRa Gateway Bridge v3.0.0 - test release).

And no, it's not necessary (though preferable) that every client connects over TLS to mosquitto; you may have it run through different protocols on different ports. For example, this would allow local TCP connections on port 1883, a secure TLS connection on port 8883 and a secure websocket connection through 8083:

    listener 1883 localhost

    listener 8883
    certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
    cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
    keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

    listener 8083
    protocol websockets
    certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
    cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
    keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
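A small audit of a multi-listener mosquitto.conf like the one above, added here as an example (it is not code from the thread or from the mosquitto or LoRa Server projects). It parses the listener blocks and reports which listeners accept plaintext MQTT from the network and which TLS listeners do not require a client certificate (mosquitto's `require_certificate` option). The sample configuration is constructed from the thread's example, with `require_certificate true` added on 8883 and an extra all-interfaces plaintext listener on 1884 so that both kinds of finding appear.

```python
"""Audit mosquitto listener blocks for TLS coverage.

Example code, not part of the original thread. Parses the simple
"key value" lines of a mosquitto.conf and groups them by listener.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the thread's three listeners plus two changes
# (require_certificate on 8883, a plaintext 1884 on all interfaces).
SAMPLE_CONF = """\
listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
require_certificate true

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

listener 1884 0.0.0.0
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Listener:
    port: int
    bind: Optional[str] = None          # None: mosquitto binds all interfaces
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def loopback_only(self) -> bool:
        return self.bind in LOOPBACK

    @property
    def tls(self) -> bool:
        # A listener speaks TLS when it has a server cert and key.
        return "certfile" in self.options and "keyfile" in self.options

    @property
    def client_certs_required(self) -> bool:
        return self.options.get("require_certificate", "false").lower() == "true"


def parse_listeners(text: str) -> List[Listener]:
    """Split a mosquitto.conf into per-listener option groups."""
    listeners: List[Listener] = []
    current: Optional[Listener] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            parts = value.split()
            current = Listener(int(parts[0]), parts[1] if len(parts) > 1 else None)
            listeners.append(current)
        elif current is not None:
            current.options[key] = value
    return listeners


def audit(text: str) -> List[str]:
    """Return one finding per listener that deserves a second look."""
    findings = []
    for lst in parse_listeners(text):
        if not lst.tls and not lst.loopback_only:
            findings.append(f"listener {lst.port}: plaintext MQTT reachable from the network")
        elif lst.tls and not lst.client_certs_required:
            findings.append(f"listener {lst.port}: TLS listener does not require a client certificate")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The loopback-only plaintext listener on 1883 is accepted by the audit, which is exactly the layout suggested in the post above: unencrypted MQTT stays on the host, and anything reachable from the network goes through a TLS listener.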

#5

OK, I perfectly understood, thanks for the clarification. I will test this and I'll let you know :slight_smile:


#6

Hi @iegomez,

After configuring all the certificates and keys for the broker and the clients (network server & gateway bridge),

I tried a test to check if it's working:

    mosquitto_pub -p 8883 --cafile ../ca/ca.crt --cert client.crt --key client.key -h localhost -m hello -t /world

Result => mosquitto log:

Then I tested the lora-network-server and lora-gateway-bridge.

loraserver.toml:

    # MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
    #server="tcp://localhost:1883"
    server="ssl://localhost:8883"
    #server="tcp://172.16.105.158:1883"
    #server="ssl://172.16.105.158:8883"

    # on the server (e.g. when self generated).
    ca_cert="/etc/mosquitto/certs/ca/ca.crt"

    # TLS certificate file (optional)
    tls_cert="/etc/mosquitto/certs/client/client.crt"

    # TLS key file (optional)
    tls_key="/etc/mosquitto/certs/client/client.key"

lora-gateway-bridge.toml:

    # MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
    #server="tcp://localhost:1883"
    server="ssl://localhost:8883"
    #server="tcp://172.16.105.158:1883"
    #server="ssl://172.16.105.158:8883"

    # on the server (e.g. when self generated).
    ca_cert="/etc/mosquitto/certs/ca/ca.crt"

    # TLS certificate file (optional)
    tls_cert="/etc/mosquitto/certs/client/client.crt"

    # TLS key file (optional)
    tls_key="/etc/mosquitto/certs/client/client.key"

Then I restarted loraserver and the gateway bridge, and everything is working fine! For whoever wants more details, I will reply :wink:
It's a pity that we can't secure the communication between the gateway bridge and the packet forwarder (UDP link), but that's another topic hahaha
Thanks again
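The mosquitto_pub test and the two TOML fragments above use the same TLS material: ca_cert corresponds to --cafile, tls_cert to --cert and tls_key to --key, and the host and port come from the server URL. As an added example (not code from the thread or from the LoRa Server project), the following checks the MQTT keys of such a fragment and derives the equivalent mosquitto_pub command, so the broker can be tested with exactly the files the server will use. It assumes the bare key="value" fragment shown above, without [section] headers, so a minimal parser is enough; the sample fragment is constructed from the post.

```python
"""Check the MQTT transport keys of a loraserver / lora-gateway-bridge
TOML fragment and derive the matching mosquitto_pub test command.

Example code, not part of the original thread.
"""
import re
import shlex
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the fragment posted above, commented lines included.
SAMPLE_TOML = '''
# MQTT server (e.g. scheme://host:port where scheme is tcp, ssl or ws)
#server="tcp://localhost:1883"
server="ssl://localhost:8883"

# on the server (e.g. when self generated).
ca_cert="/etc/mosquitto/certs/ca/ca.crt"

# TLS certificate file (optional)
tls_cert="/etc/mosquitto/certs/client/client.crt"

# TLS key file (optional)
tls_key="/etc/mosquitto/certs/client/client.key"
'''

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
KV = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_fragment(text: str) -> Dict[str, str]:
    """Collect key="value" lines, skipping comments and blank lines."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KV.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_mqtt(cfg: Dict[str, str]) -> List[str]:
    """Return findings about how the client reaches the broker."""
    findings = []
    url = urlparse(cfg.get("server", ""))
    host = url.hostname or ""
    if url.scheme in ("tcp", "ws") and host not in LOOPBACK:
        findings.append(f"server uses plaintext {url.scheme}:// to non-local host {host}")
    if url.scheme in ("ssl", "wss"):
        if not cfg.get("ca_cert"):
            # Without the CA file a privately issued broker cert cannot be verified.
            findings.append("ssl:// without ca_cert: broker certificate cannot be verified")
        if bool(cfg.get("tls_cert")) != bool(cfg.get("tls_key")):
            findings.append("tls_cert and tls_key must be set together")
    return findings


def mosquitto_pub_command(cfg: Dict[str, str], topic: str = "/world",
                          message: str = "hello") -> str:
    """Build the mosquitto_pub call that exercises the same TLS files."""
    url = urlparse(cfg["server"])
    args = ["mosquitto_pub", "-h", url.hostname, "-p", str(url.port)]
    if url.scheme in ("ssl", "wss"):
        if cfg.get("ca_cert"):
            args += ["--cafile", cfg["ca_cert"]]
        if cfg.get("tls_cert") and cfg.get("tls_key"):
            args += ["--cert", cfg["tls_cert"], "--key", cfg["tls_key"]]
    args += ["-t", topic, "-m", message]
    return shlex.join(args)


if __name__ == "__main__":
    cfg = parse_fragment(SAMPLE_TOML)
    print(check_mqtt(cfg) or "no findings")
    print(mosquitto_pub_command(cfg))
```

Running it against the posted fragment yields no findings and prints a mosquitto_pub command using the same CA, certificate and key paths as the TOML, which is the shape of the test shown at the start of the post.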