TLS certificates for LoRa Server components

Hello,

I am opening this post to better understand the roles of TLS certificates in the LoRaServer project.

Right about https://en.wikipedia.org/wiki/Transport_Layer_Security

So if I have understood correctly the role in this project, and considering only one network server, the TLS certificates authorize and encrypt the communication between the lora server and the lora-app-server?

From this starting point I wish to use the set of scripts provided by @brocaar to generate such certificates.

https://github.com/brocaar/loraserver-certificates

Currently I think I have installed all the necessary tools to be able to use the scripts to generate the certificates:

Go
cfssl
git

Now I have to clone the GitHub project loraserver-certificates.

@brocaar, you said “Simply run make to generate all certificates.” If I check out your GitHub project in my home directory, will only a make command be necessary to generate the certificates?

Thank you for your help.

The role is to add encryption, but also to add authentication.

The first step that my script is doing is generating a CA certificate + key. This is then used to sign the other certificates.

When TLS is enabled, LoRa (App) Server will validate on an incoming connection if the client certificate was signed by the configured CA certificate, if not then the connection is dropped :slight_smile:

When you are in the root of the git repository, then you need to call make to start generating the certificates :slight_smile:

Thank you for your reply.

I did git clone https://github.com/brocaar/loraserver-certificates.git to get the repository, then I did a make command as you advised me.

After the make command I got three new directories under ~/loraserver-certificates/certs/


Everything seems to be OK; I continue to follow the lora server certificate project.

Thank you


Did I miss something? I’m trying to debug; hereinafter my loraserver log (sorry, the logs are truncated)

It’s clearly permission denied… the rights or something else?

I did chmod 744 loraserver-api-server-key.pem to solve this conflict, but now I have a problem with lora-app-server.

I did chmod 744 lora-app-server-api-server-key.pem to solve this conflict too.

How can I confirm that the certificates are well installed?

Only through the logs?

According to your comment in the TLS certificates section available from network-server management you have written, all Certificates for LoRa App Server to LoRa Server connection and Certificates for LoRa Server to LoRa App Server connection fields are totally blank.

Note that for security reasons, the TLS key content is not displayed when editing an existing network-server. Re-submitting does not clear the stored TLS key when left blank! The TLS key content will only be cleared internally when submitting a form with an empty TLS certificate value

Something is still wrong; tomorrow I will continue to display all logs…

I see the last error is on the MQTT certificate, the script does not generate MQTT certificates.

Please note that you have to copy & paste the client certificates in the web interface. In the loraserver.toml and lora-app-server.toml you set the server certificates, in the web-interface when registering a network-server you enter the client certificates.

(note I see that https://github.com/brocaar/loraserver-certificates still refers to the cli arguments, these have been deprecated, I’ll update the readme)

I did it:

I filled in the content of:

here :


I didn’t understand this ==> Important: the CN of the client certificate must match the --as-public-id of the LoRa App Server using the certificate.

and I filled in the content of:

here:


I didn’t understand this ==> Important: the CN of the client certificate must match the --net-id of the LoRa Server instance using the certificate.

Sorry, but I need help to debug this certificate part; there is something I did not do well!

I’m starting by debugging loraserver:

my loraserver log:

Jun 30 18:48:42 Debian02 systemd[1]: Starting LoRa Server...
Jun 30 18:48:42 Debian02 systemd[1]: Started LoRa Server.
Jun 30 18:48:47 Debian02 loraserver[468]: time="2018-06-30T18:48:47+01:00" level=info msg="starting LoRa Server" band=EU_863_870 docs="https://docs.loraserver.io/" net_id=010203 version=1.0.0
Jun 30 18:48:47 Debian02 loraserver[468]: time="2018-06-30T18:48:47+01:00" level=info msg="setup redis connection pool" url="redis://localhost:6379"
Jun 30 18:48:47 Debian02 loraserver[468]: time="2018-06-30T18:48:47+01:00" level=info msg="connecting to postgresql"
Jun 30 18:48:47 Debian02 loraserver[468]: time="2018-06-30T18:48:47+01:00" level=error msg="ping database error, will retry in 2s: dial tcp [::1]:5432: connect: connection refused"
Jun 30 18:48:49 Debian02 loraserver[468]: time="2018-06-30T18:48:49+01:00" level=error msg="ping database error, will retry in 2s: dial tcp [::1]:5432: connect: connection refused"
Jun 30 18:48:51 Debian02 loraserver[468]: time="2018-06-30T18:48:51+01:00" level=error msg="ping database error, will retry in 2s: dial tcp [::1]:5432: connect: connection refused"
Jun 30 18:48:54 Debian02 loraserver[468]: time="2018-06-30T18:48:54+01:00" level=info msg="backend/gateway: TLS config is empty"
Jun 30 18:48:54 Debian02 loraserver[468]: time="2018-06-30T18:48:54+01:00" level=info msg="backend/gateway: connecting to mqtt broker" server="tcp://localhost:1883"
Jun 30 18:48:54 Debian02 loraserver[468]: time="2018-06-30T18:48:54+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:48:56 Debian02 loraserver[468]: time="2018-06-30T18:48:56+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:48:58 Debian02 loraserver[468]: time="2018-06-30T18:48:58+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:00 Debian02 loraserver[468]: time="2018-06-30T18:49:00+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:02 Debian02 loraserver[468]: time="2018-06-30T18:49:02+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:04 Debian02 loraserver[468]: time="2018-06-30T18:49:04+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:06 Debian02 loraserver[468]: time="2018-06-30T18:49:06+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:08 Debian02 loraserver[468]: time="2018-06-30T18:49:08+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:10 Debian02 loraserver[468]: time="2018-06-30T18:49:10+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:12 Debian02 loraserver[468]: time="2018-06-30T18:49:12+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:14 Debian02 loraserver[468]: time="2018-06-30T18:49:14+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:16 Debian02 loraserver[468]: time="2018-06-30T18:49:16+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:18 Debian02 loraserver[468]: time="2018-06-30T18:49:18+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:20 Debian02 loraserver[468]: time="2018-06-30T18:49:20+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:22 Debian02 loraserver[468]: time="2018-06-30T18:49:22+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:24 Debian02 loraserver[468]: time="2018-06-30T18:49:24+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:26 Debian02 loraserver[468]: time="2018-06-30T18:49:26+01:00" level=error msg="backend/gateway: connecting to mqtt broker failed, will retry in 2s: Network Error : dial tcp [::1]:1883: connect: connection refused"
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="configuring join-server client" ca_cert=/etc/loraserver-certificates/certs/ca/ca.pem server="http://localhost:8003" tls_cert=/etc/loraserver-certi
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="backend/gateway: connected to mqtt server"
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="backend/gateway: subscribing to rx topic" qos=0 topic=gateway/+/rx
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="no network-controller configured"
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="applying database migrations"
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="backend/gateway: subscribing to stats topic" qos=0 topic=gateway/+/stats
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="migrations applied" count=0
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="starting api server" bind="0.0.0.0:8000" ca-cert=/etc/loraserver-certificates/certs/ca/ca.pem tls-cert=/etc/loraserver-certificates/certs/loraserv
Jun 30 18:49:28 Debian02 loraserver[468]: time="2018-06-30T18:49:28+01:00" level=info msg="starting downlink device-queue scheduler"
Jun 30 18:50:09 Debian02 loraserver[468]: time="2018-06-30T18:50:09+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38242\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:10 Debian02 loraserver[468]: time="2018-06-30T18:50:10+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38243\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:11 Debian02 loraserver[468]: time="2018-06-30T18:50:11+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38244\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:14 Debian02 loraserver[468]: time="2018-06-30T18:50:14+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38245\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:19 Debian02 loraserver[468]: time="2018-06-30T18:50:19+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38246\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:25 Debian02 loraserver[468]: time="2018-06-30T18:50:25+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38247\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:35 Debian02 loraserver[468]: time="2018-06-30T18:50:35+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38248\": tls: first record does not look like a TLS handshake"
Jun 30 18:50:53 Debian02 loraserver[468]: time="2018-06-30T18:50:53+01:00" level=warning msg="grpc: Server.Serve failed to complete security handshake from \"[::1]:38249\": tls: first record does not look like a TLS handshake"

Here the related part of loraserver.toml:

  # Network-server API
  #
  # This is the network-server API that is used by LoRa App Server or other
  # custom components interacting with LoRa Server.
  [network_server.api]
  # ip:port to bind the api server
  bind="0.0.0.0:8000"

  # ca certificate used by the api server (optional)
  ca_cert="/etc/loraserver-certificates/certs/ca/ca.pem"

  # tls certificate used by the api server (optional)
  tls_cert="/etc/loraserver-certificates/certs/loraserver/api/server/loraserver-api-server.pem"

  # tls key used by the api server (optional)
  tls_key="/etc/loraserver-certificates/certs/loraserver/api/server/loraserver-api-server-key.pem"


and

# Default join-server settings.
[join_server.default]
# hostname:port of the default join-server
#
# This API is provided by LoRa App Server.
server="http://localhost:8003"

# ca certificate used by the default join-server client (optional)
ca_cert="/etc/loraserver-certificates/certs/ca/ca.pem"

# tls certificate used by the default join-server client (optional)
tls_cert="/etc/loraserver-certificates/certs/lora-app-server/join-api/client/lora-app-server-join-api-client.pem"

# tls key used by the default join-server client (optional)
tls_key="/etc/loraserver-certificates/certs/lora-app-server/join-api/client/lora-app-server-join-api-client-key.pem"

Sorry, it’s a long post…

Ok, I found the hassles,

In the beginning there was certainly some confusion between client/server in loraserver.toml and lora-app-server.toml.

One point, I do not know if it’s important: in loraserver.toml I changed server=http://localhost:8003 to server=https://localhost:8003 ==> unless I’m mistaken it’s not mentioned; I found it in an old post.

And last but not least, in the web interface in the network-server configuration, TLS certificates fields, I was doing a bad copy/paste, that is to say I didn’t copy the header and the footer of all TLS files:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----RSA PRIVATE KEY-----
so on…

But now the TLS certificates work well, goodish…

Thank you @brocaar

Next step MQTT authentication ==> https://github.com/jpmens/mosquitto-auth-plug
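To make the two checks @brocaar described concrete (the client certificate must be signed by the configured CA, and its CN must match the net-id / as-public-id of the peer) and to show why a paste without the BEGIN/END lines fails, here is an added Go example; it is not LoRa Server code, and the throwaway CA, the keys and the CN "010203" (the net_id from the log above) are constructed for the test, with ed25519 keys rather than the RSA keys and cfssl that the make script uses.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyClientCert mirrors the server-side check: chain to the configured CA, CN equal to the expected id (net-id / as-public-id).
func verifyClientCert(caPEM, clientPEM []byte, expectedCN string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca: no PEM CERTIFICATE block found (BEGIN/END CERTIFICATE lines missing?)")
	}
	blk, _ := pem.Decode(clientPEM)
	if blk == nil || blk.Type != "CERTIFICATE" {
		return fmt.Errorf("client: not a PEM CERTIFICATE block (BEGIN/END CERTIFICATE lines missing?)")
	}
	client, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return fmt.Errorf("client: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("client cert not signed by the configured CA: %w", err)
	}
	if cn := client.Subject.CommonName; cn != expectedCN {
		return fmt.Errorf("CN %q does not match the expected id %q", cn, expectedCN)
	}
	return nil
}

// makeCerts: throwaway CA plus a CA-signed client cert with the given CN (constructed test material standing in for the make output).
func makeCerts(cn string) (caPEM, clientPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "loraserver-ca"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	clientTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: t0, NotAfter: t1, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	clientDER, _ := x509.CreateCertificate(rand.Reader, clientTpl, caTpl, clientPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(clientDER)
}
```

The same function applied to the files under certs/ would flag a CN that does not equal the configured net_id before the TLS handshake is ever attempted.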


Great! Also take a look at https://forum.loraserver.io/t/go-mosquitto-auth-plugin/448. I’ve had many issues with the mosquitto-auth-plug module which sometimes would cause the Mosquitto broker to crash on startup (when the db was not yet ready to accept connections).


OK, thank you. Previously I had started to look at the Go mosquitto auth plugin project, so you advise me to use this project instead of https://github.com/jpmens/mosquitto-auth-plug.

Thank you for your help @brocaar and @iegomez, I’ll be back…

I decided to follow this link https://github.com/iegomez/mosquitto-go-auth/blob/master/LORASERVER.md; is this the right way?

Thank you for your help.

Hi. That’s the report from a particular user adding auth to mosquitto for his loraserver, so it should be helpful. Also, I think the best is to read carefully the official instructions (https://www.loraserver.io/install/mqtt-auth/) to grasp what needs securing, and then follow the readme at the repo for the wanted backends.

If you have any doubts or issues, just comment here and I’ll be happy to help.

Hello,

thank you for your help.

Here is my status:

I created acls & auth.conf so that only the users allowed in the ACL file can access this topic.

Then regarding mosquitto-go-auth I did make requirement & make:


I have to create some config for mosquitto again, and then I can jump to the configuration section.

I think https://forum.loraserver.io/t/go-mosquitto-auth-plugin/448 is a better topic to continue this discussion :slight_smile: