Today I upgraded a Chirpstack Server (Debian based) from Chirpstack Version 4.6 to 4.7. The MQTT Integration is working with MQTT Mosquitto Broker in the same Subnet over SSL. Since the update I get the following error message when starting the Chirpstack server:
Configuring client with TLS certificate, ca_cert: /etc/chirpstack/certs/ca.pem, tls_cert: /etc/chirpstack/certs/mqtt-broker.pem, tls_key: /etc/chirpstack/certs/mqtt-broker-key.pem
chirpstack[4306]: Error: Setup MQTT integration
chirpstack[4306]: Caused by:
chirpstack[4306]: No private key found
systemd[1]: chirpstack.service: Main process exited, code=exited, status=1/FAILURE
I could not see any breaking changes in the changelog for version 4.7, except the switch from openssl to rustls.
To add some context to this, ChirpStack v4.7 migrated from OpenSSL to Rustls. The big advantage is that it is no longer needed to (cross)compile OpenSSL such that ChirpStack can be linked against it.
Unfortunately, Rustls is more restrictive in the certificate formats that it accepts than OpenSSL. As far as I understand PKCS#8 is in general the preferred method. For RSA private-keys, there is an easy fix and ChirpStack will automatically do the conversion to PKCS#8:
Thanks for the additional context and the explanations. I’m not very familiar with Rust, nor with the PKCS#8 key format. I’m a bit confused, because the failing key is an RSA key, generated with the tools from the chirpstack-certificates repository:
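Added example, not part of the thread and not ChirpStack code: a small Python check that reports which private-key encoding a PEM file actually contains, which is the first thing to confirm when a TLS loader reports "No private key found". The function names are hypothetical and the sample PEM bodies are constructed placeholders, not real keys.

```python
import re
import sys

# PEM labels and the private-key encoding each one denotes
# (RFC 7468 labels plus OpenSSL's traditional ones).
KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8 (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
    "RSA PRIVATE KEY": "PKCS#1 (traditional RSA)",
    "EC PRIVATE KEY": "SEC1 (traditional EC)",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Return (label, description) for every PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        desc = KEY_LABELS.get(label, "not a private key")
        # Legacy OpenSSL encryption keeps RFC 1421 headers inside the block.
        if "Proc-Type: 4,ENCRYPTED" in body:
            desc += ", passphrase-protected (legacy PEM encryption)"
        found.append((label, desc))
    return found

def private_key_formats(text):
    """Only the blocks that actually hold a private key."""
    return [(l, d) for l, d in inspect_pem(text) if l in KEY_LABELS]

# Constructed sample: an EC key file with a leading parameters block.
SAMPLE_EC = """-----BEGIN EC PARAMETERS-----
Q09OU1RSVUNURUQ=
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END EC PRIVATE KEY-----
"""

# Constructed sample: a file that holds a certificate but no key.
SAMPLE_CERT_ONLY = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Usage: python check_key.py /path/to/key.pem (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EC
    for label, desc in inspect_pem(data):
        print(f"{label}: {desc}")
```

An empty result from `private_key_formats` means the file configured as `tls_key` holds no private-key block at all, for example because certificate and key paths were swapped.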