Remove default CA and MQTT cert gen. on install.

In case of multi-server deployments, this can be confusing as each VM
generates different certificate files by default, where all instances
must share the same certificate (or at least CA certificate + key).
The other issue is that the MQTT broker certificate must contain the
correct hostname, which can (most of the time) not automatically be
retrieved. Documentation to generate these certificates can be found
here:

https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html
This commit is contained in:
Orne Brocaar 2022-08-21 19:48:01 +01:00
parent 424306ab41
commit e917f8ea49
8 changed files with 2 additions and 73 deletions

.gitignore vendored

@ -13,11 +13,7 @@
**/target
# Certificates
/chirpstack/configuration/certs/*.crt
/chirpstack/configuration/certs/*.key
/chirpstack/configuration/certs/*.trust
/chirpstack/configuration/certs/*.pem
/chirpstack/configuration/certs/*.csr
/chirpstack/configuration/certs/*
/chirpstack/configuration/private_*.toml
# UI
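Review bot: With `/chirpstack/configuration/certs/*` now ignoring everything and the three JSON templates deleted in this commit, nothing under `chirpstack/configuration/certs/` is tracked any more, and git does not keep empty directories, so a fresh clone will not have the directory the dev `configuration/` layout previously relied on. If developers are expected to drop the certificates from the linked guide there, add a tracked placeholder and exempt it with `!/chirpstack/configuration/certs/.gitkeep` on the line after the wildcard. If the directory is meant to be created by hand instead, a short comment next to the wildcard saying so would avoid the question.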


@ -120,13 +120,9 @@ bytes = "1.1"
assets = [
["target/release/chirpstack", "usr/bin/", "755"],
["configuration/*.toml", "etc/chirpstack/", "640"],
["configuration/certs/*.json", "etc/chirpstack/certs", "640"],
["debian/environment.conf", "etc/systemd/system/chirpstack.service.d/environment.conf", "640"],
]
conf-files = [
"/etc/chirpstack/certs/ca-config.json",
"/etc/chirpstack/certs/ca-csr.json",
"/etc/chirpstack/certs/mqtt-server.json",
"/etc/chirpstack/chirpstack.toml",
"/etc/chirpstack/region_as923.toml",
"/etc/chirpstack/region_as923_2.toml",
@ -156,7 +152,6 @@ conf-files = [
"/etc/chirpstack/region_us915_6.toml",
"/etc/chirpstack/region_us915_7.toml",
]
depends = "$auto, golang-cfssl"
suggests = "postgresql, mosquitto, redis"
maintainer-scripts = "debian/"
systemd-units = { enable = true }
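Review bot: Dropping `/etc/chirpstack/certs/ca-config.json`, `ca-csr.json` and `mqtt-server.json` from `conf-files` in the first hunk does not remove them from hosts that upgrade from the previous package: dpkg leaves obsolete conffiles in place, so upgraded systems keep the old cfssl templates in `/etc/chirpstack/certs` next to whatever the operator now installs there. If that is unwanted, the postinst can clean them up with `dpkg-maintscript-helper rm_conffile`, which is the usual route when the package does not ship a dh maintscript. In the second hunk the `depends` line is removed outright rather than reduced to `depends = "$auto"`; that is only equivalent if cargo-deb falls back to `$auto` when the key is absent, which is worth confirming before release.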


@ -111,14 +111,8 @@ test:
test-lrwn:
cd ../lrwn && make test
test-server: debug-amd64 configuration/certs/ca.pem
test-server: debug-amd64
../target/debug/chirpstack -c ./configuration
dbshell:
psql -h postgres -U chirpstack chirpstack
configuration/certs/ca.pem:
cfssl gencert -initca configuration/certs/ca-csr.json | cfssljson -bare configuration/certs/ca
configuration/certs/mqtt-server.pem: configuration/certs/ca.pem
cfssl gencert -ca configuration/certs/ca.pem -ca-key configuration/certs/ca-key.pem -config configuration/certs/ca-config.json -profile server configuration/certs/mqtt-server.json | cfssljson -bare configuration/certs/mqtt-server


@ -1,17 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"server": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}


@ -1,7 +0,0 @@
{
"CN": "ChirpStack CA",
"key": {
"algo": "rsa",
"size": 4096
}
}


@ -1,10 +0,0 @@
{
"CN": "mqtt-broker",
"hosts": [
"*"
],
"key": {
"algo": "rsa",
"size": 4096
}
}


@ -97,19 +97,9 @@
secret="you-must-replace-this"
[gateway]
client_cert_lifetime="365days"
ca_cert="configuration/certs/ca.pem"
ca_key="configuration/certs/ca-key.pem"
[integration]
enabled=["mqtt"]
[integration.mqtt]
server="tcp://$MQTT_BROKER_HOST:1883/"
json=true
[integration.mqtt.client]
client_cert_lifetime="365days"
ca_cert="configuration/certs/ca.pem"
ca_key="configuration/certs/ca-key.pem"
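Review bot: Removing `ca_cert` and `ca_key` from `[gateway]` and `[integration.mqtt.client]` leaves this configuration on the built-in defaults, and per the commit message those no longer point at any generated CA, so gateway and MQTT client certificate issuance will presumably be unavailable in this setup until an operator sets them — worth confirming against the defaults. A one-line comment above `[gateway]` such as `# ca_cert/ca_key intentionally unset; see https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html` would make the omission read as deliberate rather than as a lost setting.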


@ -3,18 +3,6 @@
# Set config-file permissions
chown -R chirpstack:chirpstack /etc/chirpstack
chmod 750 /etc/chirpstack
chmod 750 /etc/chirpstack/certs
chmod 640 /etc/chirpstack/*.toml
# Generate certificates
CERTROOT=/etc/chirpstack/certs
if [ ! -f $CERTROOT/ca.pem ]; then
cfssl gencert -initca $CERTROOT/ca-csr.json | cfssljson -bare $CERTROOT/ca
fi
if [ ! -f $CERTROOT/mqtt-server.pem ]; then
cfssl gencert -ca $CERTROOT/ca.pem -ca-key $CERTROOT/ca-key.pem -config $CERTROOT/ca-config.json -profile server $CERTROOT/mqtt-server.json | cfssljson -bare $CERTROOT/mqtt-server
fi
#DEBHELPER#
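Review bot: Removing `chmod 750 /etc/chirpstack/certs` means the directory operators now create by hand (per the linked guide) keeps whatever mode their umask gave it, and it is the directory that will hold `ca-key.pem`, the most sensitive file the service owns; the `chown -R` on the line above only fixes ownership, not mode. A guarded tightening keeps the protection without recreating the directory: `if [ -d /etc/chirpstack/certs ]; then chmod 750 /etc/chirpstack/certs; fi`. A comment in the script stating that certificates are now provisioned manually and must be readable only by the chirpstack user would also document the new contract for whoever edits this postinst next.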