Remove default CA and MQTT cert gen. on install.

In case of mult-server deployments, this can be confusing as each VM
generates different certificate files by default, where all instances
must share the same certificate (or at least CA certificate + key).
The other issue is that the MQTT broker certificate must contain the
correct hostname, which can (most of the times) not automatically be
retrieved. Documentation to generate these certificates can be found
here:

https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html

.gitignore

@@ -13,11 +13,7 @@
 **/target
 
 # Certificates
-/chirpstack/configuration/certs/*.crt
-/chirpstack/configuration/certs/*.key
-/chirpstack/configuration/certs/*.trust
-/chirpstack/configuration/certs/*.pem
-/chirpstack/configuration/certs/*.csr
+/chirpstack/configuration/certs/*
 /chirpstack/configuration/private_*.toml
 
 # UI

chirpstack/Cargo.toml

@@ -120,13 +120,9 @@ bytes = "1.1"
 assets = [
 	["target/release/chirpstack", "usr/bin/", "755"],
 	["configuration/*.toml", "etc/chirpstack/", "640"],
-	["configuration/certs/*.json", "etc/chirpstack/certs", "640"],
 	["debian/environment.conf", "etc/systemd/system/chirpstack.service.d/environment.conf", "640"],
 ]
 conf-files = [
-	"/etc/chirpstack/certs/ca-config.json",
-	"/etc/chirpstack/certs/ca-csr.json",
-	"/etc/chirpstack/certs/mqtt-server.json",
 	"/etc/chirpstack/chirpstack.toml",
 	"/etc/chirpstack/region_as923.toml",
 	"/etc/chirpstack/region_as923_2.toml",
@@ -156,7 +152,6 @@ conf-files = [
 	"/etc/chirpstack/region_us915_6.toml",
 	"/etc/chirpstack/region_us915_7.toml",
 ]
-depends = "$auto, golang-cfssl"
 suggests = "postgresql, mosquitto, redis"
 maintainer-scripts = "debian/"
 systemd-units = { enable = true }

chirpstack/Makefile

@@ -111,14 +111,8 @@ test:
 test-lrwn:
 	cd ../lrwn && make test
 
-test-server: debug-amd64 configuration/certs/ca.pem
+test-server: debug-amd64
 	../target/debug/chirpstack -c ./configuration
 
 dbshell:
 	psql -h postgres -U chirpstack chirpstack
-
-configuration/certs/ca.pem:
-	cfssl gencert -initca configuration/certs/ca-csr.json | cfssljson -bare configuration/certs/ca
-
-configuration/certs/mqtt-server.pem: configuration/certs/ca.pem
-	cfssl gencert -ca configuration/certs/ca.pem -ca-key configuration/certs/ca-key.pem -config configuration/certs/ca-config.json -profile server configuration/certs/mqtt-server.json | cfssljson -bare configuration/certs/mqtt-server

chirpstack/configuration/certs/ca-config.json

@@ -1,17 +0,0 @@
-{
-  "signing": {
-    "default": {
-      "expiry": "8760h"
-    },
-    "profiles": {
-      "server": {
-        "expiry": "8760h",
-        "usages": [
-          "signing",
-          "key encipherment",
-          "server auth"
-        ]
-      }
-    }
-  }
-}

chirpstack/configuration/certs/ca-csr.json

@@ -1,7 +0,0 @@
-{
-  "CN": "ChirpStack CA",
-  "key": {
-    "algo": "rsa",
-    "size": 4096
-  }
-}

chirpstack/configuration/certs/mqtt-server.json

@@ -1,10 +0,0 @@
-{
-	"CN": "mqtt-broker",
-	"hosts": [
-		"*"
-	],
-	"key": {
-		"algo": "rsa",
-		"size": 4096
-	}
-}

chirpstack/configuration/chirpstack.toml

@@ -97,19 +97,9 @@
   secret="you-must-replace-this"
 
 
-[gateway]
-  client_cert_lifetime="365days"
-  ca_cert="configuration/certs/ca.pem"
-  ca_key="configuration/certs/ca-key.pem"
-
 [integration]
   enabled=["mqtt"]
 
   [integration.mqtt]
     server="tcp://$MQTT_BROKER_HOST:1883/"
     json=true
-
-    [integration.mqtt.client]
-      client_cert_lifetime="365days"
-      ca_cert="configuration/certs/ca.pem"
-      ca_key="configuration/certs/ca-key.pem"

chirpstack/debian/postinst

@@ -3,18 +3,6 @@
 # Set config-file permissions
 chown -R chirpstack:chirpstack /etc/chirpstack
 chmod 750 /etc/chirpstack
-chmod 750 /etc/chirpstack/certs
 chmod 640 /etc/chirpstack/*.toml
 
-# Generate certificates
-CERTROOT=/etc/chirpstack/certs
-
-if [ ! -f $CERTROOT/ca.pem ]; then
-	cfssl gencert -initca $CERTROOT/ca-csr.json | cfssljson -bare $CERTROOT/ca
-fi
-
-if [ ! -f $CERTROOT/mqtt-server.pem ]; then
-	cfssl gencert -ca $CERTROOT/ca.pem -ca-key $CERTROOT/ca-key.pem -config $CERTROOT/ca-config.json -profile server $CERTROOT/mqtt-server.json | cfssljson -bare $CERTROOT/mqtt-server
-fi
-
 #DEBHELPER#