Remove default CA and MQTT cert gen. on install.
In case of multi-server deployments, this can be confusing as each VM generates different certificate files by default, whereas all instances must share the same certificate (or at least CA certificate + key). The other issue is that the MQTT broker certificate must contain the correct hostname, which (most of the time) cannot be retrieved automatically. Documentation on generating these certificates can be found here: https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html
parent
424306ab41
commit
e917f8ea49
6
.gitignore
vendored
6
.gitignore
vendored
@ -13,11 +13,7 @@
|
||||
**/target
|
||||
|
||||
# Certificates
|
||||
/chirpstack/configuration/certs/*.crt
|
||||
/chirpstack/configuration/certs/*.key
|
||||
/chirpstack/configuration/certs/*.trust
|
||||
/chirpstack/configuration/certs/*.pem
|
||||
/chirpstack/configuration/certs/*.csr
|
||||
/chirpstack/configuration/certs/*
|
||||
/chirpstack/configuration/private_*.toml
|
||||
|
||||
# UI
|
||||
|
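Review bot: The `# Certificates` comment above `/chirpstack/configuration/certs/*` does not say that the directory is now meant to hold only operator-generated material, private keys included. A comment such as `# Locally generated CA/broker certificates and private keys - never commit` would record why the whole directory is ignored rather than a list of extensions. Because the pattern matches every file in the directory, any template that should later be tracked there needs an explicit `!` negation entry. The page has lost its +/- markers, so reading this line as the added one and the five extension-specific patterns as removed is inferred from the hunk header counts.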
@ -120,13 +120,9 @@ bytes = "1.1"
|
||||
assets = [
|
||||
["target/release/chirpstack", "usr/bin/", "755"],
|
||||
["configuration/*.toml", "etc/chirpstack/", "640"],
|
||||
["configuration/certs/*.json", "etc/chirpstack/certs", "640"],
|
||||
["debian/environment.conf", "etc/systemd/system/chirpstack.service.d/environment.conf", "640"],
|
||||
]
|
||||
conf-files = [
|
||||
"/etc/chirpstack/certs/ca-config.json",
|
||||
"/etc/chirpstack/certs/ca-csr.json",
|
||||
"/etc/chirpstack/certs/mqtt-server.json",
|
||||
"/etc/chirpstack/chirpstack.toml",
|
||||
"/etc/chirpstack/region_as923.toml",
|
||||
"/etc/chirpstack/region_as923_2.toml",
|
||||
@ -156,7 +152,6 @@ conf-files = [
|
||||
"/etc/chirpstack/region_us915_6.toml",
|
||||
"/etc/chirpstack/region_us915_7.toml",
|
||||
]
|
||||
depends = "$auto, golang-cfssl"
|
||||
suggests = "postgresql, mosquitto, redis"
|
||||
maintainer-scripts = "debian/"
|
||||
systemd-units = { enable = true }
|
||||
|
@ -111,14 +111,8 @@ test:
|
||||
test-lrwn:
|
||||
cd ../lrwn && make test
|
||||
|
||||
test-server: debug-amd64 configuration/certs/ca.pem
|
||||
test-server: debug-amd64
|
||||
../target/debug/chirpstack -c ./configuration
|
||||
|
||||
dbshell:
|
||||
psql -h postgres -U chirpstack chirpstack
|
||||
|
||||
configuration/certs/ca.pem:
|
||||
cfssl gencert -initca configuration/certs/ca-csr.json | cfssljson -bare configuration/certs/ca
|
||||
|
||||
configuration/certs/mqtt-server.pem: configuration/certs/ca.pem
|
||||
cfssl gencert -ca configuration/certs/ca.pem -ca-key configuration/certs/ca-key.pem -config configuration/certs/ca-config.json -profile server configuration/certs/mqtt-server.json | cfssljson -bare configuration/certs/mqtt-server
|
||||
|
@ -1,17 +0,0 @@
|
||||
{
|
||||
"signing": {
|
||||
"default": {
|
||||
"expiry": "8760h"
|
||||
},
|
||||
"profiles": {
|
||||
"server": {
|
||||
"expiry": "8760h",
|
||||
"usages": [
|
||||
"signing",
|
||||
"key encipherment",
|
||||
"server auth"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{
|
||||
"CN": "ChirpStack CA",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 4096
|
||||
}
|
||||
}
|
@ -1,10 +0,0 @@
|
||||
{
|
||||
"CN": "mqtt-broker",
|
||||
"hosts": [
|
||||
"*"
|
||||
],
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 4096
|
||||
}
|
||||
}
|
@ -97,19 +97,9 @@
|
||||
secret="you-must-replace-this"
|
||||
|
||||
|
||||
[gateway]
|
||||
client_cert_lifetime="365days"
|
||||
ca_cert="configuration/certs/ca.pem"
|
||||
ca_key="configuration/certs/ca-key.pem"
|
||||
|
||||
[integration]
|
||||
enabled=["mqtt"]
|
||||
|
||||
[integration.mqtt]
|
||||
server="tcp://$MQTT_BROKER_HOST:1883/"
|
||||
json=true
|
||||
|
||||
[integration.mqtt.client]
|
||||
client_cert_lifetime="365days"
|
||||
ca_cert="configuration/certs/ca.pem"
|
||||
ca_key="configuration/certs/ca-key.pem"
|
||||
|
@ -3,18 +3,6 @@
|
||||
# Set config-file permissions
|
||||
chown -R chirpstack:chirpstack /etc/chirpstack
|
||||
chmod 750 /etc/chirpstack
|
||||
chmod 750 /etc/chirpstack/certs
|
||||
chmod 640 /etc/chirpstack/*.toml
|
||||
|
||||
# Generate certificates
|
||||
CERTROOT=/etc/chirpstack/certs
|
||||
|
||||
if [ ! -f $CERTROOT/ca.pem ]; then
|
||||
cfssl gencert -initca $CERTROOT/ca-csr.json | cfssljson -bare $CERTROOT/ca
|
||||
fi
|
||||
|
||||
if [ ! -f $CERTROOT/mqtt-server.pem ]; then
|
||||
cfssl gencert -ca $CERTROOT/ca.pem -ca-key $CERTROOT/ca-key.pem -config $CERTROOT/ca-config.json -profile server $CERTROOT/mqtt-server.json | cfssljson -bare $CERTROOT/mqtt-server
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|