From e917f8ea49c1372e241d923086c871d039f6e9f2 Mon Sep 17 00:00:00 2001
From: Orne Brocaar
Date: Sun, 21 Aug 2022 19:48:01 +0100
Subject: [PATCH] Remove default CA and MQTT cert gen. on install.

In case of mult-server deployments, this can be confusing as each VM generates different certificate files by default, where all instances must share the same certificate (or at least CA certificate + key).

The other issue is that the MQTT broker certificate must contain the correct hostname, which can (most of the times) not automatically be retrieved.

Documentation to generate these certificates can be found here: https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html
---
 .gitignore | 6 +-----
 chirpstack/Cargo.toml | 5 -----
 chirpstack/Makefile | 8 +-------
 chirpstack/configuration/certs/ca-config.json | 17 -----------------
 chirpstack/configuration/certs/ca-csr.json | 7 -------
 chirpstack/configuration/certs/mqtt-server.json | 10 ----------
 chirpstack/configuration/chirpstack.toml | 10 ----------
 chirpstack/debian/postinst | 12 ------------
 8 files changed, 2 insertions(+), 73 deletions(-)
 delete mode 100644 chirpstack/configuration/certs/ca-config.json
 delete mode 100644 chirpstack/configuration/certs/ca-csr.json
 delete mode 100644 chirpstack/configuration/certs/mqtt-server.json

diff --git a/.gitignore b/.gitignore
index fab9aad1..4ea24f82 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,11 +13,7 @@
 **/target
 
 # Certificates
-/chirpstack/configuration/certs/*.crt
-/chirpstack/configuration/certs/*.key
-/chirpstack/configuration/certs/*.trust
-/chirpstack/configuration/certs/*.pem
-/chirpstack/configuration/certs/*.csr
+/chirpstack/configuration/certs/*
 /chirpstack/configuration/private_*.toml
 
 # UI
diff --git a/chirpstack/Cargo.toml b/chirpstack/Cargo.toml
index 57775ff0..071757e7 100644
--- a/chirpstack/Cargo.toml
+++ b/chirpstack/Cargo.toml
@@ -120,13 +120,9 @@ bytes = "1.1"
 assets = [
 ["target/release/chirpstack", "usr/bin/", "755"],
 ["configuration/*.toml", "etc/chirpstack/", "640"],
- ["configuration/certs/*.json", "etc/chirpstack/certs", "640"],
 ["debian/environment.conf", "etc/systemd/system/chirpstack.service.d/environment.conf", "640"],
 ]
 conf-files = [
- "/etc/chirpstack/certs/ca-config.json",
- "/etc/chirpstack/certs/ca-csr.json",
- "/etc/chirpstack/certs/mqtt-server.json",
 "/etc/chirpstack/chirpstack.toml",
 "/etc/chirpstack/region_as923.toml",
 "/etc/chirpstack/region_as923_2.toml",
@@ -156,7 +152,6 @@ conf-files = [
 "/etc/chirpstack/region_us915_6.toml",
 "/etc/chirpstack/region_us915_7.toml",
 ]
-depends = "$auto, golang-cfssl"
 suggests = "postgresql, mosquitto, redis"
 maintainer-scripts = "debian/"
 systemd-units = { enable = true }
diff --git a/chirpstack/Makefile b/chirpstack/Makefile
index 0294e3b5..285f5738 100644
--- a/chirpstack/Makefile
+++ b/chirpstack/Makefile
@@ -111,14 +111,8 @@ test:
 test-lrwn:
 cd ../lrwn && make test
 
-test-server: debug-amd64 configuration/certs/ca.pem
+test-server: debug-amd64
 ../target/debug/chirpstack -c ./configuration
 
 dbshell:
 psql -h postgres -U chirpstack chirpstack
-
-configuration/certs/ca.pem:
- cfssl gencert -initca configuration/certs/ca-csr.json | cfssljson -bare configuration/certs/ca
-
-configuration/certs/mqtt-server.pem: configuration/certs/ca.pem
- cfssl gencert -ca configuration/certs/ca.pem -ca-key configuration/certs/ca-key.pem -config configuration/certs/ca-config.json -profile server configuration/certs/mqtt-server.json | cfssljson -bare configuration/certs/mqtt-server
diff --git a/chirpstack/configuration/certs/ca-config.json b/chirpstack/configuration/certs/ca-config.json
deleted file mode 100644
index 3cf34d5d..00000000
--- a/chirpstack/configuration/certs/ca-config.json
+++ /dev/null
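Review bot: Dropping `/etc/chirpstack/certs/ca-config.json`, `ca-csr.json` and `mqtt-server.json` from `conf-files` does not remove them from hosts that already installed an earlier package; dpkg leaves a conffile in place when it disappears from the package unless a maintainer script removes it explicitly, so upgraded systems keep three orphaned cfssl templates in a directory the package no longer manages. The usual handling is one `dpkg-maintscript-helper rm_conffile /etc/chirpstack/certs/ca-config.json <last-version-that-shipped-it> -- "$@"` call per file in the maintainer scripts under `debian/`, which the postinst hunk later in this patch does not add. The removed `assets` entry for `configuration/certs/*.json` is consistent with the file deletions and needs nothing further.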
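Review bot: Removing the `depends` key entirely, rather than trimming it to `depends = "$auto"`, leaves the runtime dependency list to cargo-deb's default; that default is `$auto` as far as I know, so shared-library dependencies should still be detected, but an explicit `depends = "$auto"` next to `suggests` keeps the intent visible and guards against a future change of the default. Note that `mosquitto` remains in `suggests` while the broker certificate is no longer generated at install time, so the package description or a shipped comment could point operators at the TLS guide named in the commit message.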
@@ -1,17 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "server": {
- "expiry": "8760h",
- "usages": [
- "signing",
- "key encipherment",
- "server auth"
- ]
- }
- }
- }
-}
diff --git a/chirpstack/configuration/certs/ca-csr.json b/chirpstack/configuration/certs/ca-csr.json
deleted file mode 100644
index a5be2270..00000000
--- a/chirpstack/configuration/certs/ca-csr.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "CN": "ChirpStack CA",
- "key": {
- "algo": "rsa",
- "size": 4096
- }
-}
diff --git a/chirpstack/configuration/certs/mqtt-server.json b/chirpstack/configuration/certs/mqtt-server.json
deleted file mode 100644
index 0e4f5bc5..00000000
--- a/chirpstack/configuration/certs/mqtt-server.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "CN": "mqtt-broker",
- "hosts": [
- "*"
- ],
- "key": {
- "algo": "rsa",
- "size": 4096
- }
-}
diff --git a/chirpstack/configuration/chirpstack.toml b/chirpstack/configuration/chirpstack.toml
index f22e1ef9..5c6877a5 100644
--- a/chirpstack/configuration/chirpstack.toml
+++ b/chirpstack/configuration/chirpstack.toml
@@ -97,19 +97,9 @@
 secret="you-must-replace-this"
 
-[gateway]
- client_cert_lifetime="365days"
- ca_cert="configuration/certs/ca.pem"
- ca_key="configuration/certs/ca-key.pem"
-
 [integration]
 enabled=["mqtt"]
 
 [integration.mqtt]
 server="tcp://$MQTT_BROKER_HOST:1883/"
 json=true
-
- [integration.mqtt.client]
- client_cert_lifetime="365days"
- ca_cert="configuration/certs/ca.pem"
- ca_key="configuration/certs/ca-key.pem"
 
diff --git a/chirpstack/debian/postinst b/chirpstack/debian/postinst
index e319ea60..0aa83ba6 100644
--- a/chirpstack/debian/postinst
+++ b/chirpstack/debian/postinst
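Review bot: With `[gateway]` and `[integration.mqtt.client]` removed, this development config no longer records anywhere that gateway and MQTT client certificate issuance is left unconfigured until a CA is supplied, so a developer running `make test-server` presumably gets those features silently disabled without a hint why. A comment above `[integration]` such as `# No CA is configured here: gateway / MQTT client certificate generation is disabled. See https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html` would keep that discoverable. Whether the server tolerates a missing `[gateway]` section, and what defaults it then applies, depends on its config loader, which is not visible in this patch.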
@@ -3,18 +3,6 @@
 # Set config-file permissions
 chown -R chirpstack:chirpstack /etc/chirpstack
 chmod 750 /etc/chirpstack
-chmod 750 /etc/chirpstack/certs
 chmod 640 /etc/chirpstack/*.toml
 
-# Generate certificates
-CERTROOT=/etc/chirpstack/certs
-
-if [ ! -f $CERTROOT/ca.pem ]; then
- cfssl gencert -initca $CERTROOT/ca-csr.json | cfssljson -bare $CERTROOT/ca
-fi
-
-if [ ! -f $CERTROOT/mqtt-server.pem ]; then
- cfssl gencert -ca $CERTROOT/ca.pem -ca-key $CERTROOT/ca-key.pem -config $CERTROOT/ca-config.json -profile server $CERTROOT/mqtt-server.json | cfssljson -bare $CERTROOT/mqtt-server
-fi
-
 #DEBHELPER#
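Review bot: Removing `chmod 750 /etc/chirpstack/certs` together with the generation block leaves the upgrade path unaddressed: a host upgrading from a release whose postinst generated `ca.pem`/`ca-key.pem` keeps that CA private key under /etc/chirpstack/certs, and the script no longer reasserts the directory mode, although the `chown -R` context line above still fixes ownership. If a pre-existing CA is meant to stay usable, a guarded `[ -d /etc/chirpstack/certs ] && chmod 750 /etc/chirpstack/certs` preserves the previous protection of the key directory; if not, the postinst could at least print a notice naming the directory so the operator knows the key material is no longer managed. A comment in place of the removed block, e.g. `# Certificates are no longer generated at install time; see https://www.chirpstack.io/docs/guides/mosquitto-tls-configuration.html`, would record why the step disappeared.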