How to make Gateway MQTT Bridge work with public SSL certificates

(Roman St) #1

I use Let’s Encrypt certificates that are publicly signed, so I don’t have CA, TLS certs and TLS Key. Normally, other MQTT clients allow to set option for “CA signed” certificates, so the PEM files are not needed. I could not find any info on how to generate these PEM files you require from Let’s Encrypt certificates. How can I make this work with your gateway MQTT client?

(Todor Velev) #2

Hi @roman. @Fomi maybe will answer you most accurate here.
Did you try described cross signing .

Best regards

(Fomi Tong) #3

Hi, @roman

Which gateway are you using?

(Roman St) #4

@Fomi, I’m using RAK7249 and RAK7248

(Fomi Tong) #5

@yutao Please help to answer this question.

(yutao) #6

Sorry, I don’t know how Let’s Encrypt certificates work. But I think that those mqtt clients that don’t need a CA certificate may be because they have a built-in CA certificate for the root certificate authority. However, the RAK7240 and RAK7258 do not have a built-in CA certificate. The SSL certificate issued by Let’s Encrypt Certificates also requires a CA certificate. Maybe you can use the Internet to check which CA institution is used by Let’s Encrypt Certifcates and obtain the CA certificate of the institution.

(yutao) #7

I am learning how Let’s Encrypt works. Regarding “option for CA signed certificates”, can you tell me which mqtt client provides this option? I want to refer to it.

(Roman St) #8

for example: Node-Red, MQTTBox

(Roman St) #9

@yutao, this is not a question specific to Let’s Encrypt, but to any CA using public certificates. Your client needs to interface directly to the public CA to get the certificates without asking for a private key. Writing a private key into a gateway that is deployed into field is almost always a bad security practice.

(yutao) #10

Does this mean that I need to have the root certificate of all public CAs built into the lora gateway? Or request authentication from a CA agency over the network?

(yutao) #11

@roman I will try to add a system ca-certificates software to loragateway. Maybe this software can help solve your problem. Do you need to fill in the TLS CERT/TLS KEY, depending on whether the mqtt broker has enabled mutual authentication.

(Roman St) #12

@yutao, the right thing to do is to dynamically get the certificates from the network, as they change often. And, I think it’s best if you provide both options for self-signed and CA certificates, as other MQTT clients do. Some people will want to use self-signed option.

(yutao) #13

@roman Thank you very much for your advice. I am trying to achieve in the next version