Closed chaudhariatul closed 1 year ago
Hi @chaudhariatul !
Not sure if you are already doing it like this but: since you are using CUPS you should define the CUPS_TRUST variable when creating your basicstation container (in the docker-compose.yml
file, for instance). The content of the variable should be a one-liner of the root certificate, someting you can get by:
cat <path_to_ca.pem_file> | tr -d '\n'
Hi @xoseperez , yes I have tried as your document suggests to use the certificate in one line. I have also added the root certificate created from this step to the linux host where I'm running the basicstation.
https://www.thethingsindustries.com/docs/getting-started/installation/certificates/
Hi @chaudhariatul. The BasicStation container does not have access to its root certificates folder, s that step is unneeded. The error suggests the certificate is wrong. If you can login into the stack webUI without problem (after accepting the self-signed certificate) then they have been created right.Double check that you are correctly generating the one-line cert from the ca.pem file used in your The Things Stack instance. Also, check that you are accessing the The Things Stack instance using the hostname you used for the certificate, it should be the same hostname/IP you are using to access the UI.
Hi @xoseperez ,
That's correct. I used the ca.pem file in the docker-compose.yml file.
Is there a way to skip 'CN' verification or disable SSL check?
I'm still getting this error:
basicstation | 2022-08-22 01:54:22.599 [SYS:INFO] Logging : stderr (maxsize=10000000, rotate=3)
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] Station Ver : 2.0.6(corecell/stdn) 2022-08-02 06:49:20
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] Package Ver : (null)
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] mbedTLS Ver : 2.28.0
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] proto EUI : e45f:1ff:fe92:2f6 (station.conf)
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] prefix EUI : ::1 (builtin)
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] Station EUI : e45f:1ff:fe92:2f6
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] Station home: ./ (builtin)
basicstation | 2022-08-22 01:54:22.600 [SYS:INFO] Station temp: /var/tmp/ (builtin)
basicstation | 2022-08-22 01:54:22.600 [SYS:WARN] Station in NO-CUPS mode
basicstation | 2022-08-22 01:54:22.602 [RAL:DEBU] execvp argv[0]: </proc/self/exe>
basicstation | 2022-08-22 01:54:22.602 [RAL:DEBU] argv[1]: <-S>
basicstation | 2022-08-22 01:54:22.603 [RAL:DEBU] argv[2]: <(null)>
basicstation | 2022-08-22 01:54:22.605 [S00:INFO] Logging : stderr (maxsize=10000000, rotate=3)
basicstation | 2022-08-22 01:54:22.605 [S00:INFO] Station Ver : 2.0.6(corecell/stdn) 2022-08-02 06:49:20
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Package Ver : (null)
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] mbedTLS Ver : 2.28.0
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] proto EUI : e45f:1ff:fe92:2f6 (station.conf)
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] prefix EUI : ::1 (builtin)
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Station EUI : e45f:1ff:fe92:2f6
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Station home: ./ (builtin)
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Station temp: /var/tmp/ (builtin)
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Station slave: 0
basicstation | 2022-08-22 01:54:22.606 [S00:WARN] Station in NO-CUPS mode
basicstation | 2022-08-22 01:54:22.606 [S00:INFO] Slave LGW (0) - started.
basicstation | 2022-08-22 01:54:22.602 [RAL:INFO] Master has started slave: pid=34 idx=0 (attempt 1)
basicstation | 2022-08-22 01:54:22.802 [TCE:INFO] Starting TC engine
basicstation | 2022-08-22 01:54:22.803 [AIO:INFO] ./tc.trust:
basicstation | cert. version : 3
basicstation | serial number : 2F:64:54:79:96:FC:EC:F9:24:31:F6:36:CD:BD:74:79:43:6A:55:93
basicstation | issuer name : C=US, ST=CA, L=SJ, O=Tech, CN=Tech
basicstation | subject name : C=US, ST=CA, L=SJ, O=Tech, CN=Tech
basicstation | issued on : 2022-08-22 01:47:00
basicstation | expires on : 2027-08-21 01:47:00
basicstation | signed using : ECDSA with SHA256
basicstation | EC key size : 256 bits
basicstation | basic constraints : CA=true
basicstation | key usage : Key Cert Sign, CRL Sign
basicstation | 2022-08-22 01:54:22.803 [TCE:INFO] Connecting to INFOS: wss://192.168.0.47:8887
basicstation | 2022-08-22 01:54:22.838 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
basicstation | 2022-08-22 01:54:22.838 [AIO:DEBU] [4] WS connection shutdown...
basicstation | 2022-08-22 01:54:22.838 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)
basicstation | 2022-08-22 01:54:22.838 [AIO:INFO] ./tc.trust:
basicstation | cert. version : 3
basicstation | serial number : 2F:64:54:79:96:FC:EC:F9:24:31:F6:36:CD:BD:74:79:43:6A:55:93
basicstation | issuer name : C=US, ST=CA, L=SJ, O=Tech, CN=Tech
basicstation | subject name : C=US, ST=CA, L=SJ, O=Tech, CN=Tech
basicstation | issued on : 2022-08-22 01:47:00
basicstation | expires on : 2027-08-21 01:47:00
basicstation | signed using : ECDSA with SHA256
basicstation | EC key size : 256 bits
basicstation | basic constraints : CA=true
basicstation | key usage : Key Cert Sign, CRL Sign
basicstation | 2022-08-22 01:54:22.839 [TCE:INFO] Connecting to INFOS: wss://192.168.0.47:8887
basicstation | 2022-08-22 01:54:22.873 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
basicstation | 2022-08-22 01:54:22.873 [AIO:DEBU] [4] WS connection shutdown...
basicstation | 2022-08-22 01:54:22.873 [TCE:INFO] INFOS reconnect backoff 10s (retry 1)
No, there is no way and I guess that's the point. It certainly looks like the IP you are using to access the TTS (192.168.0.47) is not the one the certificate was generated against. How are you accessing the TTS web UI? You could try using the same IP or domain name.
Hi @xoseperez ,
I created the certificates using cfssl and this as the cert.json. In the web ui in the browser I'm accessing using the same IP.
{
"hosts": ["192.168.0.47"],
"names": [
{"C": "US", "ST": "CA", "L": "SJ", "O": "Tech"}
]
}
This maybe an issue with Thingstack open source: https://www.thethingsnetwork.org/forum/t/rak2287-with-open-source-stack-on-localhost/58561
Hi @chaudhariatul, sorry it took me some time to debug the issue. I found using an IP is somewhat limited on the options it offers. I had to tweak the way the certificate is being created. You can check how I am doing it here:
But, even this way not all combinations are working. This tables tries to summarize my tests, hope it can help you find a working approach:
BasicStation configuration |
If Common Name is an IP |
If Common Name is a domain name |
---|---|---|
Using localhost: LNS1 | OK | OK |
Using localhost: CUPS1 | ERROR (Common Name mismatch) | OK2 |
Using localhost: Web UI | OK | OK |
Using IP: LNS | ERROR (Common Name mismatch) | ERROR (Common Name mismatch) |
Using IP: CUPS | ERROR (CA check fail) | ERROR (CA check fail) |
Using IP: Web UI | OK | OK3 |
Using domain name: LNS | ERROR (Common Name mismatch) | OK |
Using domain name: CUPS | ERROR (CA check fail) | OK |
Using domain name: Web UI | OK4 | OK |
wss://<domain_name>:8887
)https://<domain_name>
after login, hence domain name must resolve to the IP.https://<ip>
after login, hence domain name must resolve to the same IP.So:
wss://localhost:8887
. CUPS does not work. This is OK for isolated standalone gateways (packet forwarder and network server).@xoseperez I sincerely appreciate your efforts here!
I will definitely try this today and update you!
Hi @xoseperez I'm still getting the same error
basicstation | 2022-08-28 03:58:05.460 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)
basicstation | 2022-08-28 03:58:05.460 [AIO:INFO] ./tc.trust:
basicstation | cert. version : 3
basicstation | serial number : 21:94:0F:B3:7C:21:4F:C2:60:79:31:38:A1:2E:2A:97:8A:4F:3E:E1
basicstation | issuer name : C=ES, ST=Catalunya, L=Barcelona, O=TTN Catalunya, CN=192.168.0.247
basicstation | subject name : C=ES, ST=Catalunya, L=Barcelona, O=TTN Catalunya, CN=192.168.0.247
basicstation | issued on : 2022-08-28 03:47:00
basicstation | expires on : 2027-08-27 03:47:00
basicstation | signed using : RSA with SHA-256
basicstation | RSA key size : 2048 bits
basicstation | basic constraints : CA=true, max_pathlen2022-08-28 03:58:05.460 [TCE:INFO] Connecting to INFOS: wss://192.168.0.247:8887
basicstation | 2022-08-28 03:58:05.481 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
basicstation | 2022-08-28 03:58:05.481 [AIO:DEBU] [4] WS connection shutdown...
basicstation | 2022-08-28 03:58:05.482 [TCE:INFO] INFOS reconnect backoff 10s (retry 1)
Do you have any DNS service running on your raspberry? If yes What are the A records added?
I have a pi-hole running on the same network. Used that to assign a name to the raspberry under a domain of mine. It should resolve from your BasicStation container and from the PC you us to access the TTS.
lns.example.com A 192.168.0.247
And then use that same domain name in your ttn-lw-stack.yml file. If your basicstation container is in the same machine as the TTS, just use wss://localhost:8887 as your LNS server (set the container to network_mode host so localhost resolves to the host).
@xoseperez Perfect! That worked!
Great!! So good you finally made it work!
Just for future reference, there could be another approach to address the issue. LoRa Basics Station allows to disable the server name indication (SNI) check by setting the environment variable TLS_SNI=false
. The SNI check is mostly needed when public CAs are used in your security architecture (as it is the case on the public TTN network, where the certificates are signed by Let's Encrypt). When you operate your own CA, then just checking the validity of the server certificate is enough in most scenarios. Hence, it is safe to set TLS_SNI=false
whenever private CAs are used. Maybe you can give that a try?
Sure @beitler, will test it and update the docs. Thanks for sharing!
Tested all the scenarios where it was not working before and they all work with "TLS_SNI: false" in the environment section. Thanks again @beitler ! Will update the documentation now.
While connecting RAK7371 to Things Stack running on a localhost in docker container these are the errors I get on the basicstation container.
The root certificate created while creating self-signed certificates is added to /usr/local/share/ca-certificates/ and
sudo update-ca-certificates
I'm running this on a 64 bit raspibian on Raspberry Pi 4B with 8GB ram.