Support MQTT certificate and the key for the gateway backend #201
ebbb626 to e7937d8
Thanks for your work!
I have a couple of comments to make these config options consistent with the other TLS related config options.
Could you update these and apply these changes to lora-gateway-bridge and loraserver? Then these changes should be good to merge :-)
docs/content/install/config.md (outdated)
@@ -20,6 +20,8 @@ GLOBAL OPTIONS: | |||
--mqtt-username value mqtt server username (optional) [$MQTT_USERNAME] | |||
--mqtt-password value mqtt server password (optional) [$MQTT_PASSWORD] | |||
--mqtt-ca-cert value mqtt CA certificate file used by the gateway backend (optional) [$MQTT_CA_CERT] | |||
--mqtt-cert value mqtt certificate file used by the gateway backend (optional) [$MQTT_CERT] |
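Review bot: the flag added on the last line, --mqtt-cert with $MQTT_CERT, does not follow the naming of the other TLS options; the certificate and key flags should be --mqtt-tls-cert / $MQTT_TLS_CERT and --mqtt-tls-key / $MQTT_TLS_KEY so they read as a pair next to --mqtt-ca-cert. The help text should also say that this is the client certificate the backend presents to the broker, since the line above already describes a "certificate file used by the gateway backend" and the two are easy to confuse.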
See previous comment (--mqtt-tls-cert and --mqtt-tls-key)
} | ||
tlsconfig, err := newTLSConfig(cafile, certFile, certKeyFile) | ||
if err != nil { | ||
log.Fatalf("Error with the mqtt CA certificate: %s", err) |
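Review bot: the fatal message on the last line still reads "Error with the mqtt CA certificate", but the newTLSConfig call on the line above now also loads the TLS certificate and key, so a bad cert or key path would be reported as a CA problem. Include all three paths in the log entry, for example as structured fields ca_cert, tls_cert and tls_key with a neutral message such as "error loading mqtt certificate files", so the operator can see which file failed.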
Maybe this would print more debugging information:
log.WithError(err).WithFields(log.Fields{
"ca_cert": cafile,
"tls_cert": certFile,
"tls_key": certKeyFile,
}).Fatal("error loading mqtt certificate files")
@@ -70,23 +69,47 @@ func NewHandler(server, username, password, cafile string) (handler.Handler, err | |||
return &h, nil | |||
} | |||
|
|||
func newTLSConfig(cafile string) (*tls.Config, error) { | |||
func newTLSConfig(cafile, certFile, certKeyFile string) (*tls.Config, error) { | |||
if cafile == "" && (certFile == "" || certKeyFile == "") { |
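Review bot: the guard on the last line only short-circuits when no CA is set and the cert/key pair is incomplete, so "CA plus only one of cert/key" passes it, while "cert without key and no CA" (or key without cert) takes the early branch instead of being reported. Either reject a half-specified pair explicitly, e.g. `if (certFile == "") != (certKeyFile == "") { return nil, errors.New("mqtt tls cert and key must be set together") }`, or restrict the early return to the case where all three paths are empty and let the key-pair load fail on the missing file.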
I think there are three valid options:
- Only CA
- TLS cert + key
- CA, TLS + key
If in this case the CA cert is set + only the TLS cert or TLS key, it would pass this check, but the config is invalid I believe.
return nil, err | ||
} | ||
|
||
kp, err := tls.X509KeyPair(cert, certKey) |
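Review bot: the call on the last line, tls.X509KeyPair(cert, certKey), takes PEM bytes, which is why the function has to read both files itself and carry the `return nil, err` branches above it. tls.LoadX509KeyPair(certFile, certKeyFile) from the standard library does the reads and the parse in one call and returns an error for an empty or unreadable path, so switching to it removes the extra file handling and the duplicated error checks.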
Please use https://golang.org/pkg/crypto/tls/#LoadX509KeyPair. It allows you to directly load the files by passing the paths to these files. Saves a couple of lines ;-)
@brocaar But Travis CI is failing... I wonder why. Can it be rebuilt?
After rebuilding, fixed it :)
@brocaar How about this?
Thanks for also adding tests 👍
I've added some small comments (I think you might have missed some renames). Let me know what you think.
cmd/lora-app-server/main.go (outdated)
@@ -174,7 +174,7 @@ func setRedisPool(c *cli.Context) error { | |||
} | |||
|
|||
func setHandler(c *cli.Context) error { | |||
h, err := mqtthandler.NewHandler(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert")) | |||
h, err := mqtthandler.NewHandler(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"), c.String("mqtt-cert"), c.String("mqtt-cert-key")) |
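Review bot: the new arguments on the last line look up c.String("mqtt-cert") and c.String("mqtt-cert-key"), while the flags are documented as --mqtt-tls-cert and --mqtt-tls-key. With urfave/cli a lookup of a name that no flag defines yields an empty string rather than an error, so this mismatch would not fail at startup: the client certificate would simply never be loaded and the backend would connect without it. Rename both lookups to the documented flag names and add a test that exercises the flag wiring, not only newTLSConfig.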
c.String("mqtt-cert"), c.String("mqtt-cert-key")
That should be mqtt-tls-cert and mqtt-tls-key I think?
Uh oh, I missed... Sorry.
docs/content/install/config.md (outdated)
@@ -20,6 +20,8 @@ GLOBAL OPTIONS: | |||
--mqtt-username value mqtt server username (optional) [$MQTT_USERNAME] | |||
--mqtt-password value mqtt server password (optional) [$MQTT_PASSWORD] | |||
--mqtt-ca-cert value mqtt CA certificate file used by the gateway backend (optional) [$MQTT_CA_CERT] | |||
--mqtt-tls-cert value mqtt certificate file used by the gateway backend (optional) [$MQTT_CERT] |
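Review bot: the env var on the last line is still $MQTT_CERT although the flag was renamed to --mqtt-tls-cert; it should be $MQTT_TLS_CERT, and the key option should likewise use $MQTT_TLS_KEY rather than $MQTT_CERT_KEY. The description should also distinguish this client certificate from the CA certificate one line above, since both currently read as "mqtt ... certificate file used by the gateway backend".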
$MQTT_CERT --> $MQTT_TLS_CERT, same for $MQTT_CERT_KEY.
@@ -70,23 +75,57 @@ func NewHandler(server, username, password, cafile string) (handler.Handler, err | |||
return &h, nil | |||
} | |||
|
|||
func newTLSConfig(cafile string) (*tls.Config, error) { | |||
func newTLSConfig(cafile, certFile, certKeyFile string) (*tls.Config, error) { | |||
// Here are three valid options: |
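Review bot: the comment on the last line announces a three-way validity check, but the only input that needs special treatment in newTLSConfig is all three paths being empty (no TLS at all). A CA alone and a cert+key pair alone are both handled by simply loading whatever is set, and a half-specified pair is already rejected by tls.LoadX509KeyPair, so the explicit case analysis and its comment can go, leaving a single all-empty early return.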
Sorry for commenting on this again, but maybe it is better to remove the whole check altogether. E.g. when the user provides only a tls cert or only a tls key, tls.LoadX509KeyPair(certFile, certKeyFile) will also handle this as an error.
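The behaviour discussed in this review thread, written out as an added example that is not code from the pull request or from the lora-app-server project: a hypothetical newMQTTTLSConfig that treats only the all-empty input as "no TLS", pins the broker with the CA file when one is given, presents a client certificate when a cert/key pair is given, and relies on tls.LoadX509KeyPair to reject a half-specified pair. The self-signed fixture, the file names, the MinVersion setting and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// newMQTTTLSConfig is a hypothetical stand-in for the PR's newTLSConfig. Only the
// all-empty input means "no TLS config": a CA file pins the broker, a cert+key
// pair presents a client certificate, and a half-specified pair is rejected by
// tls.LoadX509KeyPair rather than being special-cased up front.
func newMQTTTLSConfig(caFile, certFile, keyFile string) (*tls.Config, error) {
	if caFile == "" && certFile == "" && keyFile == "" {
		return nil, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caFile != "" {
		pemBytes, err := os.ReadFile(caFile)
		if err != nil {
			return nil, fmt.Errorf("read ca cert %q: %w", caFile, err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("ca cert %q holds no PEM certificate", caFile)
		}
		cfg.RootCAs = pool
	}
	if certFile != "" || keyFile != "" {
		// An empty path on either side makes LoadX509KeyPair fail, so a cert
		// without key (or key without cert) surfaces as an error here.
		kp, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, fmt.Errorf("load client cert %q / key %q: %w", certFile, keyFile, err)
		}
		cfg.Certificates = []tls.Certificate{kp}
	}
	return cfg, nil
}

// writeSelfSignedPair writes a throwaway self-signed certificate and EC key into
// dir; it is a constructed fixture for this example, not real CA material.
func writeSelfSignedPair(dir string) (certPath, keyPath string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "client.crt"), filepath.Join(dir, "client.key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
	return certPath, keyPath, err
}

func main() {
	dir, err := os.MkdirTemp("", "mqtt-tls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	certPath, keyPath, err := writeSelfSignedPair(dir)
	if err != nil {
		panic(err)
	}
	// The combinations the review discusses, plus both half-specified pairs;
	// the self-signed cert doubles as the "CA" file for the demonstration.
	for _, in := range [][3]string{
		{"", "", ""}, {certPath, "", ""}, {"", certPath, keyPath},
		{certPath, certPath, keyPath}, {"", certPath, ""}, {certPath, "", keyPath},
	} {
		cfg, err := newMQTTTLSConfig(in[0], in[1], in[2])
		fmt.Printf("ca=%t cert=%t key=%t -> config=%t err=%v\n",
			in[0] != "", in[1] != "", in[2] != "", cfg != nil, err)
	}
}
```

The point of making a half-specified pair fail loudly is operational: a backend that silently drops its client certificate still connects over TLS and then fails authentication at the broker, which is far harder to diagnose from the broker's logs than a startup error naming the missing file.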
I'm sorry for my late reply (I lost my Internet connection...). I fixed some typos and redundant MQTT TLS argument validation. Could you review this patch again?
Thanks for your contribution! I've merged your pull-request :-)
Thank you so much for your merging!
Yes, please do! That would be much appreciated :-)
Sure, I'll do that!
brocaar/chirpstack-network-server#284 has the same motivation.