BasicStation: The certificate Common Name (CN) does not match #5

Open
sagar-patel-sls opened this issue Feb 9, 2021 · 7 comments

Comments

@sagar-patel-sls

I have generated SSL certificates and am getting the error below while configuring the SSL/TLS certificate in the basic-station:

2021-02-08 11:35:23.958 [CUP:INFO] Connecting to CUPS-boot ... https://127.0.0.1:3001 (try #107)
2021-02-08 11:35:23.958 [AIO:ERRO] cups URI requires TLS but no trust configured
2021-02-08 11:35:23.958 [CUP:INFO] Interaction with CUPS failed - retrying in 1m
2021-02-08 11:35:55.045 [any:INFO] ./tc.trust:
cert. version     : 3
serial number     : 3C:42:12:02:01:D2:63:C3:1D:E6:50:FD:84:77:DF:F3:1C:CB:2F:9F
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-02-08 09:57:00
expires on        : 2026-02-07 09:57:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-02-08 11:35:55.154 [any:INFO] ./tc.crt:
cert. version     : 3
serial number     : 69:F9:D2:19:E7:26:35:B0:A0:E6:92:5B:18:8F:A8:8A:C9:88:08:91
issuer name       : CN=ChirpStack CA
subject name      : CN=0011223344556677
issued  on        : 2021-02-08 09:57:00
expires on        : 2022-02-08 09:57:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  :
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Clien2021-02-08 11:35:55.154 [AIO:INFO]
2021-02-08 11:35:55.156 [TCE:INFO] Connecting to INFOS: wss://https://127.0.0.1:3001
2021-02-08 11:35:55.180 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-02-08 11:35:55.180 [AIO:DEBU] [4] WS connection shutdown...
2021-02-08 11:35:55.194 [TCE:INFO] INFOS reconnect backoff 60s (retry 7)

chirpstack-gateway-bridge configuration

# TLS certificate and key files.
#
# When set, the websocket listener will use TLS to secure the connections
# between the gateways and ChirpStack Gateway Bridge (optional).
tls_cert = "cert/basicstation-server.pem"
tls_key = "cert/basicstation-server-key.pem"

# TLS CA certificate.
#
# When configured, ChirpStack Gateway Bridge will validate that the client
# certificate of the gateway has been signed by this CA certificate.
ca_cert = "cert/ca.pem"
@brocaar
Collaborator

brocaar commented Feb 10, 2021

What is the ID of your gateway?

@sagar-patel-sls
Author

What is the ID of your gateway?

6f114e6bfcc4e407

I have generated a certificate with this gatewayID, 6f114e6bfcc4e407, but unfortunately I didn't succeed.

I have already used the gateway-bridge client certificate in the *.key and *.crt files.

@brocaar
Collaborator

brocaar commented Feb 10, 2021

Please see the logs:

subject name : CN=0011223344556677

0011223344556677 != 6f114e6bfcc4e407, which explains the error:

The certificate Common Name (CN) does not match with the expected CN

@sagar-patel-sls
Author

Hi @brocaar
Thanks for your reply
I have re-generated the certificates with the 6f114e6bfcc4e407 gatewayID but am getting the same error.

@MatteoAndreoni

I'm getting the same error. Chirpstack-gateway-bridge configuration file settings are the same as @sagar-patel-sls.

2021-03-26 22:53:31.923 [SYS:INFO] Logging     : stderr (maxsize=10000000, rotate=3)
2021-03-26 22:53:31.923 [SYS:INFO] Station Ver : 2.0.5(rpi/std) 2021-03-20 00:10:49
2021-03-26 22:53:31.923 [SYS:INFO] Package Ver : 2.0.4
2021-03-26 22:53:31.923 [SYS:INFO] proto EUI   : dca6:32ff:fe42:5e49	(station.conf)
2021-03-26 22:53:31.923 [SYS:INFO] prefix EUI  : ::1	(builtin)
2021-03-26 22:53:31.923 [SYS:INFO] Station EUI : dca6:32ff:fe42:5e49
2021-03-26 22:53:31.923 [SYS:INFO] Station home: ./	(builtin)
2021-03-26 22:53:31.923 [SYS:INFO] Station temp: /var/tmp/	(builtin)
2021-03-26 22:53:31.923 [SYS:WARN] Station in NO-CUPS mode
2021-03-26 22:53:32.125 [TCE:INFO] Starting TC engine
2021-03-26 22:53:32.126 [any:INFO] ./tc.trust: 
cert. version     : 3
serial number     : 3F:04:96:2B:40:1C:94:CA:DA:A2:2D:25:8E:61:5F:B6:74:09:C6:01
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-03-25 23:59:00
expires on        : 2026-03-24 23:59:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-03-26 22:53:32.126 [AIO:INFO] tc has no key+cert configured - running server auth only
2021-03-26 22:53:32.130 [TCE:INFO] Connecting to INFOS: wss://192.168.1.153:3001
2021-03-26 22:53:32.153 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-03-26 22:53:32.153 [AIO:DEBU] [3] WS connection shutdown...

chirpstack-gateway-bridge log
chirpstack-gateway-bridge[1975]: 2021/03/26 23:06:08 http: TLS handshake error from 192.168.1.218:46864: remote error: tls: bad certificate

@brocaar
Collaborator

brocaar commented Mar 29, 2021

@MatteoAndreoni you have configured the ChirpStack Gateway Bridge to validate the client-certificate, but you have not configured a client-certificate on the BasicStation:

tc has no key+cert configured - running server auth only

@MatteoAndreoni

MatteoAndreoni commented Mar 29, 2021

@brocaar I also tried with key + cert but the result is the same

2021-03-29 16:40:04.328 [SYS:INFO] Logging     : stderr (maxsize=10000000, rotate=3)
2021-03-29 16:40:04.328 [SYS:INFO] Station Ver : 2.0.5(rpi/std) 2021-03-20 00:10:49
2021-03-29 16:40:04.328 [SYS:INFO] Package Ver : 2.0.4
2021-03-29 16:40:04.328 [SYS:INFO] proto EUI   : 0:dca6:3242:5e49	(/sys/class/net/wlan0/address)
2021-03-29 16:40:04.328 [SYS:INFO] prefix EUI  : ::1	(builtin)
2021-03-29 16:40:04.328 [SYS:INFO] Station EUI : dca6:32ff:fe42:5e49
2021-03-29 16:40:04.328 [SYS:INFO] Station home: ./	(builtin)
2021-03-29 16:40:04.328 [SYS:INFO] Station temp: /var/tmp/	(builtin)
2021-03-29 16:40:04.328 [SYS:WARN] Station in NO-CUPS mode
2021-03-29 16:40:04.530 [TCE:INFO] Starting TC engine
2021-03-29 16:40:04.531 [any:INFO] ./tc.trust: 
cert. version     : 3
serial number     : 6A:FF:ED:2E:98:63:8E:E8:27:9E:E0:AD:9E:A2:4A:AF:CD:F1:E5:20
issuer name       : CN=ChirpStack CA
subject name      : CN=ChirpStack CA
issued  on        : 2021-03-28 01:17:00
expires on        : 2026-03-27 01:17:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2021-03-29 16:40:04.549 [any:INFO] ./tc.crt: 
cert. version     : 3
serial number     : E0:8B:C7:19:61:9C:65:99:DF:9A:32:DB:A7:96:B1:4C
issuer name       : CN=ChirpStack CA
subject name      : CN=dca632fffe425e49
issued  on        : 2021-03-29 16:39:30
expires on        : 2022-03-29 16:39:30
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature
ext key usage     : TLS Web Client Authentication
2021-03-29 16:40:04.549 [AIO:INFO] 
2021-03-29 16:40:04.554 [AIO:XDEB] [3] ws_connecting state=1
2021-03-29 16:40:04.554 [TCE:INFO] Connecting to INFOS: wss://192.168.1.153:3001
2021-03-29 16:40:04.570 [AIO:XDEB] [3] ws_connecting state=1
2021-03-29 16:40:04.572 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
2021-03-29 16:40:04.572 [AIO:DEBU] [3] WS connection shutdown...
2021-03-29 16:40:04.572 [TCE:INFO] INFOS reconnect backoff 0s (retry 0)
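
A log triage helper for the station output quoted in this thread, added here as an example (it is not code from the thread, from ChirpStack or from Basic Station): it reports whether the station rejected the server's certificate, which host it dialled, and whether the CN of ./tc.crt equals the Station EUI. The function names and the condensed sample log are constructed for illustration, and the parser assumes the station keeps the line formats shown above.

```python
import re

# Constructed sample: lines condensed from the station log in the last comment above.
SAMPLE_LOG = """\
2021-03-29 16:40:04.328 [SYS:INFO] Station EUI : dca6:32ff:fe42:5e49
2021-03-29 16:40:04.531 [any:INFO] ./tc.trust:
subject name      : CN=ChirpStack CA
2021-03-29 16:40:04.549 [any:INFO] ./tc.crt:
subject name      : CN=dca632fffe425e49
2021-03-29 16:40:04.554 [TCE:INFO] Connecting to INFOS: wss://192.168.1.153:3001
2021-03-29 16:40:04.572 [AIO:INFO] TLS server certificate verification failed: The certificate Common Name (CN) does not match with the expected CN
"""

def normalize_eui(text):
    """'dca6:32ff:fe42:5e49' -> 'dca632fffe425e49'; short groups are zero-padded."""
    groups = text.strip().lower().split(":")
    if len(groups) != 4 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"unexpected EUI format: {text!r}")
    return "".join(g.zfill(4) for g in groups)

def analyze(log):
    """Summarise what the station presented, what it dialled and which check failed."""
    subjects, current = {}, None
    out = {"eui": None, "uri": None, "client_cert": True, "server_cert_rejected": False}
    for line in log.splitlines():
        if m := re.search(r"\[any:INFO\] (\S+):\s*$", line):
            current = m.group(1)  # start of a certificate dump, e.g. ./tc.crt
        elif m := re.match(r"subject name\s*:\s*CN=(.+?)\s*$", line):
            subjects.setdefault(current, m.group(1))
        elif m := re.search(r"Station EUI\s*:\s*(\S+)", line):
            out["eui"] = normalize_eui(m.group(1))
        elif m := re.search(r"Connecting to INFOS: (\S+)", line):
            out["uri"] = m.group(1)
        elif "TLS server certificate verification failed" in line:
            out["server_cert_rejected"] = True  # the station rejected the server's cert
        elif "no key+cert configured" in line:
            out["client_cert"] = False  # station runs server auth only
    out["client_cn"] = subjects.get("./tc.crt")
    out["client_cn_matches_eui"] = (
        out["client_cn"] is not None and out["client_cn"].lower() == out["eui"])
    # Host the station dialled; a doubled scheme (wss://https://...) gives no usable host.
    m = re.fullmatch(r"wss?://(\[[^\]]+\]|[^:/\[\]]+)(:\d+)?(/.*)?", out["uri"] or "")
    out["host"] = m.group(1) if m else None
    return out

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:22}: {value}")
```

On the sample, the client CN and the Station EUI are identical, while the failing line is the station's own verification of the server certificate presented at 192.168.1.153.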
