Configuration with Client Certificates
[mqtt]
topic_prefix="eu868"
server="ssl://my.broker.com:18883"
username=""
password=""
ca_cert="/etc/chirpstack-mqtt-forwarder/root_ca.crt"
tls_cert="/etc/chirpstack-mqtt-forwarder/client.crt"
tls_key="/etc/chirpstack-mqtt-forwarder/client.key"
client_id="lorawan-gateway-dragino"
Observed Behavior
The MQTT client is configured, but no connection attempt is made to the broker. Broker logs show no connection attempts from the Dragino's IP.
Comparison: Username/Password with TLS Works
With the following configuration (username/password auth, with TLS), the connection works perfectly:
[mqtt]
topic_prefix="eu868"
server="ssl://my.broker.com:18883"
username="chirpstack"
password="***"
ca_cert="/etc/chirpstack-mqtt-forwarder/root_ca.crt"
client_id="lorawan-gateway-dragino"
Relevant Log Output (mTLS Configuration)
Starting ChirpStack MQTT Forwarder (version: 4.3.1)
Setting up Semtech UDP Packet Forwarder backend
Binding UDP socket, bind: 0.0.0.0:1700
Retrieving Gateway ID from backend
Received Gateway ID from backend, gateway_id: a84041ffff2b89fa
Setting up MQTT client
Configuring client with TLS certificate, ca_cert: ..., tls_cert: ..., tls_key: ...
add_parsable_certificates processed 129 valid and 0 invalid certs
No further log entries after this – no connection attempt.
Yes, I know I'm using an unusual port here (18883). I want to use different listeners and this shouldn't be a problem, right?
Already Tried
- ca_chain.crt (root + intermediate CA) instead of root_ca.crt
- Server URL with IP address instead of hostname
- Verified full certificate chain on broker
- Network connectivity confirmed (e.g. nc to broker works)
Is there any known problem with mTLS (cert/key)?
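A pre-flight check for the three files named in the mTLS configuration above, added here as an example (it is not part of the original post and not ChirpStack code). It inspects PEM structure and block labels only, so it flags swapped, DER-encoded, unreadable or passphrase-protected files but does not verify that the key matches the certificate; the function names and the minimal key="value" parser are assumptions of this example.

```python
import base64
import re
from pathlib import Path

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}  # unencrypted key labels
EXPECTED = {"ca_cert": {"CERTIFICATE"}, "tls_cert": {"CERTIFICATE"}, "tls_key": KEY_LABELS}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OPTION = re.compile(r'^(\w+)\s*=\s*"(.*)"$')


def mqtt_options(config_text):
    """Collect key="value" pairs from the [mqtt] section (minimal, not a full TOML parser)."""
    section, options = None, {}
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "mqtt" and (m := OPTION.match(line)):
            options[m.group(1)] = m.group(2)
    return options


def check_pem(option, text):
    """Return a problem string for one file's contents, or None if it looks usable."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "no PEM block found (DER-encoded or empty file?)"
    for label, body in blocks:
        if label not in EXPECTED[option]:
            return f"unexpected PEM block '{label}'"
        if "Proc-Type" in body:  # legacy OpenSSL encryption header inside the block
            return "key is passphrase-protected (the config shown has no passphrase option)"
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "PEM body is not valid base64"


def preflight(config_text):
    """Return (option, problem) findings for ca_cert, tls_cert and tls_key."""
    findings = []
    for option, path in mqtt_options(config_text).items():
        if option in EXPECTED and path:
            try:
                problem = check_pem(option, Path(path).read_text(errors="replace"))
            except OSError as exc:
                problem = f"cannot read file: {exc.strerror}"
            if problem:
                findings.append((option, problem))
    return findings
```

Run it as the same user the forwarder runs as, passing the text of the forwarder's configuration file to preflight(), so that file-permission problems show up as findings too.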