Problems with basicstation

To narrow it down the objectives would be:

  • Enable multi-container for Balena flavored Basicstation
  • Clean up unreliable certs
  • Clean up time sync errors
  • Enable basicstation > chirpstack (specifically their gateway bridge running in its own container)

Btw, I AM getting packets from my LoRa nodes successfully appearing in balena’s logs, which is very encouraging… SO close to complete

29.09.20 10:58:22 (-0400)  basicstation  2020-09-29 14:58:22.091 [S2E:VERB] RX 903.9MHz DR3 SF7/BW125 snr=10.0 rssi=-75 xtime=0x9C00003DF41AEB - updf mhdr=40 DevAddr=xxxx FCtrl=C0 FCnt=210 FOpts=[] 01F9 mic=524311765 (14 bytes)

@barryjump what LoRa concentrator do you use?

Haven’t tried chirpstack myself yet. I see their repo, and this is the one we used to build our repo. I think it should work with their own TC_URI. Do you have it?

On the multi-container, what other containers would you need?

@mpous I’m using the RAK2245 on their developer gateway model (basically RPi4 & GPS included). I’ve got chirpstack about 80% configured on GCP so I think it will work like a charm, just some of their on device concentrator settings are a little confusing.

The ideal multi-container setup for me (and others maybe?) would be:

  • Basicstation (for security reasons)
  • Chirpstack Gateway Bridge (talking to above)
  • Datadog (or another lightweight monitoring / logs agent like Netdata)
  • Possibly NodeRed

I’d consider node-red optional mostly for testing or doing edge work like filtering or local action downlinks.
All the pieces are out there and balena is INCREDIBLE so I feel like we’re so close to a click-to-deploy version of a production ready gateway, especially if you swap the RPi for a Kunbus or Fin.

@mpous also I totally missed their tc_uri setting. Good eye! I’ll give that a shot and share my progress here.

Hi @barryjump, I like the idea of the Chirpstack Gateway Bridge I will start testing it and see what comes out. Probably you’re ahead of me in that part, so any advice would be welcome.
Regards

Probably not much further, I’m juggling two projects so not moving as quickly as I’d like. But I do think it should be relatively simple to build the right compose file to run both on device. I don’t know as much as I’d like about opening docker ports so they can talk to each other securely, however. Chirpstack’s docs would need some customization for an install like this.

Hey @ronyvargas & @barryjump! Question: why don’t we make it simple and start with Basics Station + Datadog, then, if that works, BS + Datadog + nodered, and finally we can have chirpstack compatible?

What do you think?

I like that idea. Should we set up a shared GitHub and Balena apps?

@barryjump Feel free to clone the repo on your account and then you can PR on our repo!

Hi @mpous I like the idea too, I will update my fork with the updated repo and start hacking.

@mpous I took a short break from trying to get Chirpstack talking to basicstation.

I’ve been playing with the things stack instead today. Was looking at your guide again for TTN & TTI.
Technically neither is exactly the things stack, but I’ve got a secured domain running TTS with a secure websocket listener. But I’m getting the following error:

From Balena logs:

14.10.20 15:37:46 (-0400)  basicstation  cert. version     : 3
14.10.20 15:37:46 (-0400)  basicstation  serial number     : 44:AF:[[redacted]]:86:2E:F8:40:6B
14.10.20 15:37:46 (-0400)  basicstation  issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
14.10.20 15:37:46 (-0400)  basicstation  subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
14.10.20 15:37:46 (-0400)  basicstation  issued  on        : 2000-09-30 21:12:19
14.10.20 15:37:46 (-0400)  basicstation  expires on        : 2021-09-30 14:01:15
14.10.20 15:37:46 (-0400)  basicstation  signed using      : RSA with SHA1
14.10.20 15:37:46 (-0400)  basicstation  RSA key size      : 2048 bits
14.10.20 15:37:46 (-0400)  basicstation  basic constraints : CA=true
14.10.20 15:37:46 (-0400)  basicstation  key usage         : Key Cert Sign, CRL Sign
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.219 [AIO:INFO] tc has no key+cert configured - running server auth only
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.247 [TCE:VERB] Connecting to MUXS...
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.411 [AIO:ERRO] [3] WS upgrade failed with HTTP status code: 401
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.411 [AIO:DEBU] [3] WS connection shutdown...
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.411 [TCE:VERB] Connection to MUXS closed in state 3
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.411 [TCE:INFO] INFOS reconnect backoff 10s (retry 1)

From TTS Logs:

INFO Request handled duration=13.403456ms error=error:pkg/gatewayserver/io/ws:no_auth_provided (no auth provided 0242acfffeXXXXXX) method=GET namespace=gatewayserver/io/ws remote_addr=69.XXX.XXX.123:55906 request_id=01EMM8BXJ2REX6FRXH59ZYQFCQ status=401 uid=0242acfffeXXXXX url=/traffic/eui-0242ACFFFEXXXXX

You mention the TC_TRUST variable for connecting to TTI (the things industries). Can you elaborate? Did you paste the entire certificate.crt contents from the server?
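The balena log in the post above can be read layer by layer to separate a certificate-trust failure from a credential failure. The following Python sketch is an added example, not part of the original post or of the basicstation project; `triage` is a hypothetical helper and the sample is a subset of the log lines quoted above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the balena log lines quoted in the post above.
SAMPLE_LOG = """\
14.10.20 15:37:46 (-0400)  basicstation  issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
14.10.20 15:37:46 (-0400)  basicstation  expires on        : 2021-09-30 14:01:15
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.219 [AIO:INFO] tc has no key+cert configured - running server auth only
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.247 [TCE:VERB] Connecting to MUXS...
14.10.20 15:37:46 (-0400)  basicstation  2020-10-14 19:37:46.411 [AIO:ERRO] [3] WS upgrade failed with HTTP status code: 401
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
EVENT_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \[\w+:\w+\] (.*)")
EXPIRY_RE = re.compile(r"expires on\s*:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
STATUS_RE = re.compile(r"WS upgrade failed with HTTP status code: (\d{3})")


def triage(log_text):
    """Hypothetical helper: report at which layer a Station connect attempt failed."""
    out = {"client_cert_configured": None, "http_status": None,
           "cert_days_left": None, "stage": "unknown"}
    expiries = []
    for line in log_text.splitlines():
        exp = EXPIRY_RE.search(line)
        if exp:  # certificate details printed in the log
            expiries.append(datetime.strptime(exp.group(1), TS_FMT))
            continue
        event = EVENT_RE.search(line)
        if not event:
            continue
        when, msg = datetime.strptime(event.group(1), TS_FMT), event.group(2)
        if "no key+cert configured" in msg:
            out["client_cert_configured"] = False  # server auth only
        status = STATUS_RE.search(msg)
        if status:
            out["http_status"] = int(status.group(1))
            if expiries:  # days until the earliest printed certificate expires
                out["cert_days_left"] = (min(expiries) - when).days
            # An HTTP status means the transport (TLS for wss://) was already up,
            # so 401/403 is a credential problem, not a certificate-trust problem.
            out["stage"] = "http-auth" if out["http_status"] in (401, 403) else "http"
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the result is stage `http-auth` with no client certificate configured, which lines up with the `no_auth_provided` entry in the TTS log.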

Thanks for your message @barryjump.

For connecting to TTI you will need to point to another websocket that’s usually in another server and will need (potentially) another type of certificates.

In the tests that I did, it worked with the certificate being used on the repo, but could you please confirm that the TC_URI you are using accepts the same type of TC_CERT?

@mpous good point, I had assumed it did, but I may be wrong. Especially since TTS (the things stack) is an open version of TTI (the things industries), it gives developers the option for where to get their certificates (I used zerossl.com for example, and in prod would actually probably use AWS Certificate Manager). So I think I have to dig a bit deeper on how to translate the private.key, ca_bundle.crt, and certificate.crt issued by them to something that can be loaded onto the gateway.

Fwiw, this is where I’m looking for some guidance:

An update: Was able to get vanilla balena/basicstation working with a private installation of TTS (the things stack) but only after forcing TTS to accept unsecured connections. Again, the main problem was the certs issue. Basicstation can be very picky about the certificates especially when combined with TTS with CUPS and LNS with secure websocket.

Success! (almost)

If anyone wants to more formally collaborate on getting the certs working let me know.

Good job @barryjump! I agree that certificates are complex with the Basics Station! So looking fwd to see if anyone from the community wants to help here.

Hey @barryjump I’m currently testing the right certificates to connect the gateway to the TTS (public instance). Feel free to share any advance you had. I will keep you updated.

Awesome. Wish I had some good news for you - I’ve been running on unsecured websocket since day one. Never did figure it out.

There is a setting in the config file that you have to set to allow:

  • gs.basic-station.allow-unauthenticated: Allow unauthenticated Basic Station connections. This is set to false by default. Set to disable auth check for testing.

Hi @barryjump, @mpous, TTS uses a built-in agent to request the certificates from the LetsEncrypt free certificate service, if I am not wrong, based on the URI you configure. I haven’t had time yet to deploy my own TTS. I’ll try my best to deploy it and sort out the certificates part. I have some background in the PKI area, but I don’t yet know TTS well enough to be sure of what I’m saying.

Hey @ronyvargas hope you’re well.
Yes, that’s true, and I can confirm it works as advertised. At first deploy it auto provisioned a Letsencrypt cert and I believe even auto-renewed it after 3 months. I tested TTS with custom certs from a few places including ZeroSSL and all work fine. Though the out of the box and auto-renew script is by far the easiest.

The main challenge for me has remained though - trying to figure out how to get that auto-provisioned cert into the gateway, get basicstation to be happy with it, and to then get TTS to accept it once connected. I tried using balena’s env variable TC_CERT, tried manually including it in the project file at build, tried VIMing it through SSH, etc, etc.