Device Discovery REST API, with self-signed client-certificates

0

I have the following use-case

We are implementing an IoT application with Client Devices that need to connect to a Greengrass Core Device for telemetry. Both the Greengrass Core Device and the Client Devices are provisioned with client certificates that are signed by a CA that is registered in IoT Core.

The client devices themselves retrieve DeviceDiscovery information from the Data Plane endpoint: greengrass-ats.iot.<region_name>.amazonaws.com:8443/greengrass/discover/thing/<thing_name>

Problem description

When performing initial proof-of-concept tests we provisioned our devices with AWS-signed certs, and in that case device discovery worked perfectly, returning the associated core devices along with connectivity info. However, if we take the same client devices with the same client IDs and attach new self-signed, activated certificates with the same policy attached, we get the following response from device discovery:

curl: (52) Empty reply from server 

In the troubleshooting guide at https://docs.aws.amazon.com/greengrass/v2/developerguide/troubleshooting-client-devices.html#greengrass-discovery-issues we are advised to check if the certificate is active, which it definitely is.

So my concern is then whether this is due to missing support for self-signed client certificates in the discovery API, or whether I have missed something else?

Thanks, Mathias

asked 18 days ago · 135 views
1 Answer
0
Accepted Answer

Hello,

The certificate will need to be attached to the thing, just like the AWS generated certificate was. It will also need to have appropriate IoT Policies attached to it so that the certificate is allowed to call the discovery APIs.

What is the IoT Policy that you attached to the new certificate? Did you associate the certificate with the client device's thing?

Cheers,

Michael

AWS
EXPERT
answered 18 days ago
  • Hi Michael

    Currently the device that I'm testing with has both the original AWS-signed certificate and the new custom CA-signed cert attached. Both certificates have the same IoT Policy attached to them, which amongst other things contains:

    { "Effect": "Allow", "Action": "greengrass:Discover", "Resource": "*" }

  • Can you verify that the certificate you are using is correctly registered in AWS IoT by using that certificate to connect to AWS IoT Core using an MQTT client? Mosquitto for example is a command line client which will work to determine this.

  • If you are able, I would recommend that you open a case with AWS support so that they can investigate your specific account settings.

  • Thanks for your suggestion :) - I tried the following: mosquitto_pub -h <account_id>-ats.iot.eu-central-1.amazonaws.com -p 8883 -t hello -m hello --cafile AmazonRootCA1.pem --cert device.pem.crt --key private.pem.key -i <client_id>

    With both sets of key/certificate it works without issue. I will see if I can open a case.

  • Please try doing discovery using your IoT Core account-specific endpoint instead of the "shared" greengrass-ats endpoint. Find the correct endpoint in the AWS IoT Console or using the describe-endpoint command with the input iot:Data-ATS.
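The following is an added example (not code from the thread or from AWS) of the discovery call the last comment recommends: a mutual-TLS GET against the account-specific iot:Data-ATS endpoint with the client device's certificate and key, treating an empty reply as an error rather than as "no cores found", and flattening the documented discovery response (GGGroups / Cores / Connectivity / CAs) into connectivity records. The endpoint, thing name and file names are placeholders, and the sample response is constructed for offline testing.

```python
import http.client
import json
import ssl
from typing import Dict, List

DISCOVERY_PORT = 8443  # port quoted in the question for the discovery REST API


def discovery_path(thing_name: str) -> str:
    """Path of the discovery REST API for a client device's thing name."""
    return f"/greengrass/discover/thing/{thing_name}"


def parse_discovery_response(body: str) -> List[Dict[str, object]]:
    """Flatten the discovery JSON into one record per core connectivity entry."""
    records = []
    for group in json.loads(body).get("GGGroups", []):
        for core in group.get("Cores", []):
            for conn in core.get("Connectivity", []):
                records.append({
                    "group_id": group.get("GGGroupId"),
                    "core_arn": core.get("thingArn"),
                    "host": conn.get("HostAddress"),
                    "port": conn.get("PortNumber"),
                    "ca_count": len(group.get("CAs", [])),  # core CA certs to pin for MQTT
                })
    return records


def discover(endpoint: str, thing_name: str, cert: str, key: str, ca: str) -> List[Dict[str, object]]:
    """GET discovery over mutual TLS with the client device's own cert/key.
    `endpoint` is the account-specific iot:Data-ATS hostname, not the shared one;
    an empty reply (the symptom in the question) raises instead of parsing as []."""
    ctx = ssl.create_default_context(cafile=ca)      # trust only the Amazon root CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # present the device certificate
    conn = http.client.HTTPSConnection(endpoint, DISCOVERY_PORT, context=ctx)
    conn.request("GET", discovery_path(thing_name))
    resp = conn.getresponse()
    body = resp.read().decode()
    if resp.status != 200 or not body:
        raise RuntimeError(f"discovery failed: HTTP {resp.status}, body={body!r}")
    return parse_discovery_response(body)


# Constructed sample response (placeholder ARN/host) following the documented shape.
SAMPLE_RESPONSE = json.dumps({"GGGroups": [{
    "GGGroupId": "example-group-id",
    "Cores": [{"thingArn": "arn:aws:iot:eu-central-1:123456789012:thing/ExampleCore",
               "Connectivity": [{"Id": "lan", "HostAddress": "192.168.1.10",
                                 "PortNumber": 8883, "Metadata": ""}]}],
    "CAs": ["-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"]}]})
```

Against a real account this would be called as `discover("<prefix>-ats.iot.<region>.amazonaws.com", "<thing_name>", "device.pem.crt", "private.pem.key", "AmazonRootCA1.pem")`, with the hostname taken from `aws iot describe-endpoint --endpoint-type iot:Data-ATS`.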
