Secure Tunnelling component does not work as it should


I am trying to enable secure tunnelling on a device using Greengrass v2. Right now I have only added the component to the deployment and declared the OS as "raspberry", yet I get errors about the certificate settings (permissions not set to the desired value) as well as an error that looks like a placeholder in the client configuration was never replaced:

2024-07-12T17:44:05.165Z [WARN]  {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}

The documentation for the component does not specify any additional step, so I am not sure whether I am doing something wrong. Any help is appreciated.

OS: Raspbian GNU/Linux 11 (bullseye)
Tunnelling component version: 1.0.19
Nucleus version: 2.12.6

The only configuration merged into the recipe is:

"OS_DIST_INFO": "raspberry"

When I try to access the tunnel from the console, the following errors appear:

2024-07-12T21:05:09.325Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [INFO ] 2024-07-12 17:05:09.324 [AwsEventLoop 1] SubscribeResponseHandler - Received new tunnel notification message.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.395Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.392 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.397Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.396 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json97283231374049021111720810127642' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.399Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.398 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:26.999Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:26.998 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:26.998Z [ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}

And when I access it with the local proxy using a Docker image I get:

2024-07-15T19:50:49.733Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.729 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.675Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:50:49.735Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.731 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.680Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json79754660964669720811721073030236' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:50:49.736Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.732 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.681Z [WARN]  {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:53:49.385Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:53:49.383 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:53:49.383Z [ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}

I am not sure what configuration I am missing; the documentation does not help a lot with this. Any help is appreciated.

  • Hello Fernanda, the issue mentioned here is a connection error. It has nothing to do with the component not being able to find the RootCA or with the file permissions issue. As mentioned in another comment by Greg_B below, check whether your port is accessible or not. I believe it is a device-side error where the component is not able to establish a connection securely.

asked 3 months ago

1 Answer

Hi. You've assigned an invalid value to OS_DIST_INFO: https://docs.aws.amazon.com/greengrass/v2/developerguide/secure-tunneling-component.html#secure-tunneling-component-configuration

I'm not sure that explains everything.

UPDATE July 23: Adding to the answer since I've been getting downvotes. What I said above is correct (albeit only a partial answer), so the downvotes are a tad harsh.

The only error or warning of consequence in the logs is TcpForward::OnConnectionResult error_code=1047. This is a socket connection refused. The secure tunneling component is a special build of AWS IoT Device Client, and this error message comes from here: https://github.com/awslabs/aws-iot-device-client/blob/cf738c82927f5a0020a58fda88a5de65b11a4574/source/tunneling/TcpForward.cpp#L107. Does your device meet all the requirements (specifically is the secure tunneling endpoint reachable and is port 443 open)? https://docs.aws.amazon.com/greengrass/v2/developerguide/secure-tunneling-component.html#secure-tunneling-component-requirements

For the permissions warnings, these come from here: https://github.com/awslabs/aws-iot-device-client/blob/cf738c82927f5a0020a58fda88a5de65b11a4574/source/util/FileUtils.cpp#L198. More information here: https://github.com/awslabs/aws-iot-device-client/blob/main/docs/PERMISSIONS.md. In your case, they are only warnings and will not prevent proper function. I get the same messages on my RPi, and secure tunneling works.

The secure tunneling component creates an AWS IoT Device Client configuration file in /tmp/device-client-settings.json<unique-id>. If you inspect that file, you'll see:

"root-ca": "replace_with_root_ca_file_location"

That's what's causing the other warning. Again, it's of no concern in this instance because the root CA will instead be found from your Greengrass configuration.

Greg_B (AWS, EXPERT)
answered 3 months ago
  • Yeah, I realized after I posted it. I modified it and still the same issue occurs ("OS_DIST_INFO": "raspberrypi", but it won't work as "auto" either). From what I've read, error 1047 has something to do with permissions, but I did as the documentation said.

  • Answer updated to be more complete.

  • I also checked the port. I allowed it via ufw (I even disabled ufw to test) and I can see the port being available with this command:

    root@<user>:/greengrass/v2/logs# sudo lsof -i :443
    COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    aws-iot-d 1623 ggc_user    7u  IPv4  31670      0t0  TCP <user>:59562->ec2-3-213-214-212.compute-1.amazonaws.com:https (ESTABLISHED)
    

    About the other requirements, I believe we meet all of them: we use Python 3.8 and the documentation asks for 3.5 or above, and glibc is 2.31.
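The following is an added example, not code from the question, the answer, or the AWS component: a small Python triage script that applies Greg_B's reading of the log lines above. It parses the nested device-client messages out of the Greengrass log, flags the permission warnings as non-blocking (while reporting whether the actual mode is looser than the recommended one), treats the root-CA placeholder as non-blocking, and surfaces only the TcpForward error as the finding that stops the tunnel. The sample log is constructed from the excerpt in the question; the mapping of 1047 to "connection refused" is taken from the answer, and other codes are left as unknown.

```python
import re

# Constructed sample modelled on the SecureTunneling log excerpt in the question (trailing fields shortened).
SAMPLE_LOG = """\
2024-07-12T21:05:09.395Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.392 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {serviceName=aws.greengrass.SecureTunneling}
2024-07-12T21:05:09.397Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.396 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json97283231374049021111720810127642' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {serviceName=aws.greengrass.SecureTunneling}
2024-07-12T21:05:09.399Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.398 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN]  {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {serviceName=aws.greengrass.SecureTunneling}
2024-07-12T21:05:26.999Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:26.998 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:26.998Z [ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047. {serviceName=aws.greengrass.SecureTunneling}
"""

# Patterns for the three device-client messages that appear in the question's logs.
PERM_RE = re.compile(r"Permissions to given file/dir path '([^']+)' is not set to recommended value"
                     r".*?desired: (\d+), actual: (\d+)")
ROOTCA_RE = re.compile(r"Path (\S+) to RootCA is invalid")
TCP_RE = re.compile(r"TcpForward::OnConnectionResult error_code=(\d+)")


def extra_mode_bits(desired, actual):
    """Octal mode bits present in `actual` but absent from `desired`; 0 means not looser."""
    return int(actual, 8) & ~int(desired, 8)


def triage(log_text):
    """Classify each recognised message; only the TcpForward error is marked as blocking."""
    findings = []
    for line in log_text.splitlines():
        if m := PERM_RE.search(line):
            path, desired, actual = m.groups()
            findings.append({"kind": "permissions", "path": path, "desired": desired,
                             "actual": actual, "looser": extra_mode_bits(desired, actual) != 0,
                             "blocking": False})  # warning only, per the answer
        elif m := ROOTCA_RE.search(line):
            findings.append({"kind": "root_ca_placeholder", "value": m.group(1),
                             "blocking": False})  # root CA is taken from the Greengrass config
        elif m := TCP_RE.search(line):
            code = int(m.group(1))
            findings.append({"kind": "tcp_forward", "error_code": code, "blocking": True,
                             # 1047 = connection refused per the answer; other codes not mapped here
                             "meaning": "connection refused" if code == 1047 else "unknown"})
    return findings


def blocking_findings(log_text):
    """Only the findings that actually stop the tunnel from working."""
    return [f for f in triage(log_text) if f["blocking"]]
```

Run it against a real greengrass.log or the component's log file to separate the cosmetic permission warnings from the connection failure that needs a network check.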
