Using ECC Keys with IoT Greengrass (and IDT)

Question

Hello,

I'm trying to switch from using RSA keys to ECC for IoT Greengrass.
Doing that results in more failures when running Greengrass IDT.

Results with RSA:

```
========== Test Summary ==========
Execution Time:           18m31s
Tests Completed:          8
Tests Passed:             8
Tests Failed:             0
Tests Skipped:            0
----------------------------------
Test Groups:
    coredependencies:             PASSED
    version:                      PASSED
    lambdadeployment:             PASSED
    mqtt:                         PASSED
    component:                    PASSED
    pretestvalidation:            PASSED
Optional Test Groups:
    dockerapplicationmanagerdependencies:      PASSED
    dockerapplicationmanager:                  PASSED
```

Results with ECC:

```
========== Test Summary ==========
Execution Time:            1h6m14s
Tests Completed:           8
Tests Passed:              4
Tests Failed:              4
Tests Skipped:             0
----------------------------------
Test Groups:
    version:                     PASSED
    component:                   FAILED
    lambdadeployment:            FAILED
    mqtt:                        FAILED
    pretestvalidation:           PASSED
    coredependencies:            PASSED
Optional Test Groups:
    dockerapplicationmanagerdependencies:       PASSED
    dockerapplicationmanager:                   FAILED
----------------------------------
Failed Tests:
    Group Name: component
        Test Name: cloudcomponent
            Reason: Failed at 'the Greengrass deployment is COMPLETED on the device after 180 seconds'
    Group Name: lambdadeployment
        Test Name: lambdadeploymenttest
            Reason: failed to verify lambda qualification component deployment: timed out
    Group Name: mqtt
        Test Name: mqttpubsub
            Reason: Failed at 'the Greengrass deployment is COMPLETED on the device after 300 seconds'
    Group Name: dockerapplicationmanager
        Test Name: docker_deploy_image_test
            Reason: Failed at 'the Greengrass deployment is COMPLETED on the device after 2 minutes'
```

There are no errors encountered while provisioning the device.
(For ECC, we follow same steps mentioned [here](https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html#create-thing-certificate) with `create-certificate-from-csr`. The keys and CSR are generated using OpenSSL).

```
openssl ecparam -out ${GG_HOME}/private.pem.key -name prime256v1 -genkey
openssl req -new -batch -key ${GG_HOME}/private.pem.key -out ${GG_HOME}/${IOT_KEY_NAME}.csr

gg_cert_arn=$(aws iot create-certificate-from-csr --set-as-active \
                  --certificate-signing-request="file://${GG_HOME}/${IOT_KEY_NAME}.csr" \
                  --certificate-pem-outfile "${GG_HOME}/device.pem.crt" \
                  --output text --query "certificateArn")
```

Nucleus Version: 2.12.0
IDT Version: 4.9.4

Do we need to add specific configurations on AWS side (or IDT) to run this properly?
Here's the used [IDT access policy](https://gitlab.com/Linaro/cassini/meta-cassini/-/blob/scarthgap-dev/.gitlab/scripts/aws_policies/idt-role-access-policy.json).

Nucleus is started with this command on the device after provisioning:

```
sudo -E java -Droot="${GG_HOME}" -Dlog.store=FILE -jar "${GG_HOME}/alts/init/distro/lib/Greengrass.jar"
                                 --init-config "${GG_HOME}/generated_config.yml"
                                 --aws-region "${AWS_DEFAULT_REGION}"
                                 --thing-name "${IOT_THING_NAME}"
                                 --thing-group-name "${IOT_THING_GROUP}"
                                 --component-default-user ggc_user:ggc_group
                                 --setup-system-service true
                                 --start true
                                 --provision false
```

re:Post Agent · Answer

Using ECC keys instead of RSA keys with AWS IoT Greengrass can indeed lead to some challenges, especially when running the AWS IoT Device Tester (IDT) for Greengrass. The issues you're experiencing are not uncommon when switching to ECC keys.

First, it's important to note that AWS IoT Greengrass does support ECC keys, so the core functionality should work. However, the IDT tests may not be fully optimized for ECC key usage, which could explain the failures you're seeing.

The failures you're encountering seem to be primarily related to deployment completion timeouts. This suggests that the system might be taking longer to process or validate the ECC certificates during various operations.

Here are some steps you can try to address these issues:

1. Increase timeouts: If possible, try to increase the timeout values in your IDT configuration. This might allow more time for operations to complete when using ECC keys.

2. Check Greengrass logs: Examine the Greengrass logs on your device for any specific errors or warnings related to certificate processing or TLS connections.

3. Verify certificate chain: Ensure that the full certificate chain is properly set up and accessible to the Greengrass core. This includes the device certificate, any intermediate certificates, and the root CA certificate.

4. Update Greengrass and IDT: Make sure you're using the latest versions of both the Greengrass nucleus and IDT. While you're already on a recent version (Nucleus 2.12.0 and IDT 4.9.4), it's worth checking if there are any newer versions available that might have improved ECC support.

5. AWS side configuration: On the AWS side, ensure that the IoT policies attached to your thing and certificate allow all necessary actions. The policy should include permissions for connecting, publishing, subscribing, and receiving messages.

6. IDT access policy: Review your IDT access policy to ensure it includes all necessary permissions for running tests with ECC certificates. You may need to add or modify permissions related to certificate operations.

7. Nucleus configuration: Double-check your nucleus configuration (generated_config.yml) to ensure it correctly references the ECC key and certificate locations.

8. Consider testing individual components: Instead of running the full IDT suite, try running individual test groups or tests to isolate which specific operations are failing with ECC keys.

If these steps don't resolve the issue, you may need to contact AWS support for further assistance. They might be able to provide more specific guidance on using ECC keys with Greengrass and IDT, or they may need to update the IDT tests to better accommodate ECC key usage.

Remember that while ECC keys offer some advantages, they're not as widely used as RSA keys in all scenarios. If the issues persist and are blocking your development or deployment, you might need to consider temporarily reverting to RSA keys for testing purposes while working with AWS to resolve the ECC-related issues.  
**Sources**  
[Configure your device to run IDT tests - AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/v1/developerguide/device-config-setup.html)  
[Configure the AWS IoT Greengrass core - AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)  
[Troubleshooting AWS IoT Greengrass - AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/v1/developerguide/gg-troubleshooting.html)

Using ECC Keys with IoT Greengrass (and IDT)

Add your answer

Relevant content