I am trying to enable secure tunnelling in a device using Greengrass v2. Right now I have only added the component in the deployment and declared the OS as "raspberry", yet I get errors with the settings with the certificates (Permissions not set to desired value) as well as an error that seems like a placeholder is not edited for the client:
2024-07-12T17:44:05.165Z [WARN] {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
The documentation for the component does not specify any additional step, therefore I am not sure if I am doing something wrong. Any help is appreciated.
OS: Raspbian GNU/Linux 11 (bullseye)
Tunnelling component version: 1.0.19
Nucleus Version: 2.12.6
The only configuration merged into the recipe is:
"OS_DIST_INFO": "raspberry"
When I try to access the tunnel from the console, the following errors appear
2024-07-12T21:05:09.325Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [INFO ] 2024-07-12 17:05:09.324 [AwsEventLoop 1] SubscribeResponseHandler - Received new tunnel notification message.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.395Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.392 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.397Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.396 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json97283231374049021111720810127642' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:09.399Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:09.398 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z [WARN] {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-12T21:05:26.999Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-12 17:05:26.998 [pool-3-thread-2] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:26.998Z [ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
And when I access with local proxy using a Docker image I get:
2024-07-15T19:50:49.733Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.729 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.675Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:50:49.735Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.731 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.680Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json79754660964669720811721073030236' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:50:49.736Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:50:49.732 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:50:49.681Z [WARN] {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is invalid. Ignoring... Will attempt to use default trust store.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-07-15T19:53:49.385Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-07-15 15:53:49.383 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-07-15T19:53:49.383Z [ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
I am not sure what configuration I am missing; the documentation does not help a lot with this. Any help is appreciated.
Hello Fernanda, the issue mentioned here is a connection error. It has nothing to do with the component not being able to find RootCA or the file permissions issue. As mentioned in another comment by Greg_B below, check whether your port is accessible or not. I believe it is a device-side error where the component is not able to establish a connection securely.
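The log lines in this thread carry three nested levels (Greengrass `[INFO]`, the component's `[ERROR]`, then the device client's own `[WARN]` or `[ERROR]`), which is why permission warnings show up tagged as errors. The following added example, which is not code from the post or from AWS, triages on the innermost level and reports which mode bits exceed the recommended value; the sample lines are constructed from the log output quoted in the question, with the trailing context abridged.

```python
import re

# Innermost record written by the device client: "[LEVEL] {Source.cpp}: message"
INNER = re.compile(r"\[(WARN|ERROR)\] \{(\w+\.cpp)\}: (.*?)\s*\{scriptName=")
PERMS = re.compile(r"path '([^']+)'.*desired: (\d+), actual: (\d+)")

# Constructed sample: the four distinct messages from the post, with the
# Greengrass and component wrappers kept and the trailing context abridged.
WRAP = ("2024-07-12T21:05:09.395Z [INFO] (Copier) aws.greengrass.SecureTunneling: "
        "stdout. [ERROR] 2024-07-12 17:05:09.392 [pool-3-thread-2] "
        "SubscribeResponseHandler - Secure Tunneling Process: 2024-07-12T21:05:09.391Z ")
TAIL = " {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script}"
SAMPLE = [WRAP + body + TAIL for body in (
    "[WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set "
    "to recommended value... {Permissions: {desired: 745, actual: 777}}.",
    "[WARN] {FileUtils.cpp}: Permissions to given file/dir path "
    "'/tmp/device-client-settings.json97283231374049021111720810127642' is not set "
    "to recommended value... {Permissions: {desired: 640, actual: 644}}.",
    "[WARN] {Config.cpp}: Path replace_with_root_ca_file_location to RootCA is "
    "invalid. Ignoring... Will attempt to use default trust store..",
    "[ERROR] {TcpForward.cpp}: TcpForward::OnConnectionResult error_code=1047.",
)]

def triage(lines):
    """Classify each line by the device client's own level, not the wrapper's."""
    records = []
    for line in lines:
        m = INNER.search(line)
        if not m:
            continue
        rec = {"level": m.group(1), "source": m.group(2), "message": m.group(3)}
        p = PERMS.search(rec["message"])
        if p:
            desired, actual = int(p.group(2), 8), int(p.group(3), 8)
            rec["path"] = p.group(1)
            # Mode bits granted beyond the recommended value, as octal text.
            rec["excess"] = format(actual & ~desired, "03o")
        records.append(rec)
    return records

def blocking(records):
    """Only records the device client itself logged at ERROR level."""
    return [r for r in records if r["level"] == "ERROR"]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["level"], r["source"], r.get("excess", ""), r["message"][:60])
```

On the sample, the only record the device client logs at ERROR is the `TcpForward.cpp` connection result; the excess bits on the settings file (`004`) mean it is world-readable.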