Deleted IoT thing recreated after reconnecting

0

We are programmatically deleting things via the JavaScript SDK, specifically:

  • For all thing principals
  1. detach principal
  2. set cert to inactive (our certs don't have policies attached)
  3. delete cert
  • delete thing
  • delete thing shadow

After this process, both the thing and its certificate are deleted. However, if we reconnect the device, I see the device re-created in IoT (via JITP I assume?) with the same cert as before.

When I delete the thing via the AWS console, we do not see this behavior -- the device cannot connect again once it's been deleted.

I assume we're missing something in our programmatic approach. Our certificates don't have policies so we skipped those steps in the reference post here: https://stackoverflow.com/a/47541482/1137498

asked 7 months ago, 263 views
2 answers
1
Accepted answer

At the time of connecting the device to IoT, which certificate are you using? Assuming auto-registration is enabled on the CA: if you try to connect with a cert that is not known to IoT (deleted from IoT) but was signed by a CA that was registered, the cert will be auto-registered in a PENDING_ACTIVATION state, and another call is needed to update the certificate to the ACTIVE state for the connection to be successful (which is what happened in your case as well).

Even if the cert is deleted from AWS IoT, you can use the same device cert to connect to IoT. JITR or JITP will auto-register the certificate.

AWS
SUPPORT ENGINEER
Palak
answered 6 months ago
  • Yes, I think this is what's happening. I thought the re-registration was NOT working when deleting through the web console, but I think we were revoking instead of deactivating in that workflow.

    To recap, this workflow is now working for us:

    • For all thing principals
      1. detach principal
      2. REVOKE cert (instead of deactivating)
      3. delete cert
    • delete thing
    • delete thing shadow
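The revised workflow from the comment above, written out as an added example (not code from the original post, from AWS, or from the SDK documentation). It uses the AWS SDK for JavaScript v2 method names (listThingPrincipals, detachThingPrincipal, updateCertificate, deleteCertificate and deleteThing on AWS.Iot; deleteThingShadow on AWS.IotData). The clients are injected so the logic runs offline against a constructed in-memory fake that enforces two real service rules, namely that a certificate cannot be deleted while ACTIVE or while a thing is still attached to it; the thing name, account, region and certificate ID are made up, and the function names deleteThingAndRevokeCerts, certificateIdFromPrincipal and makeFakeClients are this example's own.

```javascript
// Added example, not code from the original post or from AWS.
// Deletes an AWS IoT thing and REVOKES (rather than deactivates) its
// certificates before deleting them, so a reconnecting device cannot be
// auto-registered again through JITP/JITR with the same certificate.
//
// `iot` and `iotData` are injected so the logic runs offline against the
// fake below. With the real SDK v2 you would pass `new AWS.Iot()` and
// `new AWS.IotData({ endpoint: '<your-ats-endpoint>' })`; the method names
// and parameter shapes used here are those of SDK v2.

// Extract the certificate ID from a certificate principal ARN of the form
// arn:<partition>:iot:<region>:<account>:cert/<certificateId>.
// Returns null for other principal types (e.g. a Cognito identity).
function certificateIdFromPrincipal(principalArn) {
  const m = /^arn:[^:]+:iot:[^:]*:[^:]*:cert\/([0-9a-fA-F]+)$/.exec(principalArn);
  return m ? m[1] : null;
}

// Returns the list of certificate IDs that were revoked and deleted.
async function deleteThingAndRevokeCerts(iot, iotData, thingName) {
  const { principals = [] } = await iot.listThingPrincipals({ thingName }).promise();
  const revoked = [];
  for (const principal of principals) {
    // A certificate cannot be deleted while a thing is still attached to it.
    await iot.detachThingPrincipal({ thingName, principal }).promise();
    const certificateId = certificateIdFromPrincipal(principal);
    if (certificateId === null) continue;
    // REVOKED instead of INACTIVE: per the accepted answer, an inactive-then-
    // deleted cert is unknown to IoT Core again and is re-registered by
    // JITP/JITR on the next connect.
    await iot.updateCertificate({ certificateId, newStatus: 'REVOKED' }).promise();
    await iot.deleteCertificate({ certificateId }).promise();
    revoked.push(certificateId);
  }
  await iot.deleteThing({ thingName }).promise();
  // The classic shadow lives on the data plane and is deleted separately.
  await iotData.deleteThingShadow({ thingName }).promise();
  return revoked;
}

// Constructed in-memory stand-in for AWS.Iot and AWS.IotData. It records every
// call in state.log and enforces two real service rules: a certificate cannot
// be deleted while ACTIVE, and not while a thing is still attached to it.
function makeFakeClients(state) {
  const op = (name, fn) => (params) => ({
    promise: async () => { state.log.push(name); return fn(params); },
  });
  const attachedTo = (certificateId) =>
    Object.values(state.things).some((ps) => ps.some((p) => p.endsWith('/' + certificateId)));
  const iot = {
    listThingPrincipals: op('listThingPrincipals', ({ thingName }) =>
      ({ principals: [...(state.things[thingName] || [])] })),
    detachThingPrincipal: op('detachThingPrincipal', ({ thingName, principal }) => {
      state.things[thingName] = (state.things[thingName] || []).filter((p) => p !== principal);
      return {};
    }),
    updateCertificate: op('updateCertificate', ({ certificateId, newStatus }) => {
      if (!(certificateId in state.certs)) throw new Error('ResourceNotFoundException');
      state.certs[certificateId] = newStatus;
      return {};
    }),
    deleteCertificate: op('deleteCertificate', ({ certificateId }) => {
      if (state.certs[certificateId] === 'ACTIVE') throw new Error('CertificateStateException');
      if (attachedTo(certificateId)) throw new Error('DeleteConflictException');
      delete state.certs[certificateId];
      return {};
    }),
    deleteThing: op('deleteThing', ({ thingName }) => { delete state.things[thingName]; return {}; }),
  };
  const iotData = {
    deleteThingShadow: op('deleteThingShadow', ({ thingName }) => {
      state.shadowsDeleted.push(thingName);
      return {};
    }),
  };
  return { iot, iotData };
}

// Constructed sample registry: one thing with a certificate and a Cognito principal.
function sampleState() {
  return {
    things: {
      sensor01: [
        'arn:aws:iot:us-east-1:123456789012:cert/abc123def456',
        'arn:aws:iot:us-east-1:123456789012:cognito/us-east-1:11111111-2222-3333-4444-555555555555',
      ],
    },
    certs: { abc123def456: 'ACTIVE' },
    shadowsDeleted: [],
    log: [],
  };
}

// Stand-alone run against the fake.
const demoState = sampleState();
const { iot, iotData } = makeFakeClients(demoState);
deleteThingAndRevokeCerts(iot, iotData, 'sensor01').then((revoked) => {
  console.log('revoked and deleted:', revoked);
  console.log('call order:', demoState.log.join(' > '));
});
```

Against the real service the same ordering matters: detach first (deleteCertificate refuses a cert that still has a thing attached), then updateCertificate to REVOKED (deleteCertificate also refuses an ACTIVE cert), then delete. Non-certificate principals such as Cognito identities are detached but skipped for the certificate steps.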

0

Hi. How are your devices connecting if there's no policy attached to the certificate? I'm not sure if I'm misunderstanding something, but that doesn't ring true. (Maybe these devices are GG client devices?) And have you set up JITP? I presume you must have.

Are these devices Greengrass core devices? I know you have asked GG questions in the past. To properly delete a GG core device, you also need to call this: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/GreengrassV2.html#deleteCoreDevice-property. Perhaps you deleted the core device in the console.

AWS
EXPERT
Greg_B
answered 7 months ago
  • Our policy is attached to the thing group, not the certificate itself. Yes, we have JITP configured for these devices. I think something is getting left behind after the delete process above that allows it to reuse the certificate again for JITP.

    These are not GG core devices, just standard IoT things (that sometimes connect as GG client devices). This is 100% reproducible.

  • Should we revoke the cert rather than set to inactive?

    https://docs.aws.amazon.com/iot/latest/developerguide/revoke-ca-cert.html
