Deleted IoT thing recreated after reconnecting

We are programmatically deleting things via the Javascript SDK, specifically:

  • For all thing principals
  1. detach principal
  2. set cert to inactive (our certs don't have policies attached)
  3. delete cert
  • delete thing
  • delete thing shadow

After this process, both the thing and its certificate are deleted. However, if we reconnect the device, I see the device re-created in IoT (via JITP I assume?) with the same cert as before.

When I delete the thing via the AWS console, we do not see this behavior -- the device cannot connect again once it's been deleted.

I assume we're missing something in our programmatic approach. Our certificates don't have policies so we skipped those steps in the reference post here: https://stackoverflow.com/a/47541482/1137498

asked 7 months ago, 263 views

2 Answers

Accepted answer

At the time of connecting the device to IoT, which certificate are you using? Assuming auto-registration is enabled on the CA: if you try to connect with a cert that is not known to IoT (deleted from IoT) but was signed by a CA that was registered, the cert will be auto-registered in a PENDING_ACTIVATION state, and another call to update the certificate to the ACTIVE state is needed for the connection to succeed (which happened in your case as well).

Even if the cert is deleted from AWS IoT, you can use the same device cert to connect to IoT. JITR or JITP will auto-register the certificate.

AWS
SUPPORT ENGINEER
Palak
answered 6 months ago
  • Yes, I think this is what's happening. I thought the re-registration was NOT working when deleting through the web console, but I think we were revoking instead of deactivating in that workflow.

    To recap, this workflow is now working for us:

    • For all thing principals
      1. detach principal
      2. REVOKE cert (instead of deactivating)
      3. delete cert
    • delete thing
    • delete thing shadow
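Added example, not part of the thread above: the delete workflow the asker reports as working, written against the AWS SDK for JavaScript v2 call shape (`client.operation(params).promise()`). It assumes `iot` is an `AWS.Iot` client and `iotData` an `AWS.IotData` client; to run offline, both are replaced here by a constructed in-memory fake that records the calls. The thing name and certificate ARN are made up. The plan is built before anything is executed so the order (detach, revoke, delete cert, delete thing, delete shadow) can be reviewed, and the certificate ID is extracted from the principal ARN because UpdateCertificate and DeleteCertificate take the bare ID.

```javascript
// Added example (not the asker's code). Call shape follows the AWS SDK for
// JavaScript v2: client.operation(params).promise(). Clients are injected so
// the same function runs against real AWS.Iot / AWS.IotData clients or the
// constructed fakes below.

// Certificate principals are ARNs of the form
// arn:aws:iot:<region>:<account>:cert/<certificateId>; the cert APIs want the
// bare 64-hex-character certificateId, not the ARN.
function certificateIdFromArn(arn) {
  const m = /^arn:aws:iot:[^:]+:\d{12}:cert\/([0-9a-f]{64})$/.exec(arn);
  if (!m) throw new Error(`not an IoT certificate ARN: ${arn}`);
  return m[1];
}

// Build the ordered list of API calls before running any of them. Order
// matters: a certificate cannot be deleted while it is ACTIVE or still
// attached to a thing.
function planThingDeletion(thingName, principalArns) {
  const plan = [];
  for (const arn of principalArns) {
    const certificateId = certificateIdFromArn(arn);
    plan.push({ op: 'detachThingPrincipal', params: { thingName, principal: arn } });
    // REVOKED rather than INACTIVE: per the thread, a merely inactive cert
    // was auto-registered again by JITP when the device reconnected.
    plan.push({ op: 'updateCertificate', params: { certificateId, newStatus: 'REVOKED' } });
    plan.push({ op: 'deleteCertificate', params: { certificateId } });
  }
  plan.push({ op: 'deleteThing', params: { thingName } });
  plan.push({ op: 'deleteThingShadow', params: { thingName } });
  return plan;
}

// The shadow lives on the data plane (AWS.IotData); everything else is on
// the control plane (AWS.Iot).
const DATA_PLANE_OPS = new Set(['deleteThingShadow']);

async function deleteThingAndCredentials(iot, iotData, thingName) {
  // Pagination (nextToken) is ignored here; a thing normally has few principals.
  const { principals } = await iot.listThingPrincipals({ thingName }).promise();
  const plan = planThingDeletion(thingName, principals || []);
  for (const step of plan) {
    const client = DATA_PLANE_OPS.has(step.op) ? iotData : iot;
    await client[step.op](step.params).promise();
  }
  return plan;
}

// Constructed stand-ins for AWS.Iot / AWS.IotData: every call is appended to
// `calls` and resolves immediately with a canned response.
function makeFakeClient(calls, listResponse) {
  const ops = ['listThingPrincipals', 'detachThingPrincipal', 'updateCertificate',
               'deleteCertificate', 'deleteThing', 'deleteThingShadow'];
  const client = {};
  for (const op of ops) {
    client[op] = (params) => {
      calls.push({ op, params });
      const result = op === 'listThingPrincipals' ? listResponse : {};
      return { promise: () => Promise.resolve(result) };
    };
  }
  return client;
}

// Constructed sample ARN (account id and cert id are fictitious).
const SAMPLE_CERT_ARN = 'arn:aws:iot:us-east-1:123456789012:cert/' + 'ab'.repeat(32);

// Runs the workflow against the fakes and returns the observed call sequence.
async function demo() {
  const calls = [];
  const iot = makeFakeClient(calls, { principals: [SAMPLE_CERT_ARN] });
  const iotData = makeFakeClient(calls, {});
  await deleteThingAndCredentials(iot, iotData, 'sensor-0001');
  return calls.map((c) => c.op);
}

demo().then((ops) => console.log(ops.join(' -> ')));
```

With real clients, replace the fakes with `new AWS.Iot({ region })` and `new AWS.IotData({ endpoint })` (the data-plane client needs the account's IoT endpoint). Policies attached directly to a certificate would still need a `detachPolicy` step before `deleteCertificate`; the asker's policies are on the thing group, so the plan omits it.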

Hi. How are your devices connecting if there's no policy attached to the certificate? I'm not sure if I'm misunderstanding something, but that doesn't ring true. (Maybe these devices are GG client devices?) And have you set up JITP? I presume you must have.

Are these devices Greengrass core devices? I know you have asked GG questions in the past. To properly delete a GG core device, you also need to call this: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/GreengrassV2.html#deleteCoreDevice-property. Perhaps you deleted the core device in the console.

AWS
EXPERT
Greg_B
answered 7 months ago
  • Our policy is attached to the thing group, not the certificate itself. Yes, we have JITP configured for these devices. I think something is getting left behind after the delete process above that allows it to reuse the certificate again for JITP.

    These are not GG core devices, just standard IoT things (that sometimes connect as GG client devices). This is 100% reproducible.

  • Should we revoke the cert rather than set to inactive?

    https://docs.aws.amazon.com/iot/latest/developerguide/revoke-ca-cert.html
