Deleted IoT thing recreated after reconnecting

0

We are programmatically deleting things via the JavaScript SDK, specifically:

  • For all thing principals
    1. detach principal
    2. set cert to inactive (our certs don't have policies attached)
    3. delete cert
  • delete thing
  • delete thing shadow

After this process, both the thing and its certificate are deleted. However, if we reconnect the device, I see the device re-created in IoT (via JITP I assume?) with the same cert as before.

When I delete the thing via the AWS console, we do not see this behavior -- the device cannot connect again once it's been deleted.

I assume we're missing something in our programmatic approach. Our certificates don't have policies so we skipped those steps in the reference post here: https://stackoverflow.com/a/47541482/1137498

Asked 7 months ago, 263 views
2 answers
1
Accepted answer

At the time of connecting the device to IoT, which certificate are you using? Assuming auto-registration is enabled on the CA, if you try to connect with a cert that is not known to IoT (deleted from IoT) but was signed by a CA that was registered, the cert will be auto-registered in a PENDING_ACTIVATION state, and another call is needed to update the certificate to the ACTIVE state for the connect to be successful (which happened in your case as well).

Even if the cert is deleted from AWS IoT, you can use the same device cert to connect to IoT. JITR or JITP will auto-register the certificate.

AWS
Support Engineer
Palak
Answered 6 months ago
  • Yes, I think this is what's happening. I thought the re-registration was NOT working when deleting through the web console, but I think we were revoking instead of deactivating in that workflow.

    To recap, this workflow is now working for us:

    • For all thing principals
      1. detach principal
      2. REVOKE cert (instead of deactivating)
      3. delete cert
    • delete thing
    • delete thing shadow
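The corrected workflow from the recap above (revoke, then delete), as an added example that is not the poster's code. It assumes AWS SDK for JavaScript v2 style clients (AWS.Iot and AWS.IotData, whose methods return objects with .promise()); the clients are injected so the flow can run offline against the constructed fakes below, and the thing name, certificate id and account/region in the sample are made up.

```javascript
// Added example, not the poster's code: decommission an IoT thing the way the
// accepted answer and the recap describe. The certificate is REVOKED rather than
// set INACTIVE, since a deleted-but-merely-inactive cert is re-registered by
// JITP/JITR on the next connect. Assumes AWS SDK for JavaScript v2 style clients
// (AWS.Iot / AWS.IotData) whose methods return objects with .promise().
async function decommissionThing({ iot, iotData }, thingName) {
  const { principals = [] } = await iot.listThingPrincipals({ thingName }).promise();
  const revoked = [];
  for (const principal of principals) {
    await iot.detachThingPrincipal({ thingName, principal }).promise();
    // Certificate principals look like arn:aws:iot:<region>:<acct>:cert/<certificateId>;
    // other principal types (e.g. Cognito identities) are only detached.
    const match = /:cert\/([0-9a-f]+)$/.exec(principal);
    if (!match) continue;
    const certificateId = match[1];
    await iot.updateCertificate({ certificateId, newStatus: 'REVOKED' }).promise();
    await iot.deleteCertificate({ certificateId, forceDelete: true }).promise();
    revoked.push(certificateId);
  }
  await iot.deleteThing({ thingName }).promise();
  await iotData.deleteThingShadow({ thingName }).promise();
  return revoked;
}

// Constructed in-memory fakes that record each SDK call in order, so the
// workflow can be exercised without an AWS account.
function makeFakeClients(principalsByThing) {
  const calls = [];
  const record = (name) => (params) => {
    calls.push([name, params]);
    return { promise: async () => (name === 'listThingPrincipals'
      ? { principals: principalsByThing[params.thingName] || [] } : {}) };
  };
  const iot = {};
  for (const m of ['listThingPrincipals', 'detachThingPrincipal', 'updateCertificate',
                   'deleteCertificate', 'deleteThing']) iot[m] = record(m);
  return { iot, iotData: { deleteThingShadow: record('deleteThingShadow') }, calls };
}

// Constructed sample: one device with one JITP-registered certificate.
const SAMPLE_CERT_ID = 'a'.repeat(64);
const SAMPLE_THING = 'sensor-0001';
const SAMPLE_PRINCIPALS = { [SAMPLE_THING]: [`arn:aws:iot:us-east-1:123456789012:cert/${SAMPLE_CERT_ID}`] };

// Runs the workflow against the fakes and returns what was called, in order.
async function runDemo() {
  const clients = makeFakeClients(SAMPLE_PRINCIPALS);
  const ids = await decommissionThing(clients, SAMPLE_THING);
  return { ids, calls: clients.calls };
}
runDemo().then(({ ids, calls }) => console.log(ids, calls.map(([n]) => n).join(' -> ')));
```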

0

Hi. How are your devices connecting if there's no policy attached to the certificate? I'm not sure if I'm misunderstanding something, but that doesn't ring true. (Maybe these devices are GG client devices?) And have you set up JITP? I presume you must have.

Are these devices Greengrass core devices? I know you have asked GG questions in the past. To properly delete a GG core device, you also need to call this: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/GreengrassV2.html#deleteCoreDevice-property. Perhaps you deleted the core device in the console.

AWS
Expert
Greg_B
Answered 7 months ago
  • Our policy is attached to the thing group, not the certificate itself. Yes, we have JITP configured for these devices. I think something is getting left behind after the delete process above that allows it to reuse the certificate again for JITP.

    These are not GG core devices, just standard IoT things (that sometimes connect as GG client devices). This is 100% reproducible.

  • Should we revoke the cert rather than set to inactive?

    https://docs.aws.amazon.com/iot/latest/developerguide/revoke-ca-cert.html
