I have the following use-case
We are implementing an IoT application with Client Devices that need to connect to a Greengrass Core Device for telemetry. Both the Greengrass Core Device and the Client Devices are provisioned with client certificates that are signed by a CA that is registered in IoT Core.
The client devices themselves retrieve DeviceDiscovery information from the Data Plane endpoint:
greengrass-ats.iot.<region_name>.amazonaws.com:8443/greengrass/discover/thing/<thing_name>
Problem description
When performing an initial proof-of-concept test we provisioned our devices with AWS-signed certs, and in that case device discovery worked perfectly, returning the associated core devices along with connectivity info. However, if we take the same client devices with the same client IDs and attach new self-signed activated certificates with the same policy attached, we get the following response from device discovery:
curl: (52) Empty reply from server
In the troubleshooting guide at https://docs.aws.amazon.com/greengrass/v2/developerguide/troubleshooting-client-devices.html#greengrass-discovery-issues we are advised to check if the certificate is active, which it definitely is.
So my concern is then whether this is due to missing support for self-signed client certificates in the discovery API, or whether I have missed something else?
Thanks,
Mathias
Hi Michael
Currently the device that I'm testing with has both the original AWS-signed certificate and the new custom CA-signed cert attached. Both certificates have the same IoT Policy attached, which amongst other things contains:
{ "Effect": "Allow", "Action": "greengrass:Discover", "Resource": "*" }
Can you verify that the certificate you are using is correctly registered in AWS IoT by using that certificate to connect to AWS IoT Core using an MQTT client? Mosquitto for example is a command line client which will work to determine this.
If you are able, I would recommend that you open a case with AWS support so that they can investigate your specific account settings.
Thanks for your suggestion :) - I tried the following: mosquitto_pub -h <account_id>-ats.iot.eu-central-1.amazonaws.com -p 8883 -t hello -m hello --cafile AmazonRootCA1.pem --cert device.pem.crt --key private.pem.key -i <client_id>
With both sets of key/certificate it works without issue. I will see if i can open a case.
Please try doing discovery using your IoT Core account-specific endpoint instead of the "shared" greengrass-ats endpoint. Find the correct endpoint in the AWS IoT Console or using the describe-endpoint command with the input iot:Data-ATS.
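The two checks suggested in this thread (confirm the certificate is ACTIVE, then run discovery against the account-specific iot:Data-ATS endpoint rather than the shared greengrass-ats host) put together in one script. This is an added example, not code from any of the posters or from AWS; it assumes the AWS CLI and curl are installed and that the caller's credentials may call iot:DescribeEndpoint and iot:DescribeCertificate. The thing name is taken as the first argument, and the file names device.pem.crt, private.pem.key and AmazonRootCA1.pem are placeholders carried over from the mosquitto_pub command above. AWS IoT's certificate ID is the lower-case hex SHA-256 fingerprint of the DER-encoded certificate, which is how the script looks the certificate up without copying the ID from the console.

```shell
#!/bin/sh
# Added example: Greengrass v2 client-device discovery against the
# account-specific Data-ATS endpoint, preceded by a certificate status check.
set -eu

# Build the discovery URL from a data-plane endpoint host and a thing name.
# Pure string construction, no network; port 8443 and the path are the
# documented Greengrass discovery endpoint.
discovery_url() {
    printf 'https://%s:8443/greengrass/discover/thing/%s\n' "$1" "$2"
}

# Derive the AWS IoT certificate ID from a PEM file: SHA-256 of the DER
# encoding, lower-case hex (the last field of "openssl dgst" output).
cert_id_from_pem() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print tolower($NF)}'
}

# Account-specific data-plane endpoint, as the last reply recommends.
data_ats_endpoint() {
    aws iot describe-endpoint --endpoint-type iot:Data-ATS \
        --query endpointAddress --output text
}

# Certificate status as registered in AWS IoT (ACTIVE, INACTIVE, REVOKED, ...).
cert_status() {
    aws iot describe-certificate --certificate-id "$1" \
        --query 'certificateDescription.status' --output text
}

main() {
    thing="$1"
    cert="${2:-device.pem.crt}"        # placeholder file names, as in the thread
    key="${3:-private.pem.key}"
    ca="${4:-AmazonRootCA1.pem}"

    cert_id=$(cert_id_from_pem "$cert")
    status=$(cert_status "$cert_id")
    echo "certificate $cert_id status: $status"
    if [ "$status" != "ACTIVE" ]; then
        echo "certificate is not ACTIVE; discovery will be rejected" >&2
        exit 1
    fi

    endpoint=$(data_ats_endpoint)
    url=$(discovery_url "$endpoint" "$thing")
    echo "GET $url"
    # Mutual TLS with the device's own certificate. -w appends the HTTP status
    # after the body; a TLS or connection failure shows as "HTTP 000", and
    # curl's own exit code (e.g. 52 for an empty reply) propagates via set -e.
    curl --silent --show-error --cacert "$ca" --cert "$cert" --key "$key" \
         -w '\nHTTP %{http_code}\n' "$url"
}

# Only run when given a thing name, so the file can also be sourced for its
# helper functions.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Usage: `sh discover.sh <thing_name> [cert.pem] [key.pem] [root-ca.pem]`. If the certificate check passes but discovery still fails with the account-specific endpoint, the script's output (certificate ID, status, exact URL and HTTP status) is what an AWS support case will ask for.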