AWS IoT - Trying to make fleet provision by claim work but always get "disconnectReason": "CONNECTION_LOST" instead of the permanent certificates


Hi All, I am using core_mqtt library v1.1.2 and trying to make fleet provisioning by claim work. I am trying this with the trusted user option, but for prototyping purposes I am generating the claim certificate using the AWS CloudShell. I used the AWS C SDK and tweaked this app: to work for me. I ran through the steps mentioned here: However, when I subscribe to the accepted and rejected callbacks and publish to the certificate creation topic, I end up with all the above steps working fine, but just when AWS has to send back the permanent certificates the MQTT connection shows as disconnected in CloudWatch like this: "disconnectReason": "CONNECTION_LOST".

My policies seem to be fine because I am able to subscribe and publish. The CloudWatch logs also show that the certificate request has been accepted and that createKeysAndCertificate is called by AWS to provision the new certificate. I can also see the permanent certificate ID and the certificate, which is pending activation, in the console. But the certificate and the response packet never arrive at my device.

I've tried the following:

  1. Increased the network buffer size from 1k to 4k, since certificate sizes are typically 1-2 KB.
  2. Increased the transport receive and send timeout values.
  3. Tried upgrading to the latest core_mqtt library as well. However, I have had no luck.

Please advise on what can be done.

1 Answer

Good morning rePost-User-7220504,

If I understand correctly, you are trying to build a fleet provisioning by claim scenario for a device running AWS C SDK; but the process is failing exactly at the moment you are supposed to receive your permanent certificate on your device (your device being suddenly disconnected by IoT Core). Is that accurate?

If so, there are at least 3 key things to ensure:

  1. The accepted/rejected certificate callback topics subscriptions should be completed before you publish to the certificate creation topic. You may introduce an explicit short delay (1 or 2 seconds) in your code for that.
  2. The accepted/rejected 'registerDevice' topics subscriptions should be completed before you publish to the device registration topic. You may introduce a short delay as well for that.
  3. You should have an existing provisioning template (that will determine your device's IoT policy, group memberships, etc. after registration).

Enforcing point #1 will likely solve your current main issue (not receiving the final certificate on your device).

Enforcing points #2 & #3 will ensure that the rest of your device provisioning flow is completed successfully (the certificate status will change from 'Pending activation' to 'Active'), and your device will be able to communicate with IoT Core and get on-boarded in groups as defined in your provisioning template. Refer to "CreateKeysAndCertificate" in the official documentation here for a step-by-step description.

For a deeper dive, you may go through this IoT Device Management Workshop series as well!


AWS
answered a year ago
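The ordering the answer insists on (points #1 and #2) can be seen in an in-process model of the exchange. The following is an added example, not code from the question, the answer, coreMQTT or the AWS C SDK: a fake broker stands in for IoT Core, the template name `ExampleTemplate` and serial `SN0001` are assumed, and every certificate value and ownership token is constructed. Topic and field names follow the AWS fleet provisioning MQTT API (`$aws/certificates/create/json`, `$aws/provisioning-templates/<template>/provision/json`, `certificateOwnershipToken`, `parameters`). What the model shows is the failure mode behind point #1: a response published to `.../accepted` before that subscription is acknowledged is simply not delivered, so the device never sees the certificate. It does not model the `CONNECTION_LOST` disconnect itself.

```python
"""Model of fleet provisioning by claim: subscribe-before-publish ordering.

Added example (not coreMQTT / AWS C SDK code). The broker, certificate
material, template name and ownership token are all constructed here.
"""
import json

CREATE_TOPIC = "$aws/certificates/create/json"
TEMPLATE = "ExampleTemplate"   # assumed provisioning template name
REGISTER_TOPIC = f"$aws/provisioning-templates/{TEMPLATE}/provision/json"
TOKEN = "constructed-ownership-token"


class FakeBroker:
    """Stand-in for IoT Core: a publish reaches current subscribers only.

    As with a real (non-retained) MQTT publish, a response sent to a topic
    that nobody has subscribed to yet is dropped; it is not queued for a
    SUBSCRIBE that arrives later.
    """

    def __init__(self):
        self.subscriptions = {}   # topic -> callback
        self.dropped = []         # (topic, body) pairs no one received

    def subscribe(self, topic, callback):
        self.subscriptions[topic] = callback
        return "SUBACK"

    def publish(self, topic, payload):
        # Broker-side behaviour for the two provisioning request topics.
        if topic == CREATE_TOPIC:
            self._deliver(CREATE_TOPIC + "/accepted", {
                "certificateId": "constructed-cert-id",
                "certificatePem": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
                "certificateOwnershipToken": TOKEN,
            })
        elif topic == REGISTER_TOPIC:
            req = json.loads(payload)
            if req.get("certificateOwnershipToken") == TOKEN:
                name = "thing-" + req["parameters"]["SerialNumber"]
                self._deliver(REGISTER_TOPIC + "/accepted", {"thingName": name})
            else:
                self._deliver(REGISTER_TOPIC + "/rejected",
                              {"errorCode": "InvalidCertificateOwnershipToken"})

    def _deliver(self, topic, body):
        cb = self.subscriptions.get(topic)
        if cb is None:
            self.dropped.append((topic, body))   # lost, exactly like the question's case
        else:
            cb(topic, json.dumps(body))


class Provisioner:
    """Device side of the exchange."""

    def __init__(self, broker):
        self.broker = broker
        self.inbox = {}   # topic -> decoded response

    def _on_message(self, topic, payload):
        self.inbox[topic] = json.loads(payload)

    def _await_subscriptions(self, topics):
        # Require a SUBACK for every response topic before any request is published.
        for t in topics:
            if self.broker.subscribe(t, self._on_message) != "SUBACK":
                raise RuntimeError("subscribe failed: " + t)

    def create_keys_and_certificate(self, subscribe_first=True):
        topics = [CREATE_TOPIC + "/accepted", CREATE_TOPIC + "/rejected"]
        if subscribe_first:
            self._await_subscriptions(topics)
        self.broker.publish(CREATE_TOPIC, "{}")   # request body is empty JSON
        if not subscribe_first:
            self._await_subscriptions(topics)     # too late: the reply was already dropped
        return self.inbox.get(CREATE_TOPIC + "/accepted")

    def register_thing(self, token, serial):
        self._await_subscriptions([REGISTER_TOPIC + "/accepted", REGISTER_TOPIC + "/rejected"])
        self.broker.publish(REGISTER_TOPIC, json.dumps({
            "certificateOwnershipToken": token,
            "parameters": {"SerialNumber": serial},
        }))
        return (self.inbox.get(REGISTER_TOPIC + "/accepted"),
                self.inbox.get(REGISTER_TOPIC + "/rejected"))


def provision(subscribe_first=True):
    """Run the whole flow; returns what the device ended up with and what was lost."""
    broker = FakeBroker()
    dev = Provisioner(broker)
    cert = dev.create_keys_and_certificate(subscribe_first)
    if cert is None:
        return {"certificate": None, "thing": None, "rejected": None, "dropped": broker.dropped}
    accepted, rejected = dev.register_thing(cert["certificateOwnershipToken"], "SN0001")
    return {"certificate": cert, "thing": accepted, "rejected": rejected, "dropped": broker.dropped}


if __name__ == "__main__":
    print("subscribe first:", provision(True)["thing"])
    print("publish first, dropped:", provision(False)["dropped"][0][0])
```

Running `provision(True)` yields the certificate and a `thingName`; `provision(False)` publishes before the `accepted`/`rejected` subscriptions exist, and the broker's `dropped` list records the certificate response that never reached the device. In real firmware the equivalent of `_await_subscriptions` is waiting for the SUBACK callback (or the fixed delay the answer suggests) before calling publish.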
