Deleted IoT thing recreated after reconnecting

0

We are programmatically deleting things via the Javascript SDK, specifically:

  • For all thing principals
  1. detach principal
  2. set cert to inactive (our certs don't have policies attached)
  3. delete cert
  • delete thing
  • delete thing shadow

After this process, both the thing and its certificate are deleted. However, if we reconnect the device, I see the device re-created in IoT (via JITP I assume?) with the same cert as before.

When I delete the thing via the AWS console, we do not see this behavior -- the device cannot connect again once it's been deleted.

I assume we're missing something in our programmatic approach. Our certificates don't have policies so we skipped those steps in the reference post here: https://stackoverflow.com/a/47541482/1137498

asked 6 months ago · 246 views
2 Answers
1
Accepted Answer

At the time of connecting the device with IoT, which certificate are you using? Assuming auto-registration is enabled on the CA: if you try to connect with a cert that is not known to IoT (deleted from IoT) but was signed by a CA that was registered, the cert will be auto-registered in a PENDING_ACTIVATION state, and another call is needed to update the certificate to the ACTIVE state for the connection to be successful (which is what happened in your case as well).

Even if the cert is deleted from AWS IoT, you can use the same device cert to connect to IoT. JITR or JITP will auto-register the certificate.

AWS
SUPPORT ENGINEER
Palak
answered 6 months ago
  • Yes, I think this is what's happening. I thought the re-registration was NOT working when deleting through the web console, but I think we were revoking instead of deactivating in that workflow.

    To recap, this workflow is now working for us:

      • For all thing principals
      1. detach principal
      2. REVOKE cert (instead of deactivating)
      3. delete cert
      • delete thing
      • delete thing shadow
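The decommissioning sequence the question describes, with the change the accepted answer and the follow-up comment settle on (revoke each certificate instead of deactivating it), as an added example that is not code from the question or from either answer. It assumes `iot` and `iotData` expose the AWS SDK for JavaScript v2 `Iot` / `IotData` methods used below, each returning an object with a `.promise()`; `FakeIot`, the thing name `sensor-01` and the certificate ids are constructed here so the example runs offline.

```javascript
// Added example, not code from the thread. It implements the workflow the
// question lists, with REVOKED instead of INACTIVE as the follow-up comment
// reports. `iot` / `iotData` are assumed to be AWS SDK v2 Iot / IotData
// clients (or anything with the same method shapes); FakeIot is a constructed
// in-memory stand-in so the example runs without an AWS account.

function certificateIdFromArn(arn) {
  // Certificate ARNs look like arn:aws:iot:REGION:ACCOUNT:cert/CERT_ID
  const marker = ':cert/';
  const idx = arn.indexOf(marker);
  if (idx === -1) throw new Error(`not a certificate ARN: ${arn}`);
  return arn.slice(idx + marker.length);
}

async function decommissionThing(iot, iotData, thingName) {
  const { principals } = await iot.listThingPrincipals({ thingName }).promise();
  for (const principal of principals) {
    await iot.detachThingPrincipal({ thingName, principal }).promise();
    if (!principal.includes(':cert/')) continue; // e.g. Cognito identity principals
    const certificateId = certificateIdFromArn(principal);
    // REVOKED rather than INACTIVE: per the follow-up comment, this is what
    // kept the device from being re-registered when it reconnected.
    await iot.updateCertificate({ certificateId, newStatus: 'REVOKED' }).promise();
    await iot.deleteCertificate({ certificateId }).promise();
  }
  await iot.deleteThing({ thingName }).promise();
  try {
    await iotData.deleteThingShadow({ thingName }).promise();
  } catch (err) {
    // A thing that never reported a shadow has nothing to delete.
    if (err.code !== 'ResourceNotFoundException') throw err;
  }
  return principals.length;
}

// Constructed stand-in for both clients. It models only the state rules that
// matter for the ordering above: an ACTIVE or still-attached certificate
// cannot be deleted, and a thing with attached principals cannot be deleted.
class FakeIot {
  constructor() {
    this.things = new Map();   // thingName -> Set of principal ARNs
    this.certs = new Map();    // certificateId -> status
    this.shadows = new Set();  // thing names that currently have a shadow
    this.calls = [];           // call log, for inspection
  }
  addThing(thingName, certificateId, withShadow = true) {
    const arn = `arn:aws:iot:us-east-1:123456789012:cert/${certificateId}`; // constructed
    this.things.set(thingName, new Set([arn]));
    this.certs.set(certificateId, 'ACTIVE');
    if (withShadow) this.shadows.add(thingName);
  }
  fail(code, message) { const e = new Error(message); e.code = code; throw e; }
  ok(value) { return { promise: async () => value }; }
  listThingPrincipals({ thingName }) {
    this.calls.push('listThingPrincipals');
    if (!this.things.has(thingName)) this.fail('ResourceNotFoundException', thingName);
    return this.ok({ principals: [...this.things.get(thingName)] });
  }
  detachThingPrincipal({ thingName, principal }) {
    this.calls.push('detachThingPrincipal');
    this.things.get(thingName).delete(principal);
    return this.ok({});
  }
  updateCertificate({ certificateId, newStatus }) {
    this.calls.push(`updateCertificate:${newStatus}`);
    this.certs.set(certificateId, newStatus);
    return this.ok({});
  }
  deleteCertificate({ certificateId }) {
    this.calls.push('deleteCertificate');
    if (this.certs.get(certificateId) === 'ACTIVE') this.fail('CertificateStateException', 'certificate is ACTIVE');
    for (const principals of this.things.values()) {
      for (const arn of principals) {
        if (arn.endsWith(`:cert/${certificateId}`)) this.fail('DeleteConflictException', 'still attached');
      }
    }
    this.certs.delete(certificateId);
    return this.ok({});
  }
  deleteThing({ thingName }) {
    this.calls.push('deleteThing');
    if (this.things.get(thingName).size > 0) this.fail('DeleteConflictException', 'principals attached');
    this.things.delete(thingName);
    return this.ok({});
  }
  deleteThingShadow({ thingName }) {
    this.calls.push('deleteThingShadow');
    if (!this.shadows.delete(thingName)) this.fail('ResourceNotFoundException', 'no shadow');
    return this.ok({});
  }
}

// Stand-alone run against the fake; with real clients pass new AWS.Iot() and
// new AWS.IotData({ endpoint }) instead of the same FakeIot twice.
(async () => {
  const fake = new FakeIot();
  fake.addThing('sensor-01', 'abc123');
  const n = await decommissionThing(fake, fake, 'sensor-01');
  console.log(`detached ${n} principal(s); calls: ${fake.calls.join(' -> ')}`);
})();
```

The fake refuses `deleteCertificate` while the certificate is ACTIVE or still attached, and refuses `deleteThing` while principals are attached, so a change to the call order fails loudly rather than silently leaving a certificate or thing behind.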

0

Hi. How are your devices connecting if there's no policy attached to the certificate? I'm not sure if I'm misunderstanding something, but that doesn't ring true. (Maybe these devices are GG client devices?) And have you set up JITP? I presume you must have.

Are these devices Greengrass core devices? I know you have asked GG questions in the past. To properly delete a GG core device, you also need to call this: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/GreengrassV2.html#deleteCoreDevice-property. Perhaps you deleted the core device in the console.

AWS
EXPERT
Greg_B
answered 6 months ago
  • Our policy is attached to the thing group, not the certificate itself. Yes, we have JITP configured for these devices. I think something is getting left behind after the delete process above that allows it to reuse the certificate again for JITP.

    These are not GG core devices, just standard IoT things (that sometimes connect as GG client devices). This is 100% reproducible.

  • Should we revoke the cert rather than set to inactive?

    https://docs.aws.amazon.com/iot/latest/developerguide/revoke-ca-cert.html
