By using AWS re:Post, you agree to the Terms of Use

Use our own CA cert with Greengrass aws.greengrass.FleetProvisioningByClaim.jar


Hi, I've create and registered a CA certificate in IoT core. When I use this for greengrass fleet provisioning it fails with

java.lang.RuntimeException: TLS (SSL) negotiation failed

The documentation is not very clear about how to use it with Greengrass. But the existence of "Automatic certificate registration" when doing "Register CA certificate" suggests it should work and I'm missing something. Any advice much appreciated.

2 Answers

UPDATE - Looked into this a bit more, seems like you're trying to use your own CA because you'd register your own client certificates signed by that CA to use for your devices, in which case, the Greengrass aws.greengrass.FleetProvisioningPlugin will not help, you can use this plugin if you're okay using the Amazon Root CA and let IoT Core generate client certificates for you from the claim certificate and provisioning template. If that doesn't work for you, you may be looking for JITP/JITR options IoT Core provides and

answered 7 months ago
  • Thanks @shagupta-aws for the information. If we bake the claim cert and key into lots of devices and then it is deleted or revoked (accidently) is there a way to restore it if it's an Amazon issued certificate? I guess that was my only reason for using a custom CA.


Hi @ncarn,

Thanks for using Greengrass. It's hard to tell just by the error message why it failed, but common reasons for this issue are using the incorrect IoT data endpoint or the root CA certificate, could you tell us what configuration options you provided while installing Greengrass using the aws.greengrass.FleetProvisioningByClaim plugin? As described here, please ensure that you're using the ATS IoT data endpoint and placing the Amazon Root CA certificate on the device you're trying to provision. Did you see the private key and certificate files downloaded on the device, if not, were there any other failure logs in greengrass.log file? It will be helpful if you can share the logs too.

You could also try enabling monitoring for connection failures in CloudWatch to get logs in your AWS account It might not provide information for client side issues but will make troubleshooting easier overall.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions