I am using a private CA that has been registered with IoT Core and is used to sign the device identity key. I have been able to get devices to do Just In Time Provisioning (JITP) using both RSA and EC device identity keys, but I have not been able to get a Greengrass deployment to work when using EC device identity keys. The same deployments work fine when the device uses RSA keys for device identity.
My greengrass configuration:
system:
  certificateFilePath: "/foobar/device-identity.crt"
  privateKeyPath: "/foobar/device-identity.key"
  rootCaPath: "/foobar/awsRootCA.pem"
  rootpath: "/greengrass/v2"
  thingName: "<UNIQUE_THING_NAME_PLACEHOLDER>"
services:
  aws.greengrass.Nucleus:
    configuration:
      awsRegion: "${AWS_DEFAULT_REGION}"
      greengrassDataPlaneEndpoint: "iotdata"
      iotDataEndpoint: "${IOT_DATA_ENDPOINT}"
      iotCredEndpoint: "${IOT_CRED_ENDPOINT}"
      iotRoleAlias: "${TE_ROLE_ALIAS}"
      mqtt:
        port: 8883
Where device-identity.key is the device private key file and device-identity.crt is a file that contains the CA cert appended to the device cert.
When I do a deployment to a device whose device private key was created using EC, I run into this error:
2024-09-24T17:10:58.090Z [WARN] (pool-3-thread-6) com.aws.greengrass.componentmanager.ClientConfigurationUtils: configure-greengrass-mutual-auth. Error during configure greengrass client mutual auth. {}
com.aws.greengrass.util.exceptions.TLSAuthException: Error during getting key managers
    at com.aws.greengrass.security.SecurityService.getDeviceIdentityKeyManagers(SecurityService.java:269)
    at com.aws.greengrass.deployment.DeviceConfiguration.getDeviceIdentityKeyManagers(DeviceConfiguration.java:968)
    at com.aws.greengrass.componentmanager.ClientConfigurationUtils.configureClientMutualTLS(ClientConfigurationUtils.java:122)
    at com.aws.greengrass.componentmanager.ClientConfigurationUtils.getConfiguredClientBuilder(ClientConfigurationUtils.java:105)
    at com.aws.greengrass.util.GreengrassServiceClientFactory.configureHttpClient(GreengrassServiceClientFactory.java:177)
    at com.aws.greengrass.util.GreengrassServiceClientFactory.configureClient(GreengrassServiceClientFactory.java:183)
    at com.aws.greengrass.util.GreengrassServiceClientFactory.fetchGreengrassV2DataClient(GreengrassServiceClientFactory.java:167)
    at com.aws.greengrass.deployment.ThingGroupHelper.lambda$listThingGroupsForDevice$2(ThingGroupHelper.java:83)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:77)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:45)
    at com.aws.greengrass.deployment.ThingGroupHelper.listThingGroupsForDevice(ThingGroupHelper.java:73)
    at com.aws.greengrass.deployment.DefaultDeploymentTask.getNonTargetGroupToRootPackagesMap(DefaultDeploymentTask.java:198)
    at com.aws.greengrass.deployment.DefaultDeploymentTask.call(DefaultDeploymentTask.java:115)
    at com.aws.greengrass.deployment.DefaultDeploymentTask.call(DefaultDeploymentTask.java:50)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: java.lang.IllegalArgumentException: Input byte array has incorrect ending byte at 49
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:880)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:570)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:593)
    at com.aws.greengrass.util.EncryptionUtils.loadPrivateKeyPair(EncryptionUtils.java:100)
    at com.aws.greengrass.security.SecurityService$DefaultCryptoKeyProvider.getKeyPair(SecurityService.java:333)
    at com.aws.greengrass.security.SecurityService$DefaultCryptoKeyProvider.getKeyManagers(SecurityService.java:302)
    at com.aws.greengrass.security.SecurityService.getKeyManagers(SecurityService.java:163)
    at com.aws.greengrass.security.SecurityService.lambda$getDeviceIdentityKeyManagers$2(SecurityService.java:263)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:77)
    at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:45)
    at com.aws.greengrass.security.SecurityService.getDeviceIdentityKeyManagers(SecurityService.java:263)
    ... 17 more
What might be going on here?
Thanks
Relevant snippet of greengrass log is shared in the post.
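The innermost cause in the trace above is a java.util.Base64 decode error, not a TLS or key-algorithm error: the key loader stripped the PEM envelope and then rejected what was left as Base64 (in java.util.Base64, "incorrect ending byte at N" is raised when more bytes follow the "=" padding). That points at the layout of the key file rather than at EC itself. The following checker, added here as an example and not part of the original post or of Greengrass, parses a PEM file into its blocks, strict-decodes each body, and reports the layouts that trip up a single-envelope loader: more than one BEGIN/END block in the file (the shape `openssl ecparam -genkey` produces, an EC PARAMETERS block followed by the key), CRLF line endings, and a SEC1 "EC PRIVATE KEY" envelope versus PKCS#8 "PRIVATE KEY". All function names are hypothetical, the `naive_strip_and_decode` loader is a constructed stand-in for a simple header-strip-then-Base64 loader (not the Greengrass implementation), and the sample PEM files are built from dummy bytes, not real keys.

```python
import base64
import binascii
import re
import textwrap
from typing import Dict, List, Optional, Tuple

# Hypothetical helper module; none of this is Greengrass code.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def make_pem(label: str, der: bytes) -> str:
    """Wrap bytes in a PEM envelope with 64-column Base64 lines (constructed test data)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample files. Payloads are dummy bytes, NOT real private keys.
DUMMY_KEY = bytes(range(48))
PKCS8_PEM = make_pem("PRIVATE KEY", DUMMY_KEY)
# Shape of `openssl ecparam -genkey` output: an EC PARAMETERS block (DER-encoded
# OID of prime256v1) followed by a SEC1 EC PRIVATE KEY block, in one file.
EC_WITH_PARAMS_PEM = (make_pem("EC PARAMETERS", bytes.fromhex("06082a8648ce3d030107"))
                      + make_pem("EC PRIVATE KEY", DUMMY_KEY))
CRLF_PEM = PKCS8_PEM.replace("\n", "\r\n")


def naive_strip_and_decode(text: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Constructed single-envelope loader: drop first and last line, strict-Base64 the rest.
    Shows how a multi-block or CRLF file surfaces as a Base64 error instead of a clear message."""
    lines = [line for line in text.split("\n") if line]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        return None, "not a single PEM envelope"
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True), None
    except binascii.Error as exc:
        return None, str(exc)


def parse_pem_blocks(text: str) -> List[Dict]:
    """Split a PEM file into labelled blocks, keeping line numbers for error reporting."""
    blocks: List[Dict] = []
    current: Optional[Dict] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if (m := BEGIN_RE.match(line)):
            current = {"label": m.group(1), "start": lineno, "end": None, "body": []}
            blocks.append(current)
        elif (m := END_RE.match(line)) and current is not None:
            current["end"] = lineno
            if m.group(1) != current["label"]:
                current["end_label"] = m.group(1)
            current = None
        elif current is not None:
            current["body"].append(line.strip())
    return blocks


def check_pem_key_file(text: str) -> Dict:
    """Report layouts a strict header-strip-then-Base64 loader would reject.
    'issues' are defects; 'notes' are format observations that may need conversion."""
    blocks = parse_pem_blocks(text)
    report: Dict = {"blocks": [b["label"] for b in blocks], "issues": [], "notes": []}
    if "\r\n" in text:
        report["issues"].append("CRLF line endings: a strict Base64 decoder rejects the '\\r' bytes")
    if not blocks:
        report["issues"].append("no PEM block found")
        return report
    if len(blocks) > 1:
        report["issues"].append(f"{len(blocks)} PEM blocks in one file; a single-envelope loader "
                                "reads the inner BEGIN/END lines as Base64 body")
    if "EC PARAMETERS" in report["blocks"]:
        report["notes"].append("EC PARAMETERS block present (typical of `openssl ecparam -genkey`); "
                               "drop it, or re-export with `openssl pkcs8 -topk8 -nocrypt`")
    for b in blocks:
        if b["end"] is None:
            report["issues"].append(f"{b['label']} (line {b['start']}) has no END line")
            continue
        if "end_label" in b:
            report["issues"].append(f"{b['label']} (line {b['start']}) closed by END {b['end_label']}")
        try:
            base64.b64decode("".join(b["body"]), validate=True)
        except binascii.Error as exc:
            report["issues"].append(f"{b['label']} (line {b['start']}) body is not valid Base64: {exc}")
    key_labels = [b["label"] for b in blocks if b["label"] in KEY_LABELS]
    if not key_labels:
        report["issues"].append("no private-key block found")
    elif key_labels[0] == "EC PRIVATE KEY":
        report["notes"].append("SEC1 'EC PRIVATE KEY' envelope; if the loader only handles PKCS#8, convert "
                               "with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem`")
    return report


if __name__ == "__main__":
    for name, pem in (("pkcs8", PKCS8_PEM), ("ec+params", EC_WITH_PARAMS_PEM), ("crlf", CRLF_PEM)):
        print(name, "naive loader:", naive_strip_and_decode(pem)[1] or "ok")
        print(name, "report:", check_pem_key_file(pem))
```

Run it against the real `privateKeyPath` file by passing its contents to `check_pem_key_file`; a PKCS#8 file with a single block and LF endings yields no issues, while the two-block `ecparam` layout is flagged before any TLS handshake is attempted. Keep the check on the device side (it only reads the file) so the private key never leaves the host.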