Why does greengrass deployment fail when the device identity key uses EC instead of RSA?

I am using a private CA that has been registered with IoT Core and it is used to sign the device identity key. I have been able to get devices to do Just In Time Provisioning (JITP) using both RSA and EC device identity keys. But I have not been able to get a Greengrass deployment to work when using EC device identity keys. The same deployments work fine when the device uses RSA keys for device identity.

My greengrass configuration:

system:
  certificateFilePath: "/foobar/device-identity.crt"
  privateKeyPath: "/foobar/device-identity.key"
  rootCaPath: "/foobar/awsRootCA.pem"
  rootpath: "/greengrass/v2"
  thingName: "<UNIQUE_THING_NAME_PLACEHOLDER>"
services:
  aws.greengrass.Nucleus:
    configuration:
      awsRegion: "${AWS_DEFAULT_REGION}"
      greengrassDataPlaneEndpoint: "iotdata"
      iotDataEndpoint: "${IOT_DATA_ENDPOINT}"
      iotCredEndpoint: "${IOT_CRED_ENDPOINT}"
      iotRoleAlias: "${TE_ROLE_ALIAS}"
      mqtt:
        port: 8883

Where the device-identity.key is the device private key file and device-identity.crt is a file that contains the CA cert appended to the device cert.

When I do a deployment to a device that has its device private key created using EC, I run into this error:

2024-09-24T17:10:58.090Z [WARN] (pool-3-thread-6) com.aws.greengrass.componentmanager.ClientConfigurationUtils: configure-greengrass-mutual-auth. Error during configure greengrass client mutual auth. {}
com.aws.greengrass.util.exceptions.TLSAuthException: Error during getting key managers
	at com.aws.greengrass.security.SecurityService.getDeviceIdentityKeyManagers(SecurityService.java:269)
	at com.aws.greengrass.deployment.DeviceConfiguration.getDeviceIdentityKeyManagers(DeviceConfiguration.java:968)
	at com.aws.greengrass.componentmanager.ClientConfigurationUtils.configureClientMutualTLS(ClientConfigurationUtils.java:122)
	at com.aws.greengrass.componentmanager.ClientConfigurationUtils.getConfiguredClientBuilder(ClientConfigurationUtils.java:105)
	at com.aws.greengrass.util.GreengrassServiceClientFactory.configureHttpClient(GreengrassServiceClientFactory.java:177)
	at com.aws.greengrass.util.GreengrassServiceClientFactory.configureClient(GreengrassServiceClientFactory.java:183)
	at com.aws.greengrass.util.GreengrassServiceClientFactory.fetchGreengrassV2DataClient(GreengrassServiceClientFactory.java:167)
	at com.aws.greengrass.deployment.ThingGroupHelper.lambda$listThingGroupsForDevice$2(ThingGroupHelper.java:83)
	at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:77)
	at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:45)
	at com.aws.greengrass.deployment.ThingGroupHelper.listThingGroupsForDevice(ThingGroupHelper.java:73)
	at com.aws.greengrass.deployment.DefaultDeploymentTask.getNonTargetGroupToRootPackagesMap(DefaultDeploymentTask.java:198)
	at com.aws.greengrass.deployment.DefaultDeploymentTask.call(DefaultDeploymentTask.java:115)
	at com.aws.greengrass.deployment.DefaultDeploymentTask.call(DefaultDeploymentTask.java:50)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: java.lang.IllegalArgumentException: Input byte array has incorrect ending byte at 49
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:880)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:570)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:593)
	at com.aws.greengrass.util.EncryptionUtils.loadPrivateKeyPair(EncryptionUtils.java:100)
	at com.aws.greengrass.security.SecurityService$DefaultCryptoKeyProvider.getKeyPair(SecurityService.java:333)
	at com.aws.greengrass.security.SecurityService$DefaultCryptoKeyProvider.getKeyManagers(SecurityService.java:302)
	at com.aws.greengrass.security.SecurityService.getKeyManagers(SecurityService.java:163)
	at com.aws.greengrass.security.SecurityService.lambda$getDeviceIdentityKeyManagers$2(SecurityService.java:263)
	at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:77)
	at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:45)
	at com.aws.greengrass.security.SecurityService.getDeviceIdentityKeyManagers(SecurityService.java:263)
	... 17 more

What might be going on here?

Thanks
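The "incorrect ending byte" in the trace is raised by a plain Base64 decode of the private key file, so one thing worth checking is what that file actually contains: an EC key written by `openssl ecparam -genkey` carries two PEM blocks (an EC PARAMETERS block followed by a SEC1 EC PRIVATE KEY block), while PKCS#8 output (`openssl pkcs8 -topk8 -nocrypt`) is a single PRIVATE KEY block, like a typical RSA key file. The Python below is an added diagnostic, not code from the post or from Greengrass; the two sample PEM files in it are constructed and the label hints are assumptions for the report.

```python
"""List a PEM key file's blocks and check each base64 body as a strict loader would."""
import base64
import binascii
import re

# One PEM block: label, base64 body, and an END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Assumed reading of each standard PEM label, used for the report only.
LABEL_HINTS = {
    "PRIVATE KEY": "PKCS#8, single algorithm-agnostic block",
    "EC PRIVATE KEY": "SEC1 EC key, legacy OpenSSL format",
    "RSA PRIVATE KEY": "PKCS#1 RSA key, legacy OpenSSL format",
    "EC PARAMETERS": "curve parameters only, not a key",
}

def decode_error(body):
    """None if body is clean base64 (padding only at the end), else why not."""
    joined = "".join(body.split())
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", joined):
        return "padding or non-base64 bytes before the end of the body"
    try:
        base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        return str(exc)
    return None

def inspect_pem(text):
    """Per-block view: [(label, hint, decode_error_or_None), ...]."""
    return [(label, LABEL_HINTS.get(label, "unknown label"), decode_error(body))
            for label, body in PEM_BLOCK.findall(text)]

def naive_body_error(text):
    """Mimic a loader that drops every -----BEGIN/END----- line and decodes the rest as one blob."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return decode_error("".join(ln for ln in lines if not ln.startswith("-----")))

def is_single_pkcs8(text):
    """True only for a file holding exactly one clean 'PRIVATE KEY' block."""
    blocks = inspect_pem(text)
    return len(blocks) == 1 and blocks[0][0] == "PRIVATE KEY" and blocks[0][2] is None

# Constructed samples, not real keys: the two-block layout `openssl ecparam -genkey`
# writes (real prime256v1 OID in the parameters block) and a PKCS#8 single block.
FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
EC_TWO_BLOCKS = ("-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n"
                 "-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\n"
                 f"{FAKE_BODY}\n-----END EC PRIVATE KEY-----\n")
PKCS8_ONE_BLOCK = f"-----BEGIN PRIVATE KEY-----\n{FAKE_BODY}\n-----END PRIVATE KEY-----\n"
```

Run `inspect_pem` and `naive_body_error` over the real device-identity.key to see whether the file is one block or several and whether a single-blob decode of it trips on padding; `is_single_pkcs8` is the quick yes/no check.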

1 Answer
Hello,

To troubleshoot the issue in the right direction, we require the log file in /greengrass/v2/logs.

Please feel free to open a case with AWS Support and share them with us.

Thank you!

AWS
answered 2 months ago
  • Relevant snippet of greengrass log is shared in the post.