
Issue with Custom Certificate Paths in Greengrass Fleet Provisioning by Claim

0

Hello AWS Community,

I am currently working on customizing the certificate paths for AWS Greengrass Fleet Provisioning by Claim and encountering an issue where the custom paths seem to be ignored during execution.

Here is what I have done so far:

I added the following configuration to config.yaml to customize the certificate locations:

certPath: "/greengrass-setup/thingCert.crt"
keyPath: "/greengrass-setup/privKey.key"

From the logs, it appears that these parameters are being processed:

2025-01-14T12:22:42.791Z [DEBUG] (pool-3-thread-1) com.aws.greengrass.FleetProvisioningByClaimPlugin: The parameter map for the plugin is:
{parameters={awsRegion=eu-central-1, certPath=/greengrass-setup/thingCert.crt, claimCertificatePath=/greengrass-setup/certificate.pem, claimCertificatePrivateKeyPath=/greengrass-setup/certificate.key, iotCredentialEndpoint=XY.credentials.iot.eu-central-1.amazonaws.com, iotDataEndpoint=XY-ats.iot.eu-central-1.amazonaws.com, iotRoleAlias=GreengrassCoreTokenExchangeRoleAlias, keyPath=/greengrass-setup/privKey.key, provisioningTemplate=GreengrassFleetProvisioningTemplate, rootCaPath=/greengrass-setup/AmazonRootCA1.pem, rootPath=/greengrass/v2, templateParameters={OwnerId=XY, ThingGroupName=XY, ThingName=XY}}}

Despite this, the certificates are still being stored in the rootPath, and the effectiveConfig.yaml points to the root directory:

system:
  certificateFilePath: "/greengrass/v2/thingCert.crt"
  privateKeyPath: "/greengrass/v2/privKey.key"
  rootCaPath: "/greengrass-setup/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "01JHJC8572KT0AQK3V8P79T06T"

I also updated the OPTIONS variable in greengrass-entrypoint.sh to include the plugin, as follows:

OPTIONS="-Droot=${GGC_ROOT_PATH} -Dlog.store=FILE -Dlog.level=${LOG_LEVEL} -jar ${INIT_JAR_PATH}/lib/Greengrass.jar --provision ${PROVISION} --deploy-dev-tools ${DEPLOY_DEV_TOOLS} --aws-region ${AWS_REGION} --start false --init-config ${INIT_CONFIG} --trusted-plugin ${TRUSTED_PLUGIN}"

The changes I made follow the documentation from Fleet Provisioning by Claim. Unfortunately, these modifications have not resolved the issue.

My code is based on:
https://github.com/aws-greengrass/aws-greengrass-docker
https://github.com/aws-greengrass/aws-greengrass-fleet-provisioning-by-claim?tab=readme-ov-file

My question: How can I ensure that the custom paths for the certificates are correctly recognized and used by Greengrass? Is there any additional configuration or troubleshooting step I might have missed? I appreciate any advice or suggestions the community can provide.

Thank you!

Best regards

2 Answers
1

Currently, core devices provisioned with the fleet provisioning plugin will always store the device identity credentials at the greengrass root folder. The configuration keys you updated are not supported by the fleet provisioning plugin yet. So, the device identity credentials (cert and the private key) are still stored at the root folder.

AWS
answered a year ago
-1

It appears that you're encountering an issue where AWS IoT Greengrass is not recognizing the custom certificate paths you've specified in your configuration. This is a known challenge when working with Greengrass fleet provisioning.

To address this issue, consider the following steps:

  1. Double-check your config.yaml file to ensure the paths are correctly specified and there are no typos.

  2. Verify that the certificates and keys are actually present in the locations you've specified (/greengrass-setup/ in your case).

  3. Make sure you're using the latest version of the AWS IoT Greengrass Core software, as older versions might have bugs related to custom certificate paths.

  4. In your greengrass-entrypoint.sh script, ensure that the INIT_CONFIG variable is correctly set to point to your custom config.yaml file.

  5. Check the Greengrass logs for any error messages or warnings related to certificate loading or file paths.

  6. If you're using a Docker container, ensure that the volumes are correctly mapped so that Greengrass can access the certificate files in the specified locations.

  7. Try using absolute paths instead of relative paths for the certificate locations in your config.yaml file.

  8. If the issue persists, you might need to modify the Greengrass core software to explicitly use your custom paths. This would involve editing the Java code responsible for loading the certificates.

  9. As a workaround, you could try symlinking your custom certificate locations to the default locations that Greengrass is using.

If none of these steps resolve the issue, you may need to contact AWS support for further assistance, as there could be an underlying issue with the Greengrass software itself.

Remember that when working with AWS IoT Greengrass, it's crucial to follow security best practices, especially when handling certificates and private keys.

Sources
Device onboarding to AWS IoT using Virtual Private Cloud endpoints | The Internet of Things on AWS – Official Blog
Install and run AWS IoT Greengrass on the core device - AWS IoT Greengrass

answered a year ago
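As an added check (not code from the question, either answer, or the Greengrass project), this POSIX shell script does steps 2 and 5 above plus the private-key hygiene point in one pass: it reads certificateFilePath and privateKeyPath out of effectiveConfig.yaml, compares them with the certPath/keyPath requested in config.yaml, and verifies the private key file is not group- or world-readable. It assumes only flat quoted `key: "value"` lines (it is not a YAML parser), and the effectiveConfig.yaml it parses is a constructed copy of the one in the question.

```shell
#!/bin/sh
# Added example (not code from the question, the answers, or the Greengrass project):
# compares the certPath/keyPath requested in config.yaml with what Greengrass actually
# wrote to effectiveConfig.yaml, and checks the private key is owner-only readable.
# Handles only flat 'key: "value"' lines; the sample file below is constructed.

# Print the (optionally quoted) value of a key from a YAML file. Usage: yaml_value <file> <key>
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Requested vs effective path; returns 0 only when they match. Usage: check_path <label> <requested> <effective>
check_path() {
    if [ "$2" = "$3" ]; then
        echo "OK   $1 -> $3"
        return 0
    fi
    echo "MISS $1: requested $2 but effectiveConfig.yaml uses $3"
    return 1
}

# Private key must exist and be mode 600 or 400 (no group/world read). Usage: key_perms_ok <path>
key_perms_ok() {
    [ -f "$1" ] || { echo "MISSING key file $1"; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat first, then BSD stat
    case "$mode" in
        600|400) echo "OK   key mode $mode on $1"; return 0 ;;
        *)       echo "WARN key mode $mode on $1 (expected 600 or 400)"; return 1 ;;
    esac
}

# Constructed effectiveConfig.yaml mirroring the one in the question (sample data, not a real device).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/effectiveConfig.yaml" <<'EOF'
system:
  certificateFilePath: "/greengrass/v2/thingCert.crt"
  privateKeyPath: "/greengrass/v2/privKey.key"
  rootpath: "/greengrass/v2"
EOF
    status=0
    check_path certPath /greengrass-setup/thingCert.crt "$(yaml_value "$tmp/effectiveConfig.yaml" certificateFilePath)" || status=1
    check_path keyPath  /greengrass-setup/privKey.key   "$(yaml_value "$tmp/effectiveConfig.yaml" privateKeyPath)"     || status=1
    rm -rf "$tmp"
    return $status
}

demo || echo "Device credentials were not written to the paths requested in config.yaml."
```

On a real core device, point yaml_value at /greengrass/v2/config/effectiveConfig.yaml and key_perms_ok at the privateKeyPath it reports; with the plugin behaviour described in the accepted answer, expect both MISS lines.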
