private key for MqttCertificate is not set

0

I consistently get this at greengrass startup

[2019-07-12T15:30:56.744Z][DEBUG]-[3]GK Remote: Got request: /2016-11-01/remoteCrypto/publickey/MqttCertificate
[2019-07-12T15:30:56.744Z][WARN]-[5]GK Remote: Error retrieving public key data: ErrPrincipalNotConfigured: private key for MqttCertificate is not set

Not sure if it's related, but when I run the python tester, the publisher runs with no errors, looking like it's publishing to the local gg broker. The subscriber runs with no errors, but never receives any messages. On top of that I get zero greengrass indicating anything about connections from those devices.

Maybe related: when I try to set one of the devices to sync to the cloud, that sync always fails.

I've seen at least a dozen posts about this error/warning/message. But none seem to have any resolution or insight into what the implication of this message means.

Edited by: memelet on Jul 12, 2019 9:00 AM

memelet
asked 5 years ago, 188 views
8 Answers
0

I've tried all manner of subscriptions:

pub -> sub
pub -> cloud
cloud -> sub
shadow -> ...

These do get reflected in the deployment group config, but seem to have no effect.

Edited by: memelet on Jul 12, 2019 9:06 AM

memelet
answered 5 years ago
0

I can however publish directly to the iot broker. It's just using the greengrass broker that does not work at all.

memelet
answered 5 years ago
0

With core logging set to DEBUG I get these when publishing to the core

==> GGConnManager.log <==
[2019-07-12T16:14:04.989Z][DEBUG]-Checking if client fingerprint is valid.	{"fingerprint": "d6cc89deb4017c1c07ab8cbf7e71aa561e62342b3ddfb7877fc7c979c43cc110", "clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:04.989Z][DEBUG]-Add an incoming connection.	{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:51169"}
[2019-07-12T16:14:04.989Z][DEBUG]-Added a new client connection.	{"clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:04.989Z][DEBUG]-Connection refused.	{"address": "127.0.0.1:51169", "errorString": "Connection Refused: not authorized"}
[2019-07-12T16:14:04.989Z][DEBUG]-Delete a connection.	{"clientId": "lm-connect_Collector1", "address": "<nil>"}
[2019-07-12T16:14:04.99Z][DEBUG]-Deleted a client connection.	{"address": "<nil>"}
[2019-07-12T16:14:04.99Z][DEBUG]-Removing device connection.{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:51169"}
[2019-07-12T16:14:04.99Z][DEBUG]-Close and clean up connection.	{"address": "<nil>"}
[2019-07-12T16:14:04.99Z][DEBUG]-Close connection	{"address": "<nil>"}
[2019-07-12T16:14:05.998Z][DEBUG]-Checking if client fingerprint is valid.	{"fingerprint": "d6cc89deb4017c1c07ab8cbf7e71aa561e62342b3ddfb7877fc7c979c43cc110", "clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:05.998Z][DEBUG]-Add an incoming connection.	{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:45277"}
[2019-07-12T16:14:05.999Z][DEBUG]-Added a new client connection.	{"clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:05.999Z][DEBUG]-Connection refused.	{"address": "127.0.0.1:45277", "errorString": "Connection Refused: not authorized"}
[2019-07-12T16:14:05.999Z][DEBUG]-Delete a connection.	{"clientId": "lm-connect_Collector1", "address": "<nil>"}
[2019-07-12T16:14:05.999Z][DEBUG]-Deleted a client connection.	{"address": "<nil>"}
[2019-07-12T16:14:05.999Z][DEBUG]-Removing device connection.	{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:45277"}
[2019-07-12T16:14:05.999Z][DEBUG]-Close and clean up connection.	{"address": "<nil>"}
[2019-07-12T16:14:05.999Z][DEBUG]-Close connection	{"address": "<nil>"}
[2019-07-12T16:14:08.01Z][DEBUG]-Checking if client fingerprint is valid.	{"fingerprint": "d6cc89deb4017c1c07ab8cbf7e71aa561e62342b3ddfb7877fc7c979c43cc110", "clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:08.01Z][DEBUG]-Add an incoming connection.{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:52545"}
[2019-07-12T16:14:08.01Z][DEBUG]-Added a new client connection.	{"clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:08.01Z][DEBUG]-Connection refused.	{"address": "127.0.0.1:52545", "errorString": "Connection Refused: not authorized"}
[2019-07-12T16:14:08.01Z][DEBUG]-Delete a connection.	{"clientId": "lm-connect_Collector1", "address": "<nil>"}
[2019-07-12T16:14:08.01Z][DEBUG]-Deleted a client connection.	{"address": "<nil>"}
[2019-07-12T16:14:08.01Z][DEBUG]-Removing device connection.{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:52545"}
[2019-07-12T16:14:08.01Z][DEBUG]-Close and clean up connection.	{"address": "<nil>"}
[2019-07-12T16:14:08.01Z][DEBUG]-Close connection	{"address": "<nil>"}
[2019-07-12T16:14:12.123Z][DEBUG]-Checking if client fingerprint is valid.	{"fingerprint": "d6cc89deb4017c1c07ab8cbf7e71aa561e62342b3ddfb7877fc7c979c43cc110", "clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:12.123Z][DEBUG]-Add an incoming connection.	{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:55259"}
[2019-07-12T16:14:12.123Z][DEBUG]-Added a new client connection.	{"clientId": "lm-connect_Collector1"}
[2019-07-12T16:14:12.123Z][DEBUG]-Connection refused.	{"address": "127.0.0.1:55259", "errorString": "Connection Refused: not authorized"}
[2019-07-12T16:14:12.123Z][DEBUG]-Delete a connection.	{"clientId": "lm-connect_Collector1", "address": "<nil>"}
[2019-07-12T16:14:12.123Z][DEBUG]-Deleted a client connection.	{"address": "<nil>"}
[2019-07-12T16:14:12.123Z][DEBUG]-Removing device connection.	{"clientId": "lm-connect_Collector1", "address": "127.0.0.1:55259"}
[2019-07-12T16:14:12.123Z][DEBUG]-Close and clean up connection.	{"address": "<nil>"}
[2019-07-12T16:14:12.123Z][DEBUG]-Close connection	{"address": "<nil>"}

So it appears the connection is being refused. The python tester (i.e., basicDiscovery.py) output does not indicate this at all.

Why is a connection refused message at the debug level? Seems that's a pretty important message. In any case, it would be nice if the reason for the refusal was logged.

Edited by: memelet on Jul 12, 2019 9:17 AM

memelet
answered 5 years ago
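
The refusals in the GGConnManager.log excerpt above are visible only at DEBUG level, so they are easy to miss. The following Python script is an added example, not part of the thread or of Greengrass: it joins the excerpt's message types on clientId and socket address to list each refused client with the certificate fingerprint it presented. The line layout is assumed from the excerpt; the sample lines, client IDs and fingerprints are constructed.

```python
import json
import re

# Layout seen in the excerpt: [timestamp][LEVEL]-message.{json}; the tab before the JSON is sometimes missing.
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\w+)\]-([^{]*?)\s*(\{.*\})\s*$")

# Constructed sample modelled on the excerpt; client IDs and fingerprints are placeholders.
SAMPLE_LOG = """\
[2019-07-12T16:14:04.989Z][DEBUG]-Checking if client fingerprint is valid.\t{"fingerprint": "00aa11bb", "clientId": "example_Device1"}
[2019-07-12T16:14:04.989Z][DEBUG]-Add an incoming connection.\t{"clientId": "example_Device1", "address": "127.0.0.1:50001"}
[2019-07-12T16:14:04.989Z][DEBUG]-Connection refused.\t{"address": "127.0.0.1:50001", "errorString": "Connection Refused: not authorized"}
[2019-07-12T16:14:05.100Z][DEBUG]-Checking if client fingerprint is valid.\t{"fingerprint": "22cc33dd", "clientId": "example_Device2"}
[2019-07-12T16:14:05.100Z][DEBUG]-Add an incoming connection.{"clientId": "example_Device2", "address": "127.0.0.1:50002"}
[2019-07-12T16:14:05.998Z][DEBUG]-Checking if client fingerprint is valid.\t{"fingerprint": "00aa11bb", "clientId": "example_Device1"}
[2019-07-12T16:14:05.998Z][DEBUG]-Add an incoming connection.\t{"clientId": "example_Device1", "address": "127.0.0.1:50003"}
[2019-07-12T16:14:05.999Z][DEBUG]-Connection refused.\t{"address": "127.0.0.1:50003", "errorString": "Connection Refused: not authorized"}
"""

def parse_line(line):
    """Return (timestamp, message, fields), or None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        fields = json.loads(m.group(4))
    except json.JSONDecodeError:
        return None
    return m.group(1), m.group(3).strip().rstrip("."), fields

def summarize_refusals(log_text):
    """Group 'Connection refused' events by clientId, joined via the socket address."""
    fingerprint_of, client_at, summary = {}, {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg, f = parsed
        if msg == "Checking if client fingerprint is valid":
            fingerprint_of[f.get("clientId")] = f.get("fingerprint")
        elif msg == "Add an incoming connection":
            client_at[f.get("address")] = f.get("clientId")
        elif msg == "Connection refused":
            # The refusal line carries only the address, so map it back to the client.
            client = client_at.get(f.get("address"), "<unknown>")
            entry = summary.setdefault(client, {"count": 0, "reasons": set(), "first": ts})
            entry["count"] += 1
            entry["reasons"].add(f.get("errorString"))
            entry["fingerprint"], entry["last"] = fingerprint_of.get(client), ts
    return summary
```

Comparing the reported fingerprint with the certificate registered for that device in the group shows whether the client is presenting the certificate you expect.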
0

Solved as user error: I was using the wrong certs for the publisher.

Would be really nice if the python basicDiscovery.py would emit an error when it cannot authenticate.

memelet
answered 5 years ago
0

So, it seems the original log in runtime.log -- private key for MqttCertificate is not set -- seems to be a decoy.

memelet
answered 5 years ago
0

Hi memelet,

That error is covered in the Troubleshooting guide.
https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-troubleshooting.html

Thanks,
KR-AWS

AWS
KR-AWS
answered 5 years ago
0

Hi KR-AWS,

Thanks for the link explaining the underlying issue. Something is not right here: the word 'Error' means to me an issue I shall deal with; however, in this case this is not actually an error, just information. It'd be nice to have something more accurate here.

BR / blelump

blelump
answered 4 years ago
0

Hi BR, this issue is logged as a warning ([WARN]-[5]GK Remote: Error retrieving public key data: ErrPrincipalNotConfigured: private key for MqttCertificate is not set), as mentioned here: https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-troubleshooting.html#troubleshoot-mqttcertificate-warning
Do you suggest different ways?

answered 4 years ago
