AWS IoT Greengrass debugging notes

Connection issues

Greengrass does not connect to AWS at all

TL;DR - if rootCA.pem is missing, download Amazon Root CA 1 and put it in the Greengrass v2 root directory as rootCA.pem

If Greengrass never connects to AWS IoT and does not show up in the console, look in the greengrass.log file in the logs directory for an entry that looks like this:

[ERROR] com.aws.greengrass.lifecyclemanager.KernelExceptionHandler: uncaught-exception. {thread=Thread[pool-2-thread-7,5,main]}
software.amazon.awssdk.crt.CrtRuntimeException: aws_tls_ctx_options_override_default_trust_store_from_path failed (aws_last_error: AWS_ERROR_FILE_INVALID_PATH(44), Invalid file path.) UNKNOWN(-1)

Usually this means that the rootCA.pem file specified as the rootCaPath variable in the YAML configuration file is missing.

The AWS IoT server authentication page has more details and links to the CAs. The correct CA to use is "RSA 2048 bit key: Amazon Root CA 1".

Deployment issues

Deployment is received but fails with PKIX error

TL;DR - replace the rootCA.pem file with Amazon Root CA 1

If a deployment to Greengrass V2 is failing, look in the greengrass.log file in the logs directory for an entry that looks like this:

software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Usually this means that the rootCA.pem file specified as the rootCaPath variable in the YAML configuration file points to the certificate for the Verisign CA instead of the Amazon root CAs. The issue with using the Verisign CA is that data plane connections to AWS IoT will still work, but data plane connections to the Greengrass endpoint (greengrass-ats.*) and other services will fail.

The AWS IoT server authentication page has more details and links to the CAs. The correct CA to use is "RSA 2048 bit key: Amazon Root CA 1".
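A triage helper for the two log signatures above, added here as an example and not part of the original notes or of Greengrass itself. The function names, finding labels and the sample config path are assumptions; the check confirms only that the rootCaPath file is a readable PEM certificate, not that it is Amazon Root CA 1.

```python
import re

# Log signatures quoted in the two sections above, mapped to the cause given there.
SIGNATURES = {
    "AWS_ERROR_FILE_INVALID_PATH": "missing-root-ca",   # never connects
    "PKIX path building failed": "wrong-root-ca",       # deployment fails
}
ROOT_CA_KEY = re.compile(
    r'^[ \t]*rootCaPath[ \t]*:[ \t]*["\']?([^"\'#\n]+?)["\']?[ \t]*(?:#.*)?$', re.M)

def root_ca_path(config_text):
    """Return the rootCaPath value from the YAML config text, or None."""
    match = ROOT_CA_KEY.search(config_text)
    return match.group(1).strip() if match else None

def looks_like_pem_cert(path):
    """True if the file is readable and holds a PEM certificate block.
    This does not prove the certificate is Amazon Root CA 1."""
    try:
        with open(path, "r", errors="replace") as handle:
            data = handle.read()
    except OSError:
        return False
    return "-----BEGIN CERTIFICATE-----" in data and "-----END CERTIFICATE-----" in data

def triage(log_lines, config_text):
    """Return sorted findings from greengrass.log lines and the config text."""
    findings = set()
    for line in log_lines:
        for needle, cause in SIGNATURES.items():
            if needle in line:
                findings.add(cause)
    path = root_ca_path(config_text)
    if path is None:
        findings.add("rootCaPath-not-set")
    elif not looks_like_pem_cert(path):
        findings.add("root-ca-file-unreadable")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: config path is hypothetical, log line shortened from above.
    sample_config = 'system:\n  rootCaPath: "/greengrass/v2/rootCA.pem"\n'
    sample_log = ["CrtRuntimeException: ... AWS_ERROR_FILE_INVALID_PATH(44), Invalid file path."]
    print(triage(sample_log, sample_config))
```

A "wrong-root-ca" finding with no file finding matches the PKIX case: the file is present and well-formed but is not the CA the Greengrass endpoint chains to.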

TODO

How do I run a debugger on my deployed functions?