- Connection issues
  - Greengrass does not connect to AWS at all
- Deployment issues
  - Deployment is received but fails with PKIX error
- TODO
  - How do I run a debugger on my deployed functions?
Connection issues
Greengrass does not connect to AWS at all
TL;DR - if rootCA.pem is missing, download Amazon Root CA 1 and put it in the Greengrass v2 root directory as rootCA.pem.
If Greengrass never connects to AWS IoT and does not show up in the console, look for an entry in the greengrass.log file in the logs directory that looks like this:
[ERROR] com.aws.greengrass.lifecyclemanager.KernelExceptionHandler: uncaught-exception. {thread=Thread[pool-2-thread-7,5,main]}
software.amazon.awssdk.crt.CrtRuntimeException: aws_tls_ctx_options_override_default_trust_store_from_path failed (aws_last_error: AWS_ERROR_FILE_INVALID_PATH(44), Invalid file path.) UNKNOWN(-1)
Usually this means that the rootCA.pem file specified as the rootCaPath variable in the YAML configuration file is missing.
The AWS IoT server authentication page has more details and links to the CAs. The correct CA to use is "RSA 2048 bit key: Amazon Root CA 1".
Deployment issues
Deployment is received but fails with PKIX error
TL;DR - replace the rootCA.pem file with Amazon Root CA 1.
If you are trying to do a deployment to Greengrass V2 and it is failing, look for an entry in the greengrass.log file in the logs directory that looks like this:
software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Usually this means that the rootCA.pem file specified as the rootCaPath variable in the YAML configuration file is pointing to the certificate for the Verisign CA instead of the Amazon root CAs. The issue with using the Verisign CA is that data plane connections to AWS IoT will still work, but data plane connections to the Greengrass endpoint (greengrass-ats.*) and other services will fail.
The AWS IoT server authentication page has more details and links to the CAs. The correct CA to use is "RSA 2048 bit key: Amazon Root CA 1".
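
Both failures above are diagnosed from the same log, so this added example (not part of the original page or of Greengrass itself) classifies the most recent rootCA-related entry in greengrass.log and cross-checks the missing-file case against the file system. The function names, verdict strings and the filler log line are this example's own; the two signatures are substrings of the log entries quoted above.

```shell
#!/bin/sh
# Added example: classify the two rootCA.pem failures described on this page.
# Signatures are substrings of the greengrass.log entries quoted above.
MISSING_SIG='aws_tls_ctx_options_override_default_trust_store_from_path failed'
PKIX_SIG='PKIX path building failed'

# diagnose_root_ca LOG_FILE ROOT_CA_FILE   (hypothetical helper name)
# Prints one verdict; the body runs in a subshell so its variables stay local.
diagnose_root_ca() (
    log_file=$1; root_ca=$2
    if [ ! -r "$log_file" ]; then
        echo "log-unreadable"
    else
        # Only the most recent matching entry reflects the current state.
        last=$(grep -F -e "$MISSING_SIG" -e "$PKIX_SIG" "$log_file" | tail -n 1)
        case $last in
            *"$MISSING_SIG"*)
                # The log may predate a fix, so confirm against the file itself.
                if [ -s "$root_ca" ]; then echo "stale-missing-entry"
                else echo "missing-root-ca"; fi ;;
            *"$PKIX_SIG"*) echo "wrong-root-ca" ;;   # likely not Amazon Root CA 1
            *) echo "no-known-signature" ;;
        esac
    fi
)

# Constructed sample log: a missing-CA crash, then a later PKIX failure.
write_sample_log() {
    cat > "$1" <<'EOF'
[ERROR] com.aws.greengrass.lifecyclemanager.KernelExceptionHandler: uncaught-exception. {thread=Thread[pool-2-thread-7,5,main]}
software.amazon.awssdk.crt.CrtRuntimeException: aws_tls_ctx_options_override_default_trust_store_from_path failed (aws_last_error: AWS_ERROR_FILE_INVALID_PATH(44), Invalid file path.) UNKNOWN(-1)
[INFO] constructed filler line, not real Greengrass output
software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF
}

# With two arguments, check real paths; otherwise run on the constructed log.
if [ "$#" -eq 2 ]; then
    diagnose_root_ca "$1" "$2"
else
    demo_dir=$(mktemp -d)
    write_sample_log "$demo_dir/greengrass.log"
    diagnose_root_ca "$demo_dir/greengrass.log" "$demo_dir/rootCA.pem"
    rm -rf "$demo_dir"
fi
```

Pass the real log path and the rootCaPath value from the YAML configuration as the two arguments. To confirm which CA a present file actually holds, `openssl x509 -in rootCA.pem -noout -subject` prints its subject, which should name Amazon Root CA 1.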