With the IP detector (emphasis added):
$ echo | openssl s_client -showcerts -connect 127.0.0.1:8883 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
83:2c:d1:07:9f:ae:ea:b6:9a:4f:6d:f1:ac:95:4c:90:69:53:b9:82
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon.com Inc., OU = Amazon Web Services, ST = Washington, L = Seattle, CN = 541589084637:a2002849-467d-44e7-b3a1-a2e4f91077e8
Validity
Not Before: Nov 4 22:01:41 2020 GMT
Not After : Nov 11 22:01:41 2020 GMT
Subject: C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., OU = Amazon Web Services, CN = ec2_Core
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cf:73:33:be:67:04:6f:64:7c:59:dd:c1:29:98:
df:47:6a:5e:b8:ac:c4:8d:43:68:52:0c:8f:0d:0a:
06:80:d6:62:01:24:cc:0b:b7:0a:e1:fb:ec:68:77:
14:f1:b3:49:53:94:69:2f:ec:0c:48:74:25:96:c6:
b1:4c:df:27:eb:42:80:56:69:8b:3c:76:6c:04:74:
d2:85:fa:fb:43:7f:ca:5a:3f:39:b0:1d:ae:8c:37:
34:da:65:59:2e:dd:7e:7d:ca:56:3a:80:66:39:a4:
fa:95:52:d3:63:69:7c:58:29:76:e7:b4:b9:2c:5a:
19:6d:e3:44:43:09:33:2e:2b:ec:de:9c:55:15:d9:
80:d3:20:bd:83:5e:26:b4:c2:a1:3d:fa:84:66:de:
ba:67:4c:f6:a1:9f:9d:da:89:4f:35:4e:a7:26:53:
a0:e7:5d:54:3f:1e:80:42:35:4a:e1:78:ac:e6:0d:
94:b5:b8:ed:cd:86:ec:5b:ab:6b:5a:ce:58:b0:44:
4a:d3:15:9f:0e:49:67:b3:a7:4f:55:1f:8f:2f:2b:
cb:bd:ff:1b:8f:b4:e1:d2:67:82:7d:28:7b:12:1d:
2d:db:5a:35:01:e7:56:8a:47:98:0d:65:cf:ce:31:
46:46:0a:5a:14:79:8f:65:d8:6e:69:1a:26:ed:69:
42:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:DF:F6:B2:0D:9D:C4:01:EA:54:03:2E:B5:DA:1C:7C:38:0D:40:EC:4C
DirName:/C=US/O=Amazon.com Inc./OU=Amazon Web Services/ST=Washington/L=Seattle/CN=541589084637:a2002849-467d-44e7-b3a1-a2e4f91077e8
serial:84:4A:E6:B7:05:87:81:4B:56:C5:9D:08:C4:13:8A:F9:A9:A0:8F:57
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A3:20:A1:4F:52:0F:2B:4B:06:E6:FE:77:B0:3D:5D:6D:28:D0:10:A2
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, IP Address:172.17.0.1, IP Address:172.31.83.184, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:14C3:22FF:FE17:1395
Signature Algorithm: sha256WithRSAEncryption
03:1b:6f:be:b3:40:c7:e3:dd:6c:21:f5:e2:89:ee:ad:81:87:
d1:58:c0:a9:e7:f5:7e:d1:60:53:66:ee:3c:7f:e6:03:4f:11:
9e:32:29:3a:f0:85:d4:ec:28:f9:7b:61:9d:a8:63:9f:a2:94:
74:c5:23:c7:2b:a9:d6:c3:72:f9:24:b5:df:68:16:93:a8:49:
44:ea:fb:e3:01:a9:8e:8e:c6:38:59:0d:67:91:29:2b:04:1f:
4e:09:4f:cd:11:ad:12:a2:2f:0a:de:5f:23:a4:e0:9f:87:17:
0b:dc:4b:bc:b6:68:8c:92:27:9d:36:e2:14:d9:9a:93:8a:6f:
41:68:73:4d:a4:f4:8e:14:5d:bf:51:8d:a0:d6:fb:ec:54:dc:
34:21:c7:be:43:dd:4f:ef:f0:24:da:ff:05:87:e3:35:26:0f:
d2:43:26:fd:8f:3c:43:b5:67:10:fd:88:cd:2b:22:9f:b3:75:
b3:9e:5a:b4:95:77:99:52:20:e3:28:aa:49:9b:92:14:96:24:
37:67:a3:49:48:5d:ab:f4:47:9f:17:51:3e:e2:7e:d0:53:7f:
66:26:15:13:2c:27:94:28:ff:7b:a7:f9:d0:cf:96:fe:92:17:
17:ca:ee:01:36:86:86:04:90:f2:1f:b6:bd:16:bd:e9:18:8f:
0c:c7:b2:bf
Without the IP detector, openssl s_client actually fails to connect, so openssl x509 has no certificate to parse:
$ echo | openssl s_client -showcerts -connect 127.0.0.1:8883 2>/dev/null | openssl x509 -inform pem -noout -text
unable to load certificate
140682443964864:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
This is because Greengrass isn't even listening on port 8883, as we can see by using netstat:
$ netstat -an | grep LISTEN | grep tcp
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
If this happens, your Greengrass group may not have the IP detector enabled (set to manual endpoint configuration), or the IP detector may be failing (too many IPs). Try setting "Local connection detection" to "Automatically detect and override connection information" in the group configuration and then do a redeployment. After the redeployment finishes, the IP should be updated.
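The two checks above (is anything listening on the port, and which IPs does the core's certificate list) can be scripted so they run after each redeployment. This is an added example, not part of the original page; the function names are hypothetical and the sample inputs are excerpts of the output shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Sample inputs are excerpts of
# the output shown above: the SAN lines of the working certificate and the
# netstat listing from the failing case.
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:172.17.0.1, IP Address:172.31.83.184, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:14C3:22FF:FE17:1395
    Signature Algorithm: sha256WithRSAEncryption'
SAMPLE_NETSTAT='tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN'

# san_ips: read `openssl x509 -noout -text` output on stdin and print every
# IP Address entry of the Subject Alternative Name extension, one per line.
san_ips() {
    awk '
        /X509v3 Subject Alternative Name/ { in_san = 1; next }
        in_san {
            n = split($0, parts, ", *")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                sub(/^[ \t]+/, "", entry)
                if (sub(/^IP Address:/, "", entry)) print entry
            }
            in_san = 0
        }'
}

# san_has_ip IP: succeed if IP is one of the SAN entries (case-insensitive,
# so IPv6 addresses match however the hex digits are cased).
san_has_ip() { san_ips | grep -Fxqi -- "$1"; }

# port_listening PORT: read `netstat -an` output on stdin and succeed if a
# TCP socket is in LISTEN state on PORT (the local address is column 4).
port_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit !found }'
}

# diagnose IP PORT CERT_TEXT NETSTAT_TEXT: print not-listening, ok, or
# ip-not-in-san, checking the listener first as the page does.
diagnose() {
    if ! printf '%s\n' "$4" | port_listening "$2"; then echo "not-listening"
    elif printf '%s\n' "$3" | san_has_ip "$1"; then echo "ok"
    else echo "ip-not-in-san"; fi
}
```

Against a live core, pipe the page's `openssl s_client ... | openssl x509 -inform pem -noout -text` command into `san_has_ip` and `netstat -an` into `port_listening`. The SAN comparison is textual, so an IPv6 address has to be given in the expanded form openssl prints (`0:0:0:0:0:0:0:1`, not `::1`).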