Copyright ©

Mongoose OS Forum

ATTENTION! This forum has moved to:

Do not post any new messages.

AWS Greengrass

Has anyone tried to connect to AWS Greengrass instead of directly to AWS?


  • Any feedback on Greengrass

  • SergeySergey Dublin, Ireland
    edited June 2017

    Yes, we are working with AWS IoT team, and can confirm that devices running Mongoose OS successfully connect to GreenGrass.
    Do you have more specific question? Could you elaborate on your project please?

  • My thinking is to configure the device first to aws iot as usual. Then change the mqtt address to the local greengrass IP address. I was not successful so far with it. Is there any additional things to do to make it connect directly to greengrass
  • Use case is alarm security panel with local intelligence and escalation of alarms only when the security system is armed
  • SergeySergey Dublin, Ireland
    edited June 2017

    You need to bootstrap from AWS IoT, which should give you a certificate to connect to the GG core.
    First, provision your device to AWS IoT. Then, copy this to init.js and change relevant parameters:

    let path = 'gg.json';
    let ggca = 'ggca.pem';
    // Those certs are on a device after AWS IoT onboarding
    let cert = 'XXXX-certificate.pem.crt';
    let key = 'XXXX-private.pem.key';
    // Change YOUR_DEVICE_THING and the aws iot endpoint
    let url = '
    // mos call GG.Config
    // trigger discovery
    RPC.addHandler('GG.Config', function(args) {
      print('Configuring GG, file', path);
        url: url,
        cert: cert,
        key: key,
        success: function(x, y) {
          File.write(x, path);            // Save full AWS IoT reply
          let obj = JSON.parse(x);
          File.write(obj.GGGroups[0].CAs[0], ggca);    // Save GG CA
          print('Success,', path, ggca, 'written.');
        error: function(x) {
          print('Error', x);
      return true;
    // mos call GG.Connect
    // trigger GG connection
    RPC.addHandler('GG.Connect', function(args) {
      let s =;
      let obj = JSON.parse(s);
      let ar = obj.GGGroups[0].Cores[0].Connectivity;
      for (let i = 0; i < ar.length; i++) {
        let addr = ar[i].HostAddress;
        print('  Got node:', addr);
        if (addr.length < 7 || addr.length > 15 || addr === '') {
        print('Using ', addr);
        // Hack to save mqtt config
        let s ='conf9.json');
        let obj = JSON.parse(s);
        if (!obj.mqtt) obj.mqtt = {};
        obj.mqtt.enable = true;
        obj.mqtt.server = addr + ':' + JSON.stringify(ar[i].PortNumber);
        obj.mqtt.ssl_ca_cert = ggca;
        obj.mqtt.ssl_cert = cert;
        obj.mqtt.ssl_key = key;
        File.write(JSON.stringify(obj), 'conf9.json');
        print('GG configured, reboot now');
      return true;

    When done, you can mos call GG.Config and mos call GG.Connect

  • Thanks for the instruction. It did not work 100% for me. Based on your java script I downloaded the cert of the Greengrass to Linux machine. First I downloaded the Private and Public key to my linux machine home drive (mos get ). Then I ran the following command

    curl --key mycert.key.pem --cert mycert.crt.pem
    (Note you need to replace the THingsname and endpoint according to your things specifics.)
    This will give a lot of information including the CA cert. Cut and paste from -----BEGIN CERTIFICATE----- to "-----END CERTIFICATE-----" (including those words to a file name ggca.pem.

    Now modify conf9.json mqtt area like below (Only changes are "server" with your IP address of Greengrass and ssl_ca_cert with ggca.pem

    "mqtt": {
    "server": "",
    "ssl_cert": "aws-iot-XXXXXXX.crt.pem",
    "ssl_key": "aws-iot-eXXXXXXX.key.pem",
    "ssl_ca_cert": "ggca.pem"

  • SergeySergey Dublin, Ireland


    Did you make it to work?

  • Yes it's working great. One I upload the greengrass CA cert thing worked perfectly. Thanks for the support. Looks like AWS going to have cli based access to greengrass CA info soon
  • SergeySergey Dublin, Ireland

    Awesome, thanks.
    Could you elaborate on the project you're working on, please?

  • I am working on a home automation/security project where I like to make some decisions locally and only escalate that event to the cloud only when needed. For example house motion sensors will trigger all the time but till household arm the system those mqtt messages does not need to go to the cloud
  • TonBTonB Eindhoven
    edited July 2017

    My MQTT config initially had the line:

    "ssl_cipher_suites": "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"

    in it. This caused the following error in the Greengrass logs (connection_manager.log):

    [ERROR] - MQTT message decoding error: unable to decode received MQTT message. tls: no cipher suite supported by both client and server

    I removed the line, and the error disappeared. Now I'm stuck with:

    [ERROR] - MQTT QoS Error: Greengrass does not support QoS 1.

    The device tries to log to the devicename/log subject. I'll have to switch off logging over MQTT, OR have that logging done using QoS 0?? Is that possible?

    I'm setting the log topics to empty "stdout_topic": "", "stderr_topic": "" to suppress logging. The QoS error remains. Is it the shadow update that's using QoS 1?

  • SergeySergey Dublin, Ireland

    Set debug.stderr_topic="" and debug.stdout_topic="" to disable logging over MQTT. You can also rpc.mqtt.enable=false to disable RPC over MQTT.

    mOS uses qos=1 by default, if GG does not like that try another qos, you'd need to rebuild the app.

  • TonBTonB Eindhoven

    I rebuilt mOS with qos 0, and I see no more errors, but shadow updates are not happening. Anyone had any luck with getting shadows to work through Greengrass?

  • Hello guys,

    I'm working on AWS Greengrass on Mongoose OS, can somebody tell me what are the steps (from very basic)?
    And is it possible to implement it on ESP32?


  • can anybody help me please?

  • does anybody know how to deploy certificates generated by AWS Greengrass on ESP to connect it to the AWS GG?
    Any help really appreciated.

  • @keivan, use mos aws-iot-setup --aws-enable-greengrass

  • @dimonomid, Thank you so much man.
    I've done that. it defines thing on aws cloud and also gives the device 2 certificates to the device. I download them to my Ubuntu 16.04 Linux machine.
    I use curl --key xxxx.key.pem --cert xxxx.crt.pem, but it doesn't give me CA.
    How can I get CA? what is the next step?

  • according to nice debug console of Mongoose, debug.level=3, board got the following error when tries to connect to Greengrass:
    AWS Greengrass reply: {"message":"Forbidden","traceId":"bc57e9a5-bc3a-447f-55a6-46231b157d70"}
    Any help and suggestion really appreciated.

  • TonBTonB Eindhoven
    edited January 2018

    @keivan To make the discovery service work, you have to attach the greengrass:Discover policy to the client certificate. Go to the AWS IoT console, select Secure, then Certificates, and find the certificate as referenced in your curl statement. If you don't have a policy document with the right statements in it, you'd best create a new one (I'd leave the mos-default untouched). Make sure the following entry is in the Statements list:

      "Effect": "Allow",
      "Action": [
      "Resource": [

    This should enable the discovery data download. Note that the response contains much more than just the CA certificate. I extract the certificate into a PEM file using the JQ tool (
    My script to do this is:

    set certificate=aws-iot-xxx.crt.pem
    set certificateKey=aws-iot-xxx.key.pem
    set endpoint=
    set outputCAcert=ca-discovery.pem
    curl -k --cert %certificate% --cert-type PEM --key %certificateKey% --key-type PEM %endpoint% | jq-win64 -r .GGGroups[0].CAs[0] > %outputCAcert%

    Note that the script breaks if you have more than one group or more than one CA. Also, the mongoose library will perform the discovery by itself. To trigger that, mqtt.enable should be set to false in the config, and aws.greengrass.enable to true.

  • jazibjazib Islambad

    I followed above mentioned instruction, and successfully get my greengrass core ip and core certificate.

    But my mqtt connection can't be establish. I am gettig this error in my log.
    mgos_mqtt_ev MQTT TCP connect ok (0)
    mgos_mqtt_ev MQTT CONNACK 5
    mgos_mqtt_ev MQTT Disconnect
    mqtt_global_reconnec MQTT connecting after 7505 ms
    Now what should i do?

  • dzhagrdzhagr Capitola

    I've tried to use shadows with Greengrass with no success. Simply because of this check:

    The question to everybody: is anyone aware of any plans to fix that?

  • @TonB & @dzhagr

    I am also having this problem, I believe. I did the orginal AWS IoT install, which worked fine. I got the GGC's CA and added it ti ca.pem and MQTT does successfully connect to my GGC, but I see the "MQTT is not configured for AWS, not initialising shadow" message and now shadow updates go through either direction. I would be great if this could be fixed, or is there something else I need to do?

  • flipyflipy Barcelona
    edited February 24

    I'd like to share my current status, which despite of not fully working, it did help me understand how mongoose implementes AWS IoT GreenGrass Core connections.

    My first attemps to connect were using mos aws-iot-setup --aws-region $AWSREGION --aws-enable-greengrass.
    It did work and I could see shadows going thru AWS IoT console.

    However, I wanted to use GreenGrass core to be able to work with information before pushing it out.
    Following what most people have stated here and changing the mqtt.server to my local GreenGrass device and mqtt.ssl_ca_cert -- which can be obtained by running openssl s_client -connect $MYIP:$MYPORT -showcerts or by fetching it from AWS IoT's GreenGrass core information -- it led to a non-working environment since MQTT client will not connect nor display an error message.

    Next step was to configure AWS GreenGrass manually, by first registering the device on AWS IoT and adding it to the GreenGrass Group, download certificates and, once the device could connect to the internet, running the following command -- assuming the certificate and key file are already stored on the filesystem of the device, either by being on the fs directory or by issuing mos put $FILE -- mos config-set mqtt.enable=false mqtt1.enable=false aws.greengrass.enable=true mqtt.ssl_ca_cert="ca.pem" mqtt.ssl_cert="$MYDEVICE.crt.pem" mqtt.ssl_key="$MYDEVICE.key.pem" mqtt.server="$".
    After the device rebooted, I noticed that mqtt.server got updated to the private IP of the GreenGrass Core device and mqtt.ssl_ca_cert got renamed to aws-gg-ca.pem and contained the valid CA for the GreenGrass Core device; and finally mqtt.enabled got updated with true.
    However, it is still not working since I am getting the following error while booting the device mgos_aws_shadow.c:571 MQTT is not configured for AWS, not initialising shadow -- due to having mqtt.enable=true.
    From the GreenGrass Core log, I can see the following messages:
    [ERROR]-MQTT message decoding error: unable to decode received MQTT message. read tcp $GEENGRASSCOREIP:8883->$DEVICEIP:38524: read: connection reset by peer which I suspect is due to wrong agreement of SSL cipher suites;
    but right after I get [INFO]-Added a new connection DEVICEID(mqtt) to the table. which leads to believe it has been connected successfully.
    Lastly, I cannot get any shadow pushed to the cloud even if it is set to do so.

    If mqtt.enable is set to false, as this is how it was working when connecting directly to GreenGrass, the device tries to discover itself from GreenGrass:
    mgos_aws_greengrass:180 AWS Greengrass connecting to https://GREENGRASSCOREIP:8443/greengrass/discover/thing/DEVICEID.

    I might have missed or misunderstood some guidelines, and any hint would be greatly appreciated.

Sign In or Register to comment.