
Mongoose OS Forum


AWS Greengrass

Has anyone tried to connect to AWS Greengrass instead of directly to AWS?


  • Any feedback on Greengrass

  • Sergey, Dublin, Ireland
    edited June 2017

    Yes, we are working with the AWS IoT team, and can confirm that devices running Mongoose OS successfully connect to Greengrass.
    Do you have a more specific question? Could you elaborate on your project please?

  • My thinking is to configure the device first for AWS IoT as usual, then change the MQTT address to the local Greengrass IP address. I was not successful with it so far. Are there any additional things to do to make it connect directly to Greengrass?
  • The use case is an alarm security panel with local intelligence and escalation of alarms only when the security system is armed.
  • Sergey, Dublin, Ireland
    edited June 2017

    You need to bootstrap from AWS IoT, which should give you a certificate to connect to the GG core.
    First, provision your device to AWS IoT. Then, copy this to init.js and change relevant parameters:

    load('api_rpc.js');
    load('api_http.js');
    load('api_file.js');

    let path = 'gg.json';
    let ggca = 'ggca.pem';
    // Those certs are on a device after AWS IoT onboarding
    let cert = 'XXXX-certificate.pem.crt';
    let key = 'XXXX-private.pem.key';
    // Change YOUR_DEVICE_THING and the aws iot endpoint
    let url = '';  // set this to the Greengrass discovery URL of YOUR_DEVICE_THING
    // mos call GG.Config
    // trigger discovery
    RPC.addHandler('GG.Config', function(args) {
      print('Configuring GG, file', path);
      HTTP.query({
        url: url,
        cert: cert,
        key: key,
        success: function(x, y) {
          File.write(x, path);            // Save full AWS IoT reply
          let obj = JSON.parse(x);
          File.write(obj.GGGroups[0].CAs[0], ggca);    // Save GG CA
          print('Success,', path, ggca, 'written.');
        },
        error: function(x) {
          print('Error', x);
        }
      });
      return true;
    });
    // mos call GG.Connect
    // trigger GG connection
    RPC.addHandler('GG.Connect', function(args) {
      let s = File.read(path);            // Reply saved by GG.Config
      let obj = JSON.parse(s);
      let ar = obj.GGGroups[0].Cores[0].Connectivity;
      for (let i = 0; i < ar.length; i++) {
        let addr = ar[i].HostAddress;
        print('  Got node:', addr);
        if (addr.length < 7 || addr.length > 15 || addr === '') {
          continue;                       // Too short or too long for a dotted IPv4 address
        }
        print('Using ', addr);
        // Hack to save mqtt config
        let s = File.read('conf9.json');
        let obj = JSON.parse(s);
        if (!obj.mqtt) obj.mqtt = {};
        obj.mqtt.enable = true;
        obj.mqtt.server = addr + ':' + JSON.stringify(ar[i].PortNumber);
        obj.mqtt.ssl_ca_cert = ggca;
        obj.mqtt.ssl_cert = cert;
        obj.mqtt.ssl_key = key;
        File.write(JSON.stringify(obj), 'conf9.json');
        print('GG configured, reboot now');
      }
      return true;
    });

    When done, you can mos call GG.Config and mos call GG.Connect

  • Thanks for the instruction. It did not work 100% for me. Based on your JavaScript, I downloaded the cert of the Greengrass to a Linux machine. First I downloaded the private and public key to my Linux machine's home drive (mos get ). Then I ran the following command:

    curl --key mycert.key.pem --cert mycert.crt.pem
    (Note: you need to replace the Thingsname and endpoint according to your thing's specifics.)
    This will give a lot of information, including the CA cert. Cut and paste from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (including those words) to a file named ggca.pem.

    Now modify the conf9.json mqtt area like below. (The only changes are "server", with the IP address of your Greengrass, and ssl_ca_cert, with ggca.pem.)

    "mqtt": {
      "server": "",
      "ssl_cert": "aws-iot-XXXXXXX.crt.pem",
      "ssl_key": "aws-iot-eXXXXXXX.key.pem",
      "ssl_ca_cert": "ggca.pem"
    }

  • Sergey, Dublin, Ireland


    Did you make it to work?

  • Yes, it's working great. Once I uploaded the Greengrass CA cert, things worked perfectly. Thanks for the support. Looks like AWS is going to have CLI-based access to Greengrass CA info soon.
  • Sergey, Dublin, Ireland

    Awesome, thanks.
    Could you elaborate on the project you're working on, please?

  • I am working on a home automation/security project where I would like to make some decisions locally and escalate an event to the cloud only when needed. For example, house motion sensors will trigger all the time, but until the household arms the system those MQTT messages do not need to go to the cloud.
  • TonB, Eindhoven
    edited July 2017

    My MQTT config initially had the line:

    "ssl_cipher_suites": "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"

    in it. This caused the following error in the Greengrass logs (connection_manager.log):

    [ERROR] - MQTT message decoding error: unable to decode received MQTT message. tls: no cipher suite supported by both client and server

    I removed the line, and the error disappeared. Now I'm stuck with:

    [ERROR] - MQTT QoS Error: Greengrass does not support QoS 1.

    The device tries to log to the devicename/log subject. I'll have to switch off logging over MQTT, OR have that logging done using QoS 0?? Is that possible?

    I'm setting the log topics to empty "stdout_topic": "", "stderr_topic": "" to suppress logging. The QoS error remains. Is it the shadow update that's using QoS 1?

  • Sergey, Dublin, Ireland

    Set debug.stderr_topic="" and debug.stdout_topic="" to disable logging over MQTT. You can also set rpc.mqtt.enable=false to disable RPC over MQTT.

    mOS uses qos=1 by default; if GG does not like that, try another qos. You'd need to rebuild the app.

  • TonB, Eindhoven

    I rebuilt mOS with qos 0, and I see no more errors, but shadow updates are not happening. Anyone had any luck with getting shadows to work through Greengrass?

  • Hello guys,

    I'm working on AWS Greengrass on Mongoose OS, can somebody tell me what are the steps (from very basic)?
    And is it possible to implement it on ESP32?


  • Can anybody help me please?

  • Does anybody know how to deploy certificates generated by AWS Greengrass on ESP to connect it to the AWS GG?
    Any help really appreciated.

  • @keivan, use mos aws-iot-setup --aws-enable-greengrass

  • @dimonomid, Thank you so much man.
    I've done that. It defines the thing on the AWS cloud and also gives the device 2 certificates. I downloaded them to my Ubuntu 16.04 Linux machine.
    I use curl --key xxxx.key.pem --cert xxxx.crt.pem, but it doesn't give me the CA.
    How can I get the CA? What is the next step?

  • According to the nice debug console of Mongoose, with debug.level=3, the board got the following error when it tried to connect to Greengrass:
    AWS Greengrass reply: {"message":"Forbidden","traceId":"bc57e9a5-bc3a-447f-55a6-46231b157d70"}
    Any help and suggestion really appreciated.

  • TonB, Eindhoven
    edited January 2018

    @keivan To make the discovery service work, you have to attach the greengrass:Discover policy to the client certificate. Go to the AWS IoT console, select Secure, then Certificates, and find the certificate as referenced in your curl statement. If you don't have a policy document with the right statements in it, you'd best create a new one (I'd leave the mos-default untouched). Make sure the following entry is in the Statements list:

      {
        "Effect": "Allow",
        "Action": ["greengrass:Discover"],
        "Resource": ["<YOUR_RESOURCE_ARN>"]
      }

    This should enable the discovery data download. Note that the response contains much more than just the CA certificate. I extract the certificate into a PEM file using the JQ tool (
    My script to do this is:

    set certificate=aws-iot-xxx.crt.pem
    set certificateKey=aws-iot-xxx.key.pem
    set endpoint=
    set outputCAcert=ca-discovery.pem
    curl -k --cert %certificate% --cert-type PEM --key %certificateKey% --key-type PEM %endpoint% | jq-win64 -r .GGGroups[0].CAs[0] > %outputCAcert%

    Note that the script breaks if you have more than one group or more than one CA. Also, the mongoose library will perform the discovery by itself. To trigger that, mqtt.enable should be set to false in the config, and aws.greengrass.enable to true.
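
The GG.Connect handler and the jq one-liner in this thread both read only `GGGroups[0]` and `CAs[0]`. As an added example (not code from any poster or from Mongoose OS), the following Node.js script, run on a workstation, parses a discovery reply that has several groups and CAs; the function names and the sample reply are constructed for illustration, and only reply fields that appear on this page are used.

```javascript
// Constructed sample reply; only fields that appear on this page are included.
const SAMPLE_REPLY = JSON.stringify({ GGGroups: [
  { Cores: [{ Connectivity: [
      { HostAddress: 'fe80::1', PortNumber: 8883 },
      { HostAddress: '192.168.1.20', PortNumber: 8883 }] }],
    CAs: ['-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n'] },
  { Cores: [{ Connectivity: [{ HostAddress: '10.0.0.5', PortNumber: 8883 }] }],
    CAs: ['-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n',
          '-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n'] }
] });

// Strict dotted-quad test, in place of a length check on the address string.
function isIPv4(addr) {
  if (typeof addr !== 'string') return false;
  const parts = addr.split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// One entry per group: every CA of the group in one PEM bundle, plus its
// usable IPv4 endpoints as "host:port" strings.
function parseDiscovery(text) {
  const reply = JSON.parse(text);
  if (!Array.isArray(reply.GGGroups) || reply.GGGroups.length === 0) {
    throw new Error('discovery reply contains no GGGroups');
  }
  return reply.GGGroups.map((group, index) => {
    const cas = (group.CAs || [])
      .filter(ca => typeof ca === 'string' && ca.includes('BEGIN CERTIFICATE'));
    if (cas.length === 0) throw new Error('group ' + index + ' has no CA');
    const endpoints = [];
    for (const core of group.Cores || []) {
      for (const c of core.Connectivity || []) {
        const port = Number(c.PortNumber);
        if (isIPv4(c.HostAddress) && Number.isInteger(port) && port > 0 && port < 65536) {
          endpoints.push(c.HostAddress + ':' + port);
        }
      }
    }
    return { caBundle: cas.map(ca => ca.trim() + '\n').join(''), endpoints };
  });
}

// The mqtt section of conf9.json as shown in this thread (file names are the caller's).
function mqttConfig(group, caFile, certFile, keyFile) {
  if (group.endpoints.length === 0) throw new Error('no usable IPv4 endpoint');
  return { enable: true, server: group.endpoints[0],
           ssl_ca_cert: caFile, ssl_cert: certFile, ssl_key: keyFile };
}
```

Write each group's `caBundle` to the file named in `ssl_ca_cert`, so the device validates the core against every CA the group advertises.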

  • jazib, Islamabad

    I followed the above-mentioned instructions and successfully got my Greengrass core IP and core certificate.

    But my MQTT connection can't be established. I am getting this error in my log:
    mgos_mqtt_ev MQTT TCP connect ok (0)
    mgos_mqtt_ev MQTT CONNACK 5
    mgos_mqtt_ev MQTT Disconnect
    mqtt_global_reconnec MQTT connecting after 7505 ms
    Now what should I do?

  • dzhagr, Capitola

    I've tried to use shadows with Greengrass with no success. Simply because of this check:

    The question to everybody: is anyone aware of any plans to fix that?

  • @TonB & @dzhagr

    I am also having this problem, I believe. I did the original AWS IoT install, which worked fine. I got the GGC's CA and added it to ca.pem, and MQTT does successfully connect to my GGC, but I see the "MQTT is not configured for AWS, not initialising shadow" message and no shadow updates go through in either direction. It would be great if this could be fixed, or is there something else I need to do?
