Just In Time Provisioning (JITP) only works the first time then not anymore

[DumitruTudor]

Describe the bug

I am trying to use JITP scenario for provisioning devices in our company.
We have already tried it on python and it has worked only once after which gives an error that is fully described in this issue and happens to be the same here with the device client: aws/aws-iot-device-sdk-python-v2#531

To Reproduce

Steps to reproduce the behavior:
With a JITP provisioning template created as well as a CA registered in the aws iot console, run the aws-iot-device-client where the config has fleet provisioning turned on.

Expected behavior

The execution of aws-iot-device-client should lead to a thing creation
I should be able to create many key and cert files and provision a thing for each of them.
However when I go to the iot webconsole under Security->Certificates I can see that a new certificates appeared.
However unlike the first one, it sits on pending instead of active.
If I manually set it to active and attach a policy and then rerun the code from above, everything works fine.
However the beauty of JITP should be that it automatically attaches the policy and activates the certificate.

Actual behavior

After the device client is setup with fleet provisioning enabled and the CA is registered in the aws iot web console, running the aws-iot-device-client will give an error like this:

2023-11-28T12:43:29.082Z [ERROR] {SharedCrtResourceManager.cpp}: MQTT Connection failed with error: libaws-c-mqtt: AWS_ERROR_MQTT_UNEXPECTED_HANGUP, The connection was closed unexpectedly.
2023-11-28T12:43:29.082Z [ERROR] {SharedCrtResourceManager.cpp}: *** Did you make sure you are using valid certificate with recommended policy attached to it? Please refer README->Fleet Provisioning Feature section for more details on recommended policies for AWS IoT Device Client. ***
2023-11-28T12:43:29.082Z [ERROR] {SharedCrtResourceManager.cpp}: Failed to establish shared MQTT connection, but will attempt retry...
2023-11-28T12:43:29.082Z [DEBUG] {Retry.cpp}: Retryable function returned unsuccessfully, sleeping for 10000 milliseconds

This error happens before fleet provisioning is ever attempted.

Possible Solution
Probably I misunderstood something about how to use JITP and self signed certificates.
But also the first attempt works the first time as expected.

Environment (please complete the following information):

• OS: Ubuntu
• Version: 20.04
• Architecture: x86-64

Additional context

No response

[HarshGandhi-AWS]

Hello @DumitruTudor , I believe your Fleet Provisioning template does not specify to set the certificate status to Active after provisioning the thing. Please refer to this sample template over here and update your provisioning template to set the certificate status to Active after provisioning/creation. https://github.com/aws/aws-iot-device-sdk-python-v2/

.
.
.
...
"Resources": {
    "certificate": {
      "Properties": {
        "CertificateId": {
          "Ref": "AWS::IoT::Certificate::Id"
        },
        "Status": "Active"
      },
      "Type": "AWS::IoT::Certificate"
    },
    "policy": {
      "Properties": {
        "PolicyName": "FPCertPolicy"
      },
...
.
.
.

Once you set it to active, the service will create the certificate and set it to active by default for all things which are provisioned using your provisioning template.

The documentation itself is self explanatory but if you still have any questions for us then please feel free to reach out to us over here.

Regards,
Harsh Gandhi

[HarshGandhi-AWS]

Hello @DumitruTudor , its been a while since we heard back from you. We will close this issue now. I hope the previous comment answers your question and you are unblocked now.
If you have any other question regarding Device Client or if you are having any trouble using the software then please feel free to reopen this issue or create a new one.

Regards,
Harsh Gandhi