
BYOIP IPv6 /48 fails with “No X509 certificate could be found in the Whois remarks” though ARIN WHOIS & RDAP show PEM (child + parent) and signature verifies

0

Context

  • CIDRs: 2607:6100:a5::/48 (us-west-2), 2607:6100:a4::/48 (us-east-2)
  • Goal: Provision BYOIP IPv6 /48s to EC2.
  • Error: "No X509 certificate could be found in the Whois remarks."

What I've already done

  1. Created child ARIN Net objects for both /48s:
    • a5: NET6-2607-6100-A5-1
    • a4: NET6-2607-6100-A4-1
  2. Pasted a proper multi-line PEM (BEGIN/64-char lines/END) in Public Comments on both child /48 nets and the /32 parent NET6-2607-6100-1. PEM is the first (and only) remarks block.
  3. Removed the RWhois referral (no ReferralServer in parent WHOIS).
  4. Verified my signature locally using the RDAP-served cert’s public key (Verified OK).
  5. Confirmed RDAP + WHOIS child & parent all serve the same PEM as my local file.

Evidence

  • WHOIS child (/48) certificate (BEGIN…END only): (output of) whois -h whois.arin.net "2607:6100:a5::/48" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'

  • WHOIS parent (/32) certificate (BEGIN…END only): whois -h whois.arin.net "NET6-2607-6100-1" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'

  • RDAP remarks (child): curl -s https://rdap.arin.net/registry/ip/2607:6100:a5::/48 | jq '.remarks'

  • Hashes (all identical):
    • LOCAL (my pem body md5): [hash]
    • WHOIS child pem body md5: [hash]
    • WHOIS parent pem body md5: [hash]
    • RDAP child pem body md5: [hash]

  • Signature verification (a5):
    base64 -d signed-amazon-a5.txt > sig.bin
    curl -s https://rdap.arin.net/registry/ip/2607:6100:a5::/48 | jq -r '.remarks[0].description[]' > rdap-cert.pem
    openssl dgst -sha256 -verify <(openssl x509 -in rdap-cert.pem -pubkey -noout) -signature sig.bin amazon-a5.txt
    => Verified OK

  • Current AWS status (us-west-2 for a5):
    aws ec2 describe-byoip-cidrs --region us-west-2 --max-results 100 | jq '.ByoipCidrs[] | select(.Cidr=="2607:6100:a5::/48")'
    => State="failed-provision", StatusMessage="No X509 certificate could be found in the Whois remarks"

  • Same for a4/us-east-2 (after creating the a4 child net and PEM): [paste the single JSON object]

Ask

Could someone from AWS please trigger a backend refresh/re-read of RIR WHOIS/RDAP remarks for these prefixes, or advise if there’s an internal cache/criteria we’re missing? From the evidence above, RDAP and port-43 WHOIS (child and parent) serve a valid PEM that matches the key used to sign the message, and local verification succeeds.

Thank you!

Asked 3 months ago, 32 views
1 answer
0

Based on your detailed information, it appears you've correctly followed the BYOIP process for your IPv6 /48 prefixes but are encountering an error during AWS's validation of your X.509 certificate in the WHOIS remarks.

For ARIN-registered IPv6 addresses, the certificate should be added as a remarks field for your address range. You've confirmed that you've added the proper multi-line PEM certificate (with BEGIN/END markers and proper 64-character line formatting) to both the child /48 objects and the parent /32 object in ARIN's database. You've also verified that the certificate is being properly served via both WHOIS and RDAP queries, and that signature verification works correctly with your local copy.

There are a few potential issues that might be causing this error:

  1. Format of the certificate in remarks: Ensure there are no extra spaces, line breaks, or characters in the certificate as stored in ARIN's database. The certificate must be in the exact expected format.

  2. WHOIS query method: AWS might be using a specific WHOIS query format or endpoint that returns different results than what you're seeing. For ARIN specifically, try verifying your certificate appears when using different query formats.

  3. Propagation delay: There could be a delay in propagation of your WHOIS record changes throughout all ARIN's systems. Although you've verified the certificate appears in your queries, it might not have fully propagated to all systems.

  4. Internal AWS caching: As you suggested, AWS might be caching previous WHOIS query results. In this case, you would need AWS support to refresh their cache or re-read the WHOIS/RDAP remarks for your prefixes.

Since you've verified that the certificate is correctly present in both WHOIS and RDAP, and that signature verification works, this appears to be an issue with how AWS is reading or interpreting the certificate data. I recommend opening a support case with AWS to have them investigate this specific issue, as they may need to trigger a backend refresh of their WHOIS/RDAP cache or address a potential issue in their BYOIP validation process.
Sources
Onboard your address range for use in Amazon EC2 - Amazon Elastic Compute Cloud

Answered 3 months ago
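As an added check for the answer's first point (formatting of the certificate in the remarks), not part of the question or the answer above: a stdlib-only Python script that pulls the first BEGIN..END block out of an RDAP object's `remarks` and lints it for the defects that stop a parser from recognising a certificate (markers not on their own lines, collapsed or padded body lines, invalid base64, decoded bytes not shaped like an X.509 Certificate). The RDAP JSON and the certificate-shaped DER blob are constructed stand-ins, and `extract_pem_from_rdap`, `lint_pem` and `outer_sequence_children` are my own helper names.

```python
import base64, binascii, json, re, textwrap
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def extract_pem_from_rdap(rdap_json):  # first BEGIN..END block in RDAP 'remarks' (ARIN Public Comments), else None
    text = "\n".join(l for r in json.loads(rdap_json).get("remarks", []) for l in r.get("description", []))
    m = re.search(re.escape(BEGIN) + r".*?" + re.escape(END), text, re.S)
    return m.group(0) if m else None

def _tlv(buf, pos):  # DER element at pos -> (start, end) of its value; handles long-form lengths
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + n
def outer_sequence_children(der):  # a Certificate is a SEQUENCE of exactly 3 (tbs, sigAlg, sigValue); -1 if malformed
    try:
        pos, end = _tlv(der, 0)
        if der[0] != 0x30 or end != len(der):
            return -1  # not a SEQUENCE, truncated, or trailing bytes
        count = 0
        while pos < end:
            pos, count = _tlv(der, pos)[1], count + 1
        return count
    except IndexError:
        return -1

def lint_pem(pem):  # formatting defects that stop a remarks block being recognised as a cert ([] = clean)
    problems, lines = [], pem.splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return ["BEGIN/END markers missing or not on their own lines"]
    body = lines[1:-1]
    for i, line in enumerate(body, 1):
        if line != line.strip():
            problems.append(f"body line {i}: leading/trailing whitespace")
        elif len(line) > 64 or (len(line) < 64 and i != len(body)):
            problems.append(f"body line {i}: {len(line)} chars, expected 64")
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    if outer_sequence_children(der) != 3:
        problems.append("decoded bytes are not a Certificate (SEQUENCE of 3)")
    return problems

# Constructed stand-in shaped like a Certificate (SEQUENCE of 3 with a long-form length); NOT a real signed cert.
SAMPLE_DER = (b"\x30\x81\x91" + b"\x30\x03\x02\x01\x01" + b"\x30\x05\x06\x03\x2a\x03\x04"
              + b"\x03\x81\x82\x00" + b"\xab" * 129)
GOOD_PEM = "\n".join([BEGIN] + textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64) + [END])
# Constructed RDAP-style JSON mimicking the 'remarks' shape rdap.arin.net returns for Public Comments
RDAP_OK = json.dumps({"remarks": [{"title": "Registration Comments", "description": GOOD_PEM.splitlines()}]})
_lines = GOOD_PEM.splitlines()
_lines[1:3] = [_lines[1] + _lines[2]]  # two body lines collapsed into one, as a reflowed paste would do
RDAP_COLLAPSED = json.dumps({"remarks": [{"description": _lines}]})
```

Point `extract_pem_from_rdap` at the JSON from `curl -s https://rdap.arin.net/registry/ip/<prefix>` to lint the block ARIN actually serves, then check the real certificate with `openssl x509 -noout -text` as the question already does.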
