
BYOIP results in "No X509 certificate could be found in the Whois remarks"

0

So I'm trying to bring an IP block to EC2 and I receive this error when checking the status.

    aws ec2 describe-byoip-cidrs --region us-east-1 --max-results 10
    {
        "ByoipCidrs": [
            {
                "Cidr": "xyz.xyz.xyz.0/24",
                "AsnAssociations": [],
                "StatusMessage": "No X509 certificate could be found in the Whois remarks",
                "State": "failed-provision"
            }
        ]
    }

Doing a whois -a ipblock gives me this:

    remarks: ****************************
    remarks: * THIS OBJECT IS MODIFIED
    remarks: * Please note that all data that is generally regarded as personal
    remarks: * data has been removed from this object.
    remarks: * To view the original object, please query the ARIN Database at:
    remarks: * http://www.arin.net/
    remarks: ****************************

But if I do whois -h whois.arin.net r + ipblock, it does show the certificate in the comment:

Any idea?

2 Answers
0

The issue you're experiencing is related to how AWS verifies control over the IP address range you're trying to bring into EC2 using BYOIP (Bring Your Own IP).

When you use BYOIP with AWS, one of the methods to verify control of the IP address range is through an X.509 self-signed certificate. This certificate should be included in the RDAP (Registry Data Access Protocol) record for your IP range.

The error message "No X509 certificate could be found in the Whois remarks" suggests that AWS is unable to find the required X.509 certificate in the RDAP record when querying the Regional Internet Registry (RIR) database.

The fact that you can see the certificate when using the command whois -h whois.arin.net r + ipblock indicates that the certificate is present in ARIN's (American Registry for Internet Numbers) database. However, AWS may be using a different method or source to query this information, which is not returning the certificate.

To resolve this issue, you should:

  1. Ensure that the X.509 self-signed certificate is properly added to the RDAP record for your IP range.
  2. Verify that the certificate is visible in the public RDAP query results, not just in ARIN's specific query.
  3. Double-check that the certificate meets AWS's requirements for BYOIP verification.
  4. If the issue persists, you may need to contact AWS support for further assistance, as there might be a discrepancy between what's visible in ARIN's database and what AWS can access through its verification process.

Remember that changes to RDAP records may take some time to propagate, so you might need to wait a while after making any updates before trying the BYOIP process again.
Sources
Bring your own IP addresses (BYOIP) to Amazon EC2 - Amazon Elastic Compute Cloud
ByoipCidr - Amazon Elastic Compute Cloud

answered a year ago
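One way to carry out the check in step 2 of the answer above, as an added example that is not part of the original answer or of AWS's tooling: it scans the `remarks` of a saved RDAP JSON record for a PEM certificate, accepting both a multi-line and a single-line layout. It assumes the RFC 9083 layout (`remarks` entries with `description` arrays); the function names and all sample records are constructed for illustration, and the check is structural only (PEM armor, valid base64, DER SEQUENCE tag), not full X.509 validation.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def find_certificates(rdap_obj):
    """Return the DER bytes of each PEM certificate found in the remarks
    of an RDAP object. Structural check only, no X.509 validation."""
    found = []
    for remark in rdap_obj.get("remarks", []):
        # A remark's description is a list of lines; the PEM may span several.
        text = "\n".join(remark.get("description", []))
        for body in PEM_RE.findall(text):
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                continue  # armor present but the body is damaged
            if der[:1] == b"\x30":  # DER SEQUENCE tag opens a certificate
                found.append(der)
    return found

# Constructed sample data: not a real certificate, not real registry output.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
B64 = base64.b64encode(FAKE_DER).decode()

# Mirrors the redacted view in the question: remarks exist, no certificate.
REDACTED = {"objectClassName": "ip network", "remarks": [{"description": [
    "* THIS OBJECT IS MODIFIED",
    "* data has been removed from this object."]}]}
# Certificate spread over several remark lines.
WITH_CERT = {"objectClassName": "ip network", "remarks": [{"description": [
    "-----BEGIN CERTIFICATE-----", B64[:4], B64[4:],
    "-----END CERTIFICATE-----"]}]}
# Certificate pasted as one line with the newlines removed.
ONE_LINE = {"objectClassName": "ip network", "remarks": [{"description": [
    "-----BEGIN CERTIFICATE-----" + B64 + "-----END CERTIFICATE-----"]}]}
# Armor is present but the body is not valid base64.
DAMAGED = {"objectClassName": "ip network", "remarks": [{"description": [
    "-----BEGIN CERTIFICATE-----", "not*base64",
    "-----END CERTIFICATE-----"]}]}

if __name__ == "__main__":
    for name, record in [("redacted", REDACTED), ("multi-line", WITH_CERT),
                         ("one-line", ONE_LINE), ("damaged", DAMAGED)]:
        print(f"{name}: {len(find_certificates(record))} certificate(s) found")
```

To use it on a real range, load the saved RDAP response with `json.load` and pass the resulting dict to `find_certificates`; an empty list matches the situation the status message describes.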
0

Everything got checked and is OK on my end.

answered a year ago
