
Questions tagged with Bring your own IP addresses (BYOIP)


EC2 BYOIP: signature couldn't be verified

**The goal**

I am trying to bring my /46 IPv6 prefix to EC2. It is part of a /44 IPv6 assigned to my ASN with the status "ASSIGNED" within the RIPE database. The ROA records have been set, which I could also verify under https://rpki.cloudflare.com/.

**What I did so far**

I have basically followed this doc, yet provisioning fails: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip

When I send the `aws ec2 provision-byoip-cidr` request, the status is `failed-provision` with the message "The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records". The command `whois -r -h whois.ripe.net abcd:efab:cde::/46 | grep descr | grep BEGIN` delivers my certificate successfully.

My request looks like this:

```
#!/bin/sh
text_message="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS"
signed_message=$(echo "$text_message" | tr -d "\n" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
aws ec2 provision-byoip-cidr --cidr abcd:efab:cde::/46 --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region eu-central-1
```

So, I checked the signature:

```
$ echo "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" > file.txt
$ cat file.txt | openssl dgst -sha256 -sign private-key.pem -keyform PEM > rsasign.txt
$ openssl sha256 -verify certificate.pem -signature rsasign.txt file.txt
unable to load key file
```

It only works when I use the public key instead of the certificate:

```
$ openssl sha256 -verify public-key.pem -signature rsasign.txt file.txt
Verified OK
```

I also tried adding just the public key to the inet6num object's descr in the RIPE database, but that results in "No X509 certificate could be found in the Whois remarks", so that won't do it.

**Question: Any ideas on how to bring my IPv6 prefix to AWS?** The linked documentation alone is of no help at this moment.
0 answers | 0 votes | 86 views | asked 5 months ago
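As an added example (not the poster's code, and not from AWS), the complete sign-then-verify round trip in sh: it signs the message the way the poster's request script does, then verifies the encoded signature against the X.509 certificate by extracting the public key first and passing the same RSA-PSS options on the verify side. The private key, certificate and account number are constructed stand-ins, generated in a temporary directory.

```shell
#!/bin/sh
# Added example, not the poster's code: round-trip the BYOIP
# CidrAuthorizationContext signature and verify it against an X.509
# certificate. Key, certificate and account number are constructed.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-ins for the poster's private-key.pem / certificate.pem.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=byoip-example" -keyout "$WORKDIR/private-key.pem" \
        -out "$WORKDIR/certificate.pem" 2>/dev/null
}

# Sign as the poster's script does: SHA-256, RSA-PSS (salt length -1 =
# digest length), base64, then AWS's substitution of '+=/' by '-_~'.
sign_message() {
    printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -sign "$WORKDIR/private-key.pem" -keyform PEM \
        | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# 'openssl dgst -verify' wants a public key, not a certificate, so extract
# the key from the X.509 certificate first. The encoded signature must have
# the character substitution undone before base64 decoding, and the verify
# side needs the same PSS options; a plain PKCS#1 v1.5 verify would fail.
verify_message() {   # $1 = message, $2 = encoded signature; exit 0 if valid
    openssl x509 -in "$WORKDIR/certificate.pem" -pubkey -noout \
        > "$WORKDIR/public-key.pem"
    printf '%s\n' "$2" | tr -- '-_~' '+=/' | openssl base64 -d -A \
        > "$WORKDIR/sig.bin"
    printf '%s' "$1" | openssl dgst -sha256 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -verify "$WORKDIR/public-key.pem" -signature "$WORKDIR/sig.bin" \
        >/dev/null 2>&1
}

MESSAGE="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS"
TAMPERED="1|aws|123456789012|abcd:efab:cde::/46|20230102|SHA256|RSAPSS"

make_test_material
SIGNATURE=$(sign_message "$MESSAGE")
verify_message "$MESSAGE" "$SIGNATURE" && echo "Verified OK against the certificate"
verify_message "$TAMPERED" "$SIGNATURE" || echo "Changed date correctly rejected"
```

The same `openssl x509 -pubkey -noout` extraction applied to the certificate published in the RIR record shows whether the key that signed the request is the one AWS will find there.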