EC2 outbound requests are in IPv6 causing connection timeout if server doesn't have AAAA record

acw

I created an AWS VPC and security group with the necessary outbound rules and routes to an internet gateway for IPv4 and IPv6. I created an autoscaling group, but the important part is I have an Ubuntu 22 EC2 instance that can run wget https://google.com properly:

ubuntu@ip-10-0-0-0:~$ wget https://google.com
--2023-03-20 20:43:26--  https://google.com/
Resolving google.com (google.com)... 2607:f8b0:4004:c06::66, 2607:f8b0:4004:c06::64, 2607:f8b0:4004:c06::8b, ...
Connecting to google.com (google.com)|2607:f8b0:4004:c06::66|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2023-03-20 20:43:27--  https://www.google.com/
Resolving www.google.com (www.google.com)... 2607:f8b0:4004:c1b::69, 2607:f8b0:4004:c1b::67, 2607:f8b0:4004:c1b::93, ...
Connecting to www.google.com (www.google.com)|2607:f8b0:4004:c1b::69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.4’

index.html.4                        [ <=>                                                 ]  13.90K  --.-KB/s    in 0s      

2023-03-20 20:43:27 (184 MB/s) - ‘index.html.4’ saved [14231]

but it can't connect to a website that doesn't have an AAAA record or one that accepts IPv6 like stackoverflow: https://ready.chair6.net/?url=https%3A%2F%2Fstackoverflow.com

It just hangs:

wget https://stackoverflow.com
--2023-03-20 20:45:40--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 64:ff9b::9765:4145, 64:ff9b::9765:145, 64:ff9b::9765:c145, ...
Connecting to stackoverflow.com (stackoverflow.com)|64:ff9b::9765:4145|:443... 

Eventually it'll get there, but I'm not sure how to fix it. I feel like I've covered all the ground... (The reason this is an issue is that the AWS CodeDeploy agent isn't able to validate the SSL certificate; here's that error:

2023-03-20 19:44:32 INFO  [codedeploy-agent(13669)]: master 13669: Spawned child 1/1
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: On Premises config file does not exist or not readable
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:33 INFO  [codedeploy-agent(13669)]: Started master 13669 with 1 children
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControl: Error during certificate verification on codedeploy endpoint https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: Error validating the SSL configuration: Invalid server certificate
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: booting child: error during start or run: SystemExit - Stopping CodeDeploy agent due to SSL validation error. - /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `abort'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `validate'
/opt/codedeploy-agent/lib/instance_agent/agent/base.rb:11:in `runner'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:32:in `block in prepare_run'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:31:in `prepare_run'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:64:in `block in prepare_run_with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:63:in `prepare_run_with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:20:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:206:in `block in spawn_child'

The EC2 instance has an assigned public IPv4 address and IPv6 address, and it's in a public subnet. Does anyone have ideas on what could be going wrong? Greatly appreciate it :)

  • Another option I'm thinking about is figuring out how to just completely disable IPv6 outbound requests while still being able to accept IPv6 inbound via my network + application load balancer.
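As an added diagnostic example (not from the question, the answers, or AWS), the script below parses the wget "Resolving" lines quoted in the question and separates native IPv6 answers from DNS64-synthesized ones under the RFC 6052 well-known prefix 64:ff9b::/96, which is where all of the stackoverflow.com answers fall; such addresses only reach their destination through a NAT64 path, so finding them in a resolver's answers is the first thing to check when connections to them hang. The sample lines are copied from the question; the function names are my own.

```python
import ipaddress
import re

# RFC 6052 well-known prefix; DNS64 resolvers (AWS subnet DNS64 included)
# synthesize AAAA answers under it by embedding the IPv4 address in the low 32 bits.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample input: the two "Resolving" lines from the wget runs in the question.
SAMPLE_LINES = [
    "Resolving google.com (google.com)... 2607:f8b0:4004:c06::66, 2607:f8b0:4004:c06::64, 2607:f8b0:4004:c06::8b, ...",
    "Resolving stackoverflow.com (stackoverflow.com)... 64:ff9b::9765:4145, 64:ff9b::9765:145, 64:ff9b::9765:c145, ...",
]

_RESOLVING = re.compile(r"^Resolving (\S+) \(\S+\)\.\.\. (.*)$")


def parse_resolving(line):
    """Return (host, [addresses]) from a wget 'Resolving' line, dropping the trailing '...'."""
    m = _RESOLVING.match(line)
    if not m:
        return None
    addrs = [a.strip() for a in m.group(2).split(",")]
    return m.group(1), [a for a in addrs if a and a != "..."]


def embedded_ipv4(addr):
    """IPv4 address carried in the low 32 bits of a 64:ff9b::/96 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


def classify(host, addrs):
    """Label each answer: native IPv6, DNS64-synthesized (needs a NAT64 route), or plain IPv4.

    ipv4_targets lists the real IPv4 endpoints, whether given directly or embedded."""
    kinds, ipv4_targets = set(), []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version == 4:
            kinds.add("ipv4")
            ipv4_targets.append(a)
        elif ip in NAT64_PREFIX:
            kinds.add("dns64")
            ipv4_targets.append(embedded_ipv4(a))
        else:
            kinds.add("native")
    return {"host": host, "kinds": sorted(kinds), "ipv4_targets": ipv4_targets}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(*parse_resolving(line)))
```

A result whose kinds are only "dns64" means the resolver has DNS64 turned on and every packet to that host must traverse a NAT64 gateway; if none is routed from the subnet, the connect hangs exactly as in the stackoverflow.com run.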
acw

Not a complete answer, but I just turned off auto-assign IPv6 on my public subnet and re-ran CodeDeploy.

Tim
Disabling IPv6 is a workaround rather than a solution. Your question isn't really very clear; if you want an answer that works with IPv6, you'll need to provide more detail about the problem.