Public bug reported:

If needed, I can provide more exact steps to reproduce this, but hopefully this will be sufficient. Note that following identical steps with Ubuntu 20.04 results in a working configuration.

Launch an ec2 instance using the latest version of the Ubuntu AMI as returned by this query:

    aws ec2 describe-images --filters Name=architecture,Values=x86_64 Name=virtualization-type,Values=hvm Name=name,Values="ubuntu/images/*22.04-amd64-server-*" Name=block-device-mapping.volume-type,Values=gp2 --owners 099720109477

At this moment, that is ami-09db26f1ef0a9f406 in my region, us-east-1.

Send public key:

    aws ec2-instance-connect send-ssh-public-key --availability-zone us-east-1a --instance-id i-abcdexample --instance-os-user ubuntu --ssh-public-key file:///home/user/.ssh/id_rsa.pub

(Note: results are identical with .ssh/id_ed25519.pub)

Attempt ssh ubuntu@ip-addr

On the instance, /var/log/auth.log reports a failure.

    May 25 18:57:25 ip-10-98-1-66 sshd[1549]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:abcdefgexample failed, status 2

Running the failed command as root on the instance shows:

    C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
    error 89 at 4 depth lookup: Basic Constraints of CA cert not marked critical
    C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
    error 92 at 4 depth lookup: CA cert does not include key usage extension
    error /dev/shm/eic-7MlPua7W/cert.pem: verification failed

I'm not sure where this certificate comes from, what's enforcing the key usage extension, etc. I haven't investigated further other than to verify that it's the same whether I use my RSA key or my ed25519 key (in fact, either way, my ssh client offers both keys, I see two log messages, and they both fail the same way) and to verify that it does work on Ubuntu 20.04.

Also tried: apt update; apt dist-upgrade; reboot to ensure everything is up to date, verifying that ca-certificates is installed.

If I use a keypair, I can log in just fine.
To reproduce this for above, I launched the instance with a key pair, then moved .ssh/authorized_keys out of the way to see the failure.

Please let me know if there's any other information I should supply or anything else you would like me to try.

** Affects: ec2-instance-connect (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1975740

Title:
  ec2-instance-connect fails with cert validation on ubuntu 22.04
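
A triage helper for the two artifacts quoted in this report: the sshd AuthorizedKeysCommand failure line and the certificate verification output, which has the format printed by `openssl verify`. This is an added example, not part of the original bug report or of ec2-instance-connect; the function names and the second auth.log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the report above.
AUTH_LOG = """\
May 25 18:57:25 ip-10-98-1-66 sshd[1549]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:abcdefgexample failed, status 2
May 25 18:57:31 ip-10-98-1-66 sshd[1549]: Accepted publickey for ubuntu from 10.98.1.5 port 50022 ssh2
"""
VERIFY_OUTPUT = """\
C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
error 89 at 4 depth lookup: Basic Constraints of CA cert not marked critical
C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
error 92 at 4 depth lookup: CA cert does not include key usage extension
error /dev/shm/eic-7MlPua7W/cert.pem: verification failed
"""

AKC_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: AuthorizedKeysCommand (?P<cmd>\S+) (?P<user>\S+) "
    r"(?P<fp>\S+) failed, status (?P<status>\d+)")
VERIFY_ERR = re.compile(r"^error (?P<code>\d+) at (?P<depth>\d+) depth lookup: (?P<reason>.+)$")

def akc_failures(log_text):
    """Return one dict per sshd AuthorizedKeysCommand failure line."""
    return [m.groupdict() for m in map(AKC_FAIL.search, log_text.splitlines()) if m]

def verify_errors(output):
    """Group verification errors by (depth, subject) of the offending certificate."""
    grouped, subject = defaultdict(list), None
    for line in output.splitlines():
        m = VERIFY_ERR.match(line)
        if m:
            grouped[(int(m["depth"]), subject)].append((int(m["code"]), m["reason"]))
        elif not line.startswith("error "):
            subject = line.strip()  # a subject line precedes the error it belongs to
    return dict(grouped)

def summarize(log_text, output):
    """Pair each failed key lookup with the chain depths that failed verification."""
    errs = verify_errors(output)
    return [{"user": f["user"], "fingerprint": f["fp"], "status": int(f["status"]),
             "failing_depths": sorted({d for d, _ in errs})} for f in akc_failures(log_text)]

if __name__ == "__main__":
    for (depth, subject), items in verify_errors(VERIFY_OUTPUT).items():
        print(f"depth {depth}: {subject}")
        for code, reason in items:
            print(f"  error {code}: {reason}")
    print(summarize(AUTH_LOG, VERIFY_OUTPUT))
```

Grouping by depth shows that both errors come from the same certificate at depth 4 of the chain, not from the certificate at depth 0.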