...
When adding a new Infoblox IPAM integration to Cloud Assembly, validating the integration may fail with the following error message:

    Unable to validate the provided access credentials: Failed to validate credentials. AdapterReference: http://provisioningservice.prelude.svc.cluster.local:8282/provisioning/adapter/ipam/endpointconfig. Error: Execution of action Infoblox_ValidateEndpoint failed on provider side: Infoblox HTTP request failed with: HTTPSConnectionPool(host='<FQDN>', port=443): Max retries exceeded with url: /wapi/v2.7/networkview?_return_fields=name (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) Cloud account: null Task: /provisioning/endpoint-tasks/<endpoint_id>
This process fixes the symptom by resolving its root cause, an improper certificate configuration on the Infoblox server side. It is not a workaround.
When establishing the SSL handshake with the Infoblox server, vRA relies on Infoblox to present the complete certificate chain: the server certificate, the intermediate certificate(s) and the CA. Browsers do not have this hard requirement, because the HTTPS RFC allows a server to present only the server certificate; the browser can still build a chain of trust when the intermediate and CA certificates are stored in its own certificate trust store. Python 3.x is more restrictive than browsers and requires the full certificate chain in order to build the chain of trust. Since the vRA Infoblox plugin is based on Python, customers must make sure that their Infoblox appliance is configured to return the whole certificate chain and not just the server certificate.
There are 2 options to resolve this issue.

Option 1

Set the Infoblox.IPAM.DisableCertificateCheck parameter to True and save the endpoint. This disables the SSL certificate checks, so the error no longer appears. From a security perspective, however, this is not the safest option, since it opens the door to MITM attacks.

Option 2

Configure Infoblox to return the full certificate chain, including the intermediate and CA certificates. This is the safest and recommended option.

Procedure

1. Verify that the Infoblox server only returns the server certificate, omitting the rest of the certificate chain, by running the following command:

    openssl s_client -showcerts -connect <hostname>:443

   The response should be similar to the excerpt below:

    mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
    CONNECTED(00000003)
    depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
    verify error:num=21:unable to verify the first certificate
    verify return:1

   Note: The returned server certificate cannot be verified, as shown by the "unable to verify the first certificate" error.

2. Open a client browser and navigate to the Infoblox server domain. In the browser's top right corner, next to the URL, there should be a button to view the certificate chain.

3. Click the Certificate button and check the certificate path. The browser displays the full certificate chain, including the intermediate and CA certificates. If the browser does not display the intermediate certificate and the CA, contact the Infoblox server administrator and ask for the complete chain of signer certificates that were used to sign the Infoblox server CSR.
4. Click every certificate in the Certification Path tab except the server certificate and export it in PEM format:

    Alice Ltd Intermediate CA > View Certificate > Details > Copy to File > Base 64 encoded X.509 (.CER) > Save
    Alice Ltd Root CA > View Certificate > Details > Copy to File > Base 64 encoded X.509 (.CER) > Save

5. Concatenate the intermediate certificate and the CA into a single .pem file. The order in which the certificates are stored within the .pem file is very important: the CA must be the last certificate in the file, with each signer from the chain above it. In our example the Alice Ltd Intermediate CA must come first, followed by the Alice Ltd Root CA. The file should look similar to this:

    -----BEGIN CERTIFICATE-----
    XXXXXXXCA8WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCR0Ix
    EDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0ZDEoMCYGA1UECwwf
    QWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAwwRQWxpY2Ug
    THRkIFJvb3QgQ0EwHhcNMjEwNzEzMDgyNjA1WhcNMzEwNzExMDgyNjA1WjCBgTEL
    MAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0
    ZDEoMCYGA1UECwwfQWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0eTEiMCAG
    A1UEAwwZQWxpY2UgTHRkIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEB
    BQADggIPADCCAgoCggIBAL97flCs7WEUjiBUPYWTNNdnDwvysrstUMWW+lAsQqKN
    QZi06zEi07yC6+jP3gT2vUqHciJM9mZyYoet1/s/O+FUAPG/ZKGWoDPSmuUcUSMp
    zK2Y+nM0mpnFEN8MD/kyCpLbUvQQ51XfmQ9qQdKZLODgdBqyddFRxPBnnvi4MC7A
    MNTTReicoA49GNbGtsM1s3u+ccPfAJlWJdJZf8IIDbPpl+xTW54C1ircLC4WTnQ4
    AgX+6i29592vTTx7ft+d+wtUZ/T20qsbuNkdaro8rIOAbteLGgkC39EWDra0DqYq
    wRxOUqK8gxyl8iBEzNX5uS1mxecFbFBNCxCu3gpUJndghgsvFbgrJ//vJjO8Fpb2
    xQrx0LaVIN4Odp4kOm/W7i8gn50oAuzm4n7H/DEcWOpbXLEhKDEEUKDUlQ44aMei
    F+4KyVHD2HjqcUTg237ImHBzwTK4BgoQs6Yf1oOA0VlS7BoUNGMnrtWfl9IHNbEL
    15l+u4nUMR9fqF/UHM5SRxphLkgbWMZWR+XiISId+SlGVxpobIuGvkT9uS0A8yXq
    9/YEajZM+aRcyKRai8e1lX0sE+dDatgqAu46ANxrjkBGlhOwrdO/VBDH9JhoDMpY
    OLmMMnfm7VznOKvf0FzfYEl0xgwITVPIzuxQ6K6Ss1D/VrWGosaDOZmUvvZBI6X/
    AgMBAAGjZjBkMB0GA1UdDgQWBBQyIfjENiRcF63GfI9+GM7q38s3OTAfBgNVHSME
    GDAWgBTgKQicv8nFNo2E/YuyMq1pgh5idjASBgNVHRMBAf8ECDAGAQH/AgEAMA4G
    A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAShWZiU7vb1W6VHYsiCSh
    AJ+iUCYOfOFBjj2dpFkcRxgCjZ6Vm/ZCTMVm0PQFPx4QTp4Jk3te6WtJQXLqPyFe
    BGTv420EJmt6YE88ydJ7NeUZGm2O+5CgHGQJWGkb7R5BXHlYhpMcHgEnySd9BA4W
    Miqyt/qqvrX7m1GRXLtS2n4lrLAkQXklBV7uNTEPsDpeJpqlFVKJUD180x2dGTFg
    dFwbaSCT8H+x0j21zrh/NtDnlaSg2mAwX/+nMHjKq2JBQpm79+ffxjmNUuDcsk23
    /6mynbahIEfOOZlAmxsi0h36Lct7e+miHifSByJ8iQvPgL+KLbQa6xebLNjqOnIE
    yrGjlRKXZ5IRMV+VicjEbhnLPlLteuTnftV/RdPOm7R0wzvYXYB3Gqruf9ZhN7X0
    lgsvvKX8eIZ/DDJc8kllc0uxgaZGe3VRHuPTrYYvRluEkrU6k17DMgGXHwaDJh1F
    zkcQ4QEM+v0ANysepQNe8QIWC18Cx6zqqUvOfLYniJIwvaypnMJbJx3cL5sr45ah
    45AtvSIDekHL3VJ7J0aipUKBmqqc8ZBLeeUAwo7YRZrAIcFuytWW0YccO4wKTcdT
    w6fiPXnlQ8bguriRd939pDOgXfmHtAd6jXpPR+X5U0kMiYovUhXYoMMoDGFjpdN9
    w+szwROA2xNyJSqP0pXv2CI=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    XXXXXXXCA8ugAwIBAgIUGfziowvZwdob4sf6zEZVMO4kyEEwDQYJKoZIhvcNAQEL
    BQAweTELMAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFs
    aWNlIEx0ZDEoMCYGA1UECwwfQWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0
    eTEaMBgGA1UEAwwRQWxpY2UgTHRkIFJvb3QgQ0EwHhcNMjEwNzEzMDgyMDAzWhcN
    NDEwNzA4MDgyMDAzWjB5MQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDES
    MBAGA1UECgwJQWxpY2UgTHRkMSgwJgYDVQQLDB9BbGljZSBMdGQgQ2VydGlmaWNh
    dGUgQXV0aG9yaXR5MRowGAYDVQQDDBFBbGljZSBMdGQgUm9vdCBDQTCCAiIwDQYJ
    KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMWoAMFYxrtQOeacIL7L2ZbJXul3/nCL
    ArVD1hHkPQp28q/4CxboYoahewum0yDWX26ij6NXX8zxSk1NRncXIfDyYI/+gthx
    67VjYti4sA/N0wetmg2ENeS0BCNpBQXO4SM/Ya+T2g+yP3MFZ/75bMV6/tg6Jkjw
    NhXf1xhjI8KX8coBdAh/SRKBrbtJMBEncEhi2QkK/HtszcSfWxfgnshxDktnuG7j
    Efpw5m3Q8ttFMYM/RRUa03hLWw91N1DQ7O4oY86ueEQBEOyWdwpUu5sb0hn61eTf
    TzusEAz1erfnbHIe09nSTelObzcJetCFNZPbgaa7dsRv6OzMzADx58rDC8chEjGA
    0B+mVKK22r8zvOByI1EmVTQhWt0vRwPiKH2p1eYWzPykZZiAg3YEgCMJQiywo1eD
    HpJ5IFM7jrtgJvvS+xMtwQ9cqXLvpTL/EGx24oTRlZ0qTNDlWLpYUujKkCLEcMey
    WzKFgdqVdkNz+E7E6XcFji4kjkxwqdOvRbtMjf8QCXbyxDgL7YHbbfC2K1DnBg32
    yk1UTGD7N6Z+fcbOnJnHTE5ltFRKamHWW7hDYeUpGVtYG/WZbZfQJgsGhDnyZN4S
    bOSRL5KAbQqHR1g0V0IDlsLrfKYky8fD6UgCVvWGNTp4c+pWfSyLUoZS6ZN68uQN
    hIPcXnrgudIpAgMBAAGjYzBhMB0GA1UdDgQWBBTgKQicv8nFNo2E/YuyMq1pgh5i
    djAfBgNVHSMEGDAWgBTgKQicv8nFNo2E/YuyMq1pgh5idjAPBgNVHRMBAf8EBTAD
    AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAdFvZ0+7D0/Nl
    /VuPrLZ/BDixnc2hQhvhWlimKV5G8wEymx+c9btxvQCqyvS+VxMdg/c5yusx9WJO
    caeGNDgFS62V7TAj8E7hzRFU7JMAeGrcMUPJOxMvZCOcDNSQcp4U3M6eANV6Xz3e
    HUfQ04D2pGHzjCXO0vszl6CwiwU0mlsJHMZLAwEI/znuK3Ja0Nn1KAp6irOMvpE2
    L/gS/wHkeCiaLP9vIHLX1rLXWdusAg0u3PJRw7nJyzUI0z/6qNzInVCKdedcvAHZ
    jY2sbI7gltuwh3tjB4cdeHXBuzQ/Hjf4udzKABbGePdEJ2rHa0jonzQXGW7uJdIr
    xhPNdBRcNMa8auCzsW4AsTKz5XXSIBQvk2TimM3RbTgk9RDILUC806IPbD7iDn2S
    mTWjYRqEtg3ZdVhIOwa0f3rlI8SNjP+mdIkJroJus+EbXHlL+ucf3dq+3h3WMojI
    jbs0pr6JnjtPvHL6GOucWRlKOg5KRdXPGPEINSgbmR/rcPjnMitn9aKyE0g+S4hx
    WXxBH/Ql11ON88am3zC7pvZn8tvml96PxEm24Ra9WuO4FUInZdHUzRxycDw303nm
    /GV2f8dg4yrg3uOd46hk7U/yqm9+gjIFh/Oq/Ha4ixEGszj7f25cAUSfwi4DDJ6+
    aRAibW7f3xUTm9VL+wBnQxMu8NHodNM=
    -----END CERTIFICATE-----

6. Navigate to Infoblox > Grid > Members > Certificates > Manage CA Certificates and upload the newly created .pem file from step 5. You should see the certificates in the popup.
7. Wait 2-3 minutes until Infoblox picks up the changes, then verify that the full certificate chain is now returned by running the following command again:

    openssl s_client -showcerts -connect <hostname>:443

   Example:

    mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
    CONNECTED(00000003)
    depth=2 C = GB, ST = XXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=2 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
    verify return:1
    depth=1 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Intermediate CA
    verify return:1
    depth=0 C = BG, ST = XXXXX, L = XXXXXXX, O = XXXXX, OU = XXXX, CN = <FQDN>
    verify return:1

   Note: As can be seen from the output, the Infoblox appliance now returns the full certificate chain.

8. Navigate to vRA and change Infoblox.IPAM.DisableCertificateCheck to False. Click Validate.
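As an added example that is not part of this KB and not VMware's or Infoblox's code, the following Python script automates the two checks the procedure relies on: the "full chain" requirement from the cause description (steps 1 and 7) and the ordering rule for the .pem file from step 5. It pulls each certificate's subject and issuer out of the DER encoding with a minimal ASN.1 reader, then confirms that every certificate is issued by the one that follows it and that the last one is the self-issued root CA. It can be pointed at a file holding the output of openssl s_client -showcerts, or at the .pem file built in step 5. The sample certificates it builds (fake_cert, the "Alice Ltd ..." names, infoblox.example.test) are constructed placeholders carrying only the fields the checker reads; they are not real certificates, and the script deliberately does not verify signatures or validity periods.

```python
"""Chain-order checker for a PEM bundle such as `openssl s_client -showcerts`
output or the intermediate+CA .pem file uploaded to Infoblox.

A bundle passes when each certificate is issued by the one that follows it
and the last certificate is self-issued (the root CA): server/intermediate(s)
first, CA last, which is the order the Python-based vRA plugin needs.
"""
import base64
import re
import sys
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed DER value into its direct (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def subject_issuer(der: bytes) -> Tuple[bytes, bytes]:
    """Return (subject, issuer) as raw DER Name encodings.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    Comparing raw Name bytes is enough for an order/completeness check.
    """
    _, cert, _ = _read_tlv(der, 0)
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:                # explicit [0] version present
        fields = fields[1:]
    return fields[4][1], fields[2][1]       # subject, issuer


def load_bundle(pem: str) -> List[bytes]:
    """Extract every certificate in a PEM text as DER bytes."""
    return [base64.b64decode(re.sub(r"\s+", "", m)) for m in PEM_RE.findall(pem)]


def check_chain(pem: str) -> List[str]:
    """Return the problems found; an empty list means complete and correctly ordered."""
    names = [subject_issuer(c) for c in load_bundle(pem)]
    if not names:
        return ["no certificates found"]
    if len(names) == 1 and names[0][0] != names[0][1]:
        return ["only the server certificate is presented; intermediate and CA are missing"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "wrong order or a missing signer")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-issued: the root CA is missing from the end")
    return problems


# --- CONSTRUCTED sample input: hypothetical names, no keys, no signatures ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn: str) -> bytes:
    """Name with a single CN (OID 2.5.4.3) attribute."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert(subject_cn: str, issuer_cn: str) -> str:
    """Placeholder holding only the TBS fields the checker reads; not a valid X.509 cert."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("infoblox.example.test", "Alice Ltd Intermediate CA")
INTERMEDIATE = fake_cert("Alice Ltd Intermediate CA", "Alice Ltd Root CA")
ROOT = fake_cert("Alice Ltd Root CA", "Alice Ltd Root CA")

if __name__ == "__main__":
    # With a file argument, check that file (e.g. saved s_client output);
    # otherwise show the step-1 situation (server cert only) and the step-7 one.
    if len(sys.argv) > 1:
        print(check_chain(open(sys.argv[1]).read()) or ["chain complete and correctly ordered"])
    else:
        print("server certificate only:", check_chain(LEAF))
        print("full chain:", check_chain(LEAF + INTERMEDIATE + ROOT) or ["ok"])
```

To run it against a live appliance, save the handshake output first (s_client reads its stdin, so redirect it from /dev/null): openssl s_client -showcerts -connect <hostname>:443 </dev/null > chain.txt, then python3 check_chain.py chain.txt. The step-5 .pem file (intermediate followed by root) also passes the check, while a file with the root placed first is reported as out of order.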