vRA Cloud Infoblox Plugin throws a certificate chain error during authentication process

Article ID: 327416

Products

VMware Aria Suite

Issue/Introduction

This process fixes the symptom by resolving the root cause.

This is not a workaround.

This process fixes an improper configuration on the Infoblox server side.

Symptoms:
When adding a new Infoblox IPAM integration to Cloud Assembly, validating the integration may fail with the following error message:
    Unable to validate the provided access credentials: Failed to validate credentials. AdapterReference: http://provisioningservice.prelude.svc.cluster.local:8282/provisioning/adapter/ipam/endpointconfig. Error: Execution of action Infoblox_ValidateEndpoint failed on provider side: Infoblox HTTP request failed with: HTTPSConnectionPool(host='<FQDN>', port=443): Max retries exceeded with url: /wapi/v2.7/networkview?_return_fields=name (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) Cloud account: null Task: /provisioning/endpoint-tasks/<endpoint_id>

Cause

When establishing the SSL handshake with the Infoblox server, vRA relies on Infoblox to present the complete certificate chain: the server certificate, the intermediate certificate(s) and the CA.

This is not a hard requirement for browsers: the HTTPS RFC allows a server to present only the server certificate, and a chain of trust can still be built if the intermediate and CA certificates are already stored in the browser's certificate trust store.

However, Python 3.x is more restrictive than browsers, as it requires the full certificate chain in order to build the chain of trust. Since the vRA Infoblox plugin is based on Python, customers must make sure that their Infoblox appliance is configured to return the whole certificate chain and not just the server certificate.

Resolution

There are two options to resolve this issue.

Option 1

Set the Infoblox.IPAM.DisableCertificateCheck parameter to True and save the endpoint.

This disables the SSL certificate checks, so the error no longer occurs. However, from a security perspective this is not the safest option, since it opens the door to MITM attacks.

Option 2

Configure Infoblox to return the full certificate chain, including intermediate and CA.
This is the safest and recommended option.

Procedure

  1. Verify that the Infoblox server returns only the server certificate, omitting the rest of the certificate chain, by running the following command
    openssl s_client -showcerts -connect <hostname>:443
  2. Verify that the response is similar to the excerpt below
    mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
    CONNECTED(00000003)
    depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
    verify error:num=21:unable to verify the first certificate
    verify return:1

Note: Notice that the returned server certificate cannot be verified, as shown by the "unable to verify the first certificate" error.

  1. Open a browser and navigate to the Infoblox server domain. In the browser, next to the URL, there is a button to view the certificate chain.
  2. Click on the Certificate button and check the certificate path.
  3. The browser displays the full certificate chain, including the intermediate and the CA.
    If the browser does not display the intermediate certificate and the CA, contact the Infoblox server administrator and ask them to provide the complete chain of signer certificates that were used to sign the Infoblox server CSR.

  4. Click on every certificate from the Certification Path tab except the server certificate and export it in PEM format:
    Alice Ltd Intermediate CA > View Certificate > Details > Copy to File > Base 64 encoded X.509 (.CER) > Save
    Alice Ltd Root CA > View Certificate > Details > Copy to File > Base 64 encoded X.509 (.CER) > Save
  5. Concatenate the intermediate certificate and the CA into a single .pem file. The order of the certificates within the .pem file is very important: the root CA must be last in the file, with each signer from the chain above it.
    In our example the Alice Ltd Intermediate CA must be first, followed by the Alice Ltd Root CA. It should look similar to
    -----BEGIN CERTIFICATE-----
    XXXXXXXCA8WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCR0Ix
    EDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0ZDEoMCYGA1UECwwf
    QWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAwwRQWxpY2Ug
    THRkIFJvb3QgQ0EwHhcNMjEwNzEzMDgyNjA1WhcNMzEwNzExMDgyNjA1WjCBgTEL
    MAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0
    ZDEoMCYGA1UECwwfQWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0eTEiMCAG
    A1UEAwwZQWxpY2UgTHRkIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEB
    BQADggIPADCCAgoCggIBAL97flCs7WEUjiBUPYWTNNdnDwvysrstUMWW+lAsQqKN
    QZi06zEi07yC6+jP3gT2vUqHciJM9mZyYoet1/s/O+FUAPG/ZKGWoDPSmuUcUSMp
    zK2Y+nM0mpnFEN8MD/kyCpLbUvQQ51XfmQ9qQdKZLODgdBqyddFRxPBnnvi4MC7A
    MNTTReicoA49GNbGtsM1s3u+ccPfAJlWJdJZf8IIDbPpl+xTW54C1ircLC4WTnQ4
    AgX+6i29592vTTx7ft+d+wtUZ/T20qsbuNkdaro8rIOAbteLGgkC39EWDra0DqYq
    wRxOUqK8gxyl8iBEzNX5uS1mxecFbFBNCxCu3gpUJndghgsvFbgrJ//vJjO8Fpb2
    xQrx0LaVIN4Odp4kOm/W7i8gn50oAuzm4n7H/DEcWOpbXLEhKDEEUKDUlQ44aMei
    F+4KyVHD2HjqcUTg237ImHBzwTK4BgoQs6Yf1oOA0VlS7BoUNGMnrtWfl9IHNbEL
    15l+u4nUMR9fqF/UHM5SRxphLkgbWMZWR+XiISId+SlGVxpobIuGvkT9uS0A8yXq
    9/YEajZM+aRcyKRai8e1lX0sE+dDatgqAu46ANxrjkBGlhOwrdO/VBDH9JhoDMpY
    OLmMMnfm7VznOKvf0FzfYEl0xgwITVPIzuxQ6K6Ss1D/VrWGosaDOZmUvvZBI6X/
    AgMBAAGjZjBkMB0GA1UdDgQWBBQyIfjENiRcF63GfI9+GM7q38s3OTAfBgNVHSME
    GDAWgBTgKQicv8nFNo2E/YuyMq1pgh5idjASBgNVHRMBAf8ECDAGAQH/AgEAMA4G
    A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAShWZiU7vb1W6VHYsiCSh
    AJ+iUCYOfOFBjj2dpFkcRxgCjZ6Vm/ZCTMVm0PQFPx4QTp4Jk3te6WtJQXLqPyFe
    BGTv420EJmt6YE88ydJ7NeUZGm2O+5CgHGQJWGkb7R5BXHlYhpMcHgEnySd9BA4W
    Miqyt/qqvrX7m1GRXLtS2n4lrLAkQXklBV7uNTEPsDpeJpqlFVKJUD180x2dGTFg
    dFwbaSCT8H+x0j21zrh/NtDnlaSg2mAwX/+nMHjKq2JBQpm79+ffxjmNUuDcsk23
    /6mynbahIEfOOZlAmxsi0h36Lct7e+miHifSByJ8iQvPgL+KLbQa6xebLNjqOnIE
    yrGjlRKXZ5IRMV+VicjEbhnLPlLteuTnftV/RdPOm7R0wzvYXYB3Gqruf9ZhN7X0
    lgsvvKX8eIZ/DDJc8kllc0uxgaZGe3VRHuPTrYYvRluEkrU6k17DMgGXHwaDJh1F
    zkcQ4QEM+v0ANysepQNe8QIWC18Cx6zqqUvOfLYniJIwvaypnMJbJx3cL5sr45ah
    45AtvSIDekHL3VJ7J0aipUKBmqqc8ZBLeeUAwo7YRZrAIcFuytWW0YccO4wKTcdT
    w6fiPXnlQ8bguriRd939pDOgXfmHtAd6jXpPR+X5U0kMiYovUhXYoMMoDGFjpdN9
    w+szwROA2xNyJSqP0pXv2CI=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    XXXXXXXCA8ugAwIBAgIUGfziowvZwdob4sf6zEZVMO4kyEEwDQYJKoZIhvcNAQEL
    BQAweTELMAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFs
    aWNlIEx0ZDEoMCYGA1UECwwfQWxpY2UgTHRkIENlcnRpZmljYXRlIEF1dGhvcml0
    eTEaMBgGA1UEAwwRQWxpY2UgTHRkIFJvb3QgQ0EwHhcNMjEwNzEzMDgyMDAzWhcN
    NDEwNzA4MDgyMDAzWjB5MQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDES
    MBAGA1UECgwJQWxpY2UgTHRkMSgwJgYDVQQLDB9BbGljZSBMdGQgQ2VydGlmaWNh
    dGUgQXV0aG9yaXR5MRowGAYDVQQDDBFBbGljZSBMdGQgUm9vdCBDQTCCAiIwDQYJ
    KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMWoAMFYxrtQOeacIL7L2ZbJXul3/nCL
    ArVD1hHkPQp28q/4CxboYoahewum0yDWX26ij6NXX8zxSk1NRncXIfDyYI/+gthx
    67VjYti4sA/N0wetmg2ENeS0BCNpBQXO4SM/Ya+T2g+yP3MFZ/75bMV6/tg6Jkjw
    NhXf1xhjI8KX8coBdAh/SRKBrbtJMBEncEhi2QkK/HtszcSfWxfgnshxDktnuG7j
    Efpw5m3Q8ttFMYM/RRUa03hLWw91N1DQ7O4oY86ueEQBEOyWdwpUu5sb0hn61eTf
    TzusEAz1erfnbHIe09nSTelObzcJetCFNZPbgaa7dsRv6OzMzADx58rDC8chEjGA
    0B+mVKK22r8zvOByI1EmVTQhWt0vRwPiKH2p1eYWzPykZZiAg3YEgCMJQiywo1eD
    HpJ5IFM7jrtgJvvS+xMtwQ9cqXLvpTL/EGx24oTRlZ0qTNDlWLpYUujKkCLEcMey
    WzKFgdqVdkNz+E7E6XcFji4kjkxwqdOvRbtMjf8QCXbyxDgL7YHbbfC2K1DnBg32
    yk1UTGD7N6Z+fcbOnJnHTE5ltFRKamHWW7hDYeUpGVtYG/WZbZfQJgsGhDnyZN4S
    bOSRL5KAbQqHR1g0V0IDlsLrfKYky8fD6UgCVvWGNTp4c+pWfSyLUoZS6ZN68uQN
    hIPcXnrgudIpAgMBAAGjYzBhMB0GA1UdDgQWBBTgKQicv8nFNo2E/YuyMq1pgh5i
    djAfBgNVHSMEGDAWgBTgKQicv8nFNo2E/YuyMq1pgh5idjAPBgNVHRMBAf8EBTAD
    AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAdFvZ0+7D0/Nl
    /VuPrLZ/BDixnc2hQhvhWlimKV5G8wEymx+c9btxvQCqyvS+VxMdg/c5yusx9WJO
    caeGNDgFS62V7TAj8E7hzRFU7JMAeGrcMUPJOxMvZCOcDNSQcp4U3M6eANV6Xz3e
    HUfQ04D2pGHzjCXO0vszl6CwiwU0mlsJHMZLAwEI/znuK3Ja0Nn1KAp6irOMvpE2
    L/gS/wHkeCiaLP9vIHLX1rLXWdusAg0u3PJRw7nJyzUI0z/6qNzInVCKdedcvAHZ
    jY2sbI7gltuwh3tjB4cdeHXBuzQ/Hjf4udzKABbGePdEJ2rHa0jonzQXGW7uJdIr
    xhPNdBRcNMa8auCzsW4AsTKz5XXSIBQvk2TimM3RbTgk9RDILUC806IPbD7iDn2S
    mTWjYRqEtg3ZdVhIOwa0f3rlI8SNjP+mdIkJroJus+EbXHlL+ucf3dq+3h3WMojI
    jbs0pr6JnjtPvHL6GOucWRlKOg5KRdXPGPEINSgbmR/rcPjnMitn9aKyE0g+S4hx
    WXxBH/Ql11ON88am3zC7pvZn8tvml96PxEm24Ra9WuO4FUInZdHUzRxycDw303nm
    /GV2f8dg4yrg3uOd46hk7U/yqm9+gjIFh/Oq/Ha4ixEGszj7f25cAUSfwi4DDJ6+
    aRAibW7f3xUTm9VL+wBnQxMu8NHodNM=
    -----END CERTIFICATE-----
  6. Navigate to Infoblox > Grid > Members > Certificates > Manage CA Certificates
  7. Upload the newly created .pem file from step 5. You should see the certificates in the popup.
  8. Wait 2-3 minutes until Infoblox picks up the change, then verify that the full certificate chain is now returned by running the following command
    openssl s_client -showcerts -connect <hostname>:443
    Example:
    mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
    CONNECTED(00000003)
    depth=2 C = GB, ST = XXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=2 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
    verify return:1
    depth=1 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Intermediate CA
    verify return:1
    depth=0 C = BG, ST = XXXXX, L = XXXXXXX, O = XXXXX, OU = XXXX, CN = <FQDN>
    verify return:1

Note: As can be seen from the output, the Infoblox appliance now returns the full certificate chain.

  9. Navigate to vRA and change Infoblox.IPAM.DisableCertificateCheck to False. Click Validate.