Unable to validate the provided access credentials: Failed to validate credentials. AdapterReference: http://provisioningservice.prelude.svc.cluster.local:8282/provisioning/adapter/ipam/endpointconfig. Error: Execution of action Infoblox_ValidateEndpoint failed on provider side: Infoblox HTTP request failed with: HTTPSConnectionPool(host='<FQDN>', port=443): Max retries exceeded with url: /wapi/v2.7/networkview?_return_fields=name (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) Cloud account: null Task: /provisioning/endpoint-tasks/<endpoint_id>
However, Python 3.x is more restrictive than browsers: it requires the full certificate chain in order to build the chain of trust. Since the vRA Infoblox plugin is based on Python, customers must make sure that their Infoblox appliance is configured to return the whole certificate chain and not just the server certificate.
There are 2 options to resolve this issue:
1. Set the Infoblox.IPAM.DisableCertificateCheck parameter to True and save the endpoint.
   This disables the SSL certificate checks, so you won't get any more errors. However, from a security perspective this is not the safest option, since it opens the door to MITM attacks.
2. Configure Infoblox to return the full certificate chain, including intermediate and CA.
   This is the safest and recommended option.
openssl s_client -showcerts -connect <hostname>:443
mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
CONNECTED(00000003)
depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BG, ST = XXXXX, L = XXXXX, O = XXXXXX, OU = XXXX, CN = <FQDN>, emailAddress = <Email_id>
verify error:num=21:unable to verify the first certificate
verify return:1
Note: The returned server certificate cannot be verified, as shown by the "unable to verify the first certificate" error.
The browser displays the full certificate chain - including intermediate and CA.
If the browser does not display the intermediate certificate and the CA, contact the Infoblox server administrator and ask them to provide the complete chain of signer certificates that were used for signing the Infoblox server CSR.
openssl s_client -showcerts -connect <hostname>:443
Example:
mdzhigarov@mdzhigarov-z02:~/openssl_test/root/ca$ openssl s_client -showcerts -connect <FQDN>:443
CONNECTED(00000003)
depth=2 C = GB, ST = XXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Root CA
verify return:1
depth=1 C = GB, ST = XXXXXXX, O = XXXXX Ltd, OU = XXXXX Ltd Certificate Authority, CN = XXXXX Ltd Intermediate CA
verify return:1
depth=0 C = BG, ST = XXXXX, L = XXXXXXX, O = XXXXX, OU = XXXX, CN = <FQDN>
verify return:1
Note: As can be seen from the output, the Infoblox appliance now returns the full certificate chain.
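The two transcripts above can be told apart mechanically from their depth= and verify error lines. The following Python sketch is an added example, not part of the original article or of the vRA Infoblox plugin; the function name diagnose_chain and its verdict strings are assumptions, and the sample inputs are abridged from the transcripts on this page.

```python
import re

# Constructed samples, abridged from the two transcripts on this page
# (subject DNs shortened to the CN; placeholders kept as-is).
LEAF_ONLY = """\
depth=0 CN = <FQDN>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <FQDN>
verify error:num=21:unable to verify the first certificate
verify return:1
"""
FULL_CHAIN = """\
depth=2 CN = XXXXX Ltd Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 CN = XXXXX Ltd Root CA
verify return:1
depth=1 CN = XXXXX Ltd Intermediate CA
verify return:1
depth=0 CN = <FQDN>
verify return:1
"""
LINE_RE = re.compile(r"^(?:depth=(\d+) |verify error:num=(\d+):)")

def diagnose_chain(s_client_output):
    """Return (verdict, chain_length, error_codes) for s_client verify lines."""
    depth, max_depth, errors = None, -1, []
    for line in s_client_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group(1) is not None:       # "depth=N <subject>"
            depth = int(m.group(1))
            max_depth = max(max_depth, depth)
        else:                            # error refers to the preceding depth line
            errors.append((depth, int(m.group(2))))
    codes = {code for _, code in errors}
    if max_depth < 0:
        verdict = "no-verify-output"
    elif (0, 20) in errors or 21 in codes:
        verdict = "leaf-only"            # issuer of the server certificate was not sent
    elif 20 in codes:
        verdict = "chain-truncated"      # an issuer above the leaf is missing
    elif 19 in codes:
        verdict = "full-chain-root-not-in-local-store"
    else:
        verdict = "other-error" if codes else "verified"
    return verdict, max_depth + 1, sorted(codes)
```

To check a live appliance, pass the function the combined stdout and stderr of the openssl s_client command shown above, since the verify lines are written to stderr.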