Foreman 3.4 not fetching DHCP IP from infoblox server (SSL error)

binoy · November 30, 2022, 10:59pm

Problem:
Failed to fetch a free IP from proxy foreman-xx (https:// foreman.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::NotFound]: 404 Not Found) for proxy https://foreman-test.net:8443/dhcp
Expected outcome:
As dhcp_infoblox plugin enforce ssl verification our foreman not getting response from infoblox.
Same plugin (older version working fine on older foreman)

Is there any option to ignore ssl verfication ?

We have 2 infoblox servers and have one(1) url infoblox.labs.test.net (servers active passive).
Self signed certificate (not expired and valid)

Any other option to consider?
Please advice

Foreman and Proxy versions:
3.4 /
Foreman and Proxy plugin versions:
rubygem-smart_proxy_dhcp_infoblox-0.0.16-7.fm3_3.el8.noarch
Distribution and version:
Centos 8
Other relevant data:

areyus · December 1, 2022, 8:52am

I am not aware of any option to disable certificate validation.
My recommendation would be to import the signing CA (or the infoblox cert itself) into your Foreman server’s trust store. Get the certificate file (pem encoded) and place it in /etc/pki/ca-trust/source/anchors/ on your Foreman server. Then run update-ca-trust --extract; update-ca-trust. This should solve your issue.

binoy · December 1, 2022, 5:25pm

Thanks for the reply
I tried that option, unfortunately that didn’t work.
Could it be as we have 2 infoblox servers (active, passive) and got one web url (actual hostname and fqdn(certificate) are different), is that the issue?

interestingly older version foreman working fine with same infoblox server

Regards,
Binoy

areyus · December 2, 2022, 9:19am

Afaik, SSL validation has been turned on in one plugin version and has been enforced since. So it’s no surprise it worked in an older version.

That might be the issue. We have 2 Infoblox in a cluster and that works well, but we have a gridmaster running with a fixed URL that we connect to. I can confirm that the SSL validation will not work if the fqdn you connect to is different from the one in the certificate (we have had that once too, and we needed to adjust our config by switching from IP to DNS FQDN).

binoy · December 5, 2022, 5:32pm

Hi Areyus,

Thanks for the reply, could you help to recreate SSL cert.
Server1. ns1.labs.test.net
Server2.ns2.labs.test.net
Gridmaster URL: infoblox.labs.test.net

I created self signed cert for infoblox.labs.hpecorp.net : Added cert to local server using following command

update-ca-trust enable

openssl s_client -showcerts -connect infoblox.labs.test.net:443 </dev/null | \

openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt

update-ca-trust extract

But the result was same (Curl showing error: Self signed cert and invalid )

Recreated SSL (Common Name: ns1.labs.test.net) same result.

Please advice how to proceed

Thanks
Binoy

areyus · December 8, 2022, 8:57am

Afaik, you need to create the cert for infoblox.labs.test.net, that should solve your issue.
But I am not managing our infoblox myself, so I can not tell you exactly how this is done on our site. All I know is the cert must be for the same domain name that you are connecting to, which should be the URL of your gridmaster.

binoy · December 8, 2022, 7:12pm

Thanks again,
We were using Rocky 8, we switched to Ubuntu 20.04 and cert issue solved (curl working fine, fetching network info from infoblox). However foreman still not getting IP info from infoblox, I added multiple VLAN that is working with old foreman (exactly same info from old foreman)
Failed to fetch a free IP from proxy foreman-1.labs.test.net (https://foreman-1.labs.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp

/var/log/syslog showing foreman-1 CRON[19721]: (foreman) CMD ( cd ${FOREMAN_HOME} && /usr/sbin/foreman-rake ldap:refresh_usergroups 2>&1 | gawk ‘{ print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }’ >>/var/log/foreman/cron.log)
Dec 8 11:03:27 foreman-ba1 smart-proxy[439]: /usr/lib/ruby/vendor_ruby/faraday.rb:68: warning: Capturing the given block using Proc.new is deprecated; use &block instead

smart-proxy[439]: 10.93.227.6 - - [08/Dec/2022:11:03:27 PST] “GET /dhcp/10.93.244.192/unused_ip?from=10.93.244.195&to=10.93.244.254 HTTP/1.1” 400 95
Dec 8 11:03:27 foreman-1 smart-proxy[439]: - → /dhcp/10.93.244.192/unused_ip?from=10.93.244.195&to=10.93.244.254
Dec 8 11:05:01 foreman-1 CRON[19753]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

/var/log/foreman
Processing by SubnetsController#freeip as JSON
2022-12-08T11:03:27 [I|app|96a0e3b6] Parameters: {“subnet_id”=>“2”, “host_mac”=>"", “organization_id”=>“1”, “location_id”=>“2”, “taken_ips”=>["", “”]}
2022-12-08T11:03:27 [W|app|96a0e3b6] Failed to fetch a free IP from proxy foreman-1.labs.test.net (https://foreman-1.labs.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp: ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp

binoy · December 8, 2022, 7:18pm

/var/log/foreman-proxy/proxy.log
2022-12-08T11:03:27 96a0e3b6 [I] Started GET /dhcp/10.93.244.192/unused_ip from=10.93.244.195&to=10.93.244.254
2022-12-08T11:03:27 96a0e3b6 [I] GET https://infoblox.labs.test.net/wapi/v2.0/network?_max_results=1&_return_fields=comment%2Cextattrs%2Cnetwork%2Cnetwork_view%2Cnetwork_container&network
=10.93.244.192&network_view=default
2022-12-08T11:03:27 96a0e3b6 [E] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
2022-12-08T11:03:27 96a0e3b6 [W] Error details for SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate): Faraday::SSLError: SSL_connect returned=
1 errno=0 state=error: certificate verify failed (self signed certificate)

areyus · December 9, 2022, 8:32am

From this part of the logs, you can see that you still have a SSL issue. I am not very experienced with Ubuntu, so I can’t tell you why curl is working and smart-proxy is not. Still I would suggest you redo your infoblox SSL setup. If you have not done so yet, maybe put all the possible names (the two infoblox servers, the gridmaster Server, and any aliases/cnames you might have) into the certs subject alt names.

binoy · December 13, 2022, 12:44am

I changed following files
Disable ssl verification on

/usr/share/gems/gems/smart_proxy_dhcp_infoblox-0.0.16/lib/smart_proxy_dhcp_infoblox/plugin_configuration.rb

:host => settings[:server], :ssl_opts => { :verify => false },
Original

#:host => settings[:server], :ssl_opts => { :verify => !ENV[‘FOREMAN_INFOBLOX_NOSSLVERIFY’] },

areyus · December 13, 2022, 8:43am

Patching the code is of course a possible solution if it solves your issue. Just keep in mind: If it breaks, you get to keep both parts
I would recommend documenting that patch on your side, since you will have to reapply that if an update to the plugin comes out.
Looking at the sourcecode you posted, you maybe could also set an environment variable in the foreman-proxy service file or even better a SystemD override file.