Foreman 3.4 not fetching DHCP IP from infoblox server (SSL error)

Failed to fetch a free IP from proxy foreman-xx (https:// ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::NotFound]: 404 Not Found) for proxy
Expected outcome:
As dhcp_infoblox plugin enforce ssl verification our foreman not getting response from infoblox.
Same plugin (older version working fine on older foreman)

Is there any option to ignore ssl verfication ?

We have 2 infoblox servers and have one(1) url (servers active passive).
Self signed certificate (not expired and valid)

Any other option to consider?
Please advice

Foreman and Proxy versions:
3.4 /
Foreman and Proxy plugin versions:
Distribution and version:
Centos 8
Other relevant data:

I am not aware of any option to disable certificate validation.
My recommendation would be to import the signing CA (or the infoblox cert itself) into your Foreman server’s trust store. Get the certificate file (pem encoded) and place it in /etc/pki/ca-trust/source/anchors/ on your Foreman server. Then run update-ca-trust --extract; update-ca-trust. This should solve your issue.

Thanks for the reply
I tried that option, unfortunately that didn’t work.
Could it be as we have 2 infoblox servers (active, passive) and got one web url (actual hostname and fqdn(certificate) are different), is that the issue?

interestingly older version foreman working fine with same infoblox server


Afaik, SSL validation has been turned on in one plugin version and has been enforced since. So it’s no surprise it worked in an older version.

That might be the issue. We have 2 Infoblox in a cluster and that works well, but we have a gridmaster running with a fixed URL that we connect to. I can confirm that the SSL validation will not work if the fqdn you connect to is different from the one in the certificate (we have had that once too, and we needed to adjust our config by switching from IP to DNS FQDN).

Hi Areyus,

Thanks for the reply, could you help to recreate SSL cert.
Gridmaster URL:

I created self signed cert for : Added cert to local server using following command

update-ca-trust enable

openssl s_client -showcerts -connect </dev/null | \

openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt

update-ca-trust extract

But the result was same (Curl showing error: Self signed cert and invalid )

Recreated SSL (Common Name: same result.

Please advice how to proceed


Afaik, you need to create the cert for, that should solve your issue.
But I am not managing our infoblox myself, so I can not tell you exactly how this is done on our site. All I know is the cert must be for the same domain name that you are connecting to, which should be the URL of your gridmaster.

Thanks again,
We were using Rocky 8, we switched to Ubuntu 20.04 and cert issue solved (curl working fine, fetching network info from infoblox). However foreman still not getting IP info from infoblox, I added multiple VLAN that is working with old foreman (exactly same info from old foreman)
Failed to fetch a free IP from proxy ( ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy

/var/log/syslog showing foreman-1 CRON[19721]: (foreman) CMD ( cd ${FOREMAN_HOME} && /usr/sbin/foreman-rake ldap:refresh_usergroups 2>&1 | gawk ‘{ print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }’ >>/var/log/foreman/cron.log)
Dec 8 11:03:27 foreman-ba1 smart-proxy[439]: /usr/lib/ruby/vendor_ruby/faraday.rb:68: warning: Capturing the given block using is deprecated; use &block instead

smart-proxy[439]: - - [08/Dec/2022:11:03:27 PST] “GET /dhcp/ HTTP/1.1” 400 95
Dec 8 11:03:27 foreman-1 smart-proxy[439]: - → /dhcp/
Dec 8 11:05:01 foreman-1 CRON[19753]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

Processing by SubnetsController#freeip as JSON
2022-12-08T11:03:27 [I|app|96a0e3b6] Parameters: {“subnet_id”=>“2”, “host_mac”=>"", “organization_id”=>“1”, “location_id”=>“2”, “taken_ips”=>["", “”]}
2022-12-08T11:03:27 [W|app|96a0e3b6] Failed to fetch a free IP from proxy ( ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy

2022-12-08T11:03:27 96a0e3b6 [I] Started GET /dhcp/ from=
2022-12-08T11:03:27 96a0e3b6 [I] GET
2022-12-08T11:03:27 96a0e3b6 [E] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
2022-12-08T11:03:27 96a0e3b6 [W] Error details for SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate): Faraday::SSLError: SSL_connect returned=
1 errno=0 state=error: certificate verify failed (self signed certificate)

From this part of the logs, you can see that you still have a SSL issue. I am not very experienced with Ubuntu, so I can’t tell you why curl is working and smart-proxy is not. Still I would suggest you redo your infoblox SSL setup. If you have not done so yet, maybe put all the possible names (the two infoblox servers, the gridmaster Server, and any aliases/cnames you might have) into the certs subject alt names.

I changed following files
Disable ssl verification on


:host => settings[:server], :ssl_opts => { :verify => false },

#:host => settings[:server], :ssl_opts => { :verify => !ENV[‘FOREMAN_INFOBLOX_NOSSLVERIFY’] },

Patching the code is of course a possible solution if it solves your issue. Just keep in mind: If it breaks, you get to keep both parts :wink:
I would recommend documenting that patch on your side, since you will have to reapply that if an update to the plugin comes out.
Looking at the sourcecode you posted, you maybe could also set an environment variable in the foreman-proxy service file or even better a SystemD override file.