Problem:
Failed to fetch a free IP from proxy foreman-xx (https://foreman.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::NotFound]: 404 Not Found) for proxy https://foreman-test.net:8443/dhcp
Expected outcome:
As the dhcp_infoblox plugin enforces SSL verification, our Foreman is not getting a response from Infoblox.
The same plugin (older version) is working fine on the older Foreman.
Is there any option to ignore SSL verification?
We have 2 Infoblox servers and one (1) URL, infoblox.labs.test.net (the servers are active/passive).
Self-signed certificate (not expired and valid).
Any other option to consider?
Please advise.
Foreman and Proxy versions:
3.4 /
Foreman and Proxy plugin versions:
rubygem-smart_proxy_dhcp_infoblox-0.0.16-7.fm3_3.el8.noarch
Distribution and version:
CentOS 8
Other relevant data:
I am not aware of any option to disable certificate validation.
My recommendation would be to import the signing CA (or the infoblox cert itself) into your Foreman server’s trust store. Get the certificate file (pem encoded) and place it in /etc/pki/ca-trust/source/anchors/ on your Foreman server. Then run update-ca-trust --extract; update-ca-trust. This should solve your issue.
Thanks for the reply.
I tried that option; unfortunately, that didn’t work.
Could it be because we have 2 Infoblox servers (active/passive) and one web URL (the actual hostname and the FQDN in the certificate are different)? Is that the issue?
Interestingly, the older version of Foreman is working fine with the same Infoblox server.
AFAIK, SSL validation has been turned on in one plugin version and has been enforced since. So it’s no surprise it worked in an older version.
That might be the issue. We have 2 Infoblox in a cluster and that works well, but we have a gridmaster running with a fixed URL that we connect to. I can confirm that the SSL validation will not work if the fqdn you connect to is different from the one in the certificate (we have had that once too, and we needed to adjust our config by switching from IP to DNS FQDN).
AFAIK, you need to create the cert for infoblox.labs.test.net; that should solve your issue.
But I am not managing our infoblox myself, so I can not tell you exactly how this is done on our site. All I know is the cert must be for the same domain name that you are connecting to, which should be the URL of your gridmaster.
Thanks again.
We were using Rocky 8; we switched to Ubuntu 20.04 and the cert issue is solved (curl is working fine, fetching network info from Infoblox). However, Foreman is still not getting IP info from Infoblox. I added multiple VLANs that are working with the old Foreman (exactly the same info as in the old Foreman).
Failed to fetch a free IP from proxy foreman-1.labs.test.net (https://foreman-1.labs.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp
/var/log/syslog is showing:
foreman-1 CRON[19721]: (foreman) CMD ( cd ${FOREMAN_HOME} && /usr/sbin/foreman-rake ldap:refresh_usergroups 2>&1 | gawk '{ print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }' >>/var/log/foreman/cron.log)
Dec 8 11:03:27 foreman-ba1 smart-proxy[439]: /usr/lib/ruby/vendor_ruby/faraday.rb:68: warning: Capturing the given block using Proc.new is deprecated; use &block instead
/var/log/foreman:
Processing by SubnetsController#freeip as JSON
2022-12-08T11:03:27 [I|app|96a0e3b6] Parameters: {"subnet_id"=>"2", "host_mac"=>"", "organization_id"=>"1", "location_id"=>"2", "taken_ips"=>["", ""]}
2022-12-08T11:03:27 [W|app|96a0e3b6] Failed to fetch a free IP from proxy foreman-1.labs.test.net (https://foreman-1.labs.test.net:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp: ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman-1.labs.test.net:8443/dhcp
From this part of the logs, you can see that you still have an SSL issue. I am not very experienced with Ubuntu, so I can’t tell you why curl is working and smart-proxy is not. Still, I would suggest you redo your Infoblox SSL setup. If you have not done so yet, maybe put all the possible names (the two Infoblox servers, the gridmaster server, and any aliases/CNAMEs you might have) into the cert's subject alternative names.
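The two pieces of advice in this thread (import the CA or the self-signed cert into the trust store; make sure the name you connect to is in the certificate's subject alternative names) are the two checks a verifying TLS client performs, in that order. The following is an added example, not code from the thread or from smart_proxy_dhcp_infoblox: it builds a throwaway CA and server certificates in memory with Ruby's OpenSSL bindings (the same library smart-proxy uses) and runs both checks so you can see which one fails. The name infoblox.labs.test.net comes from the thread; the CA name "Labs Test CA" and the node names infoblox-1/-2.labs.test.net are invented for the scenario. Generating the RSA keys takes about a second.

```ruby
require 'openssl'

# Added example (not part of the thread or of smart_proxy_dhcp_infoblox).
# It builds a throwaway CA and server certificates in memory and runs the two
# checks a verifying TLS client performs: (1) does the certificate chain to a
# trusted anchor, (2) does the name being connected to match the cert's SANs.
# All hostnames except infoblox.labs.test.net are invented stand-ins.

DIGEST = 'SHA256'.freeze

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build an X.509 certificate. issuer: [cert, key] of the signer, or nil for self-signed.
def build_cert(cn:, key:, san:, serial:, ca: false, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  issuer_cert, issuer_key = issuer ? issuer : [cert, key]
  cert.issuer = issuer_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless san.empty?
    cert.add_extension(ef.create_extension('subjectAltName', san.map { |h| "DNS:#{h}" }.join(',')))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Check 1: chain validation against a trust store holding `anchors`
# (the equivalent of the certs placed in the OS trust store).
def chain_trusted?(cert, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  store.verify(cert)
end

# Check 2: hostname validation. Ruby matches the hostname against the SAN dNSName
# entries; once any SAN is present the subject CN is not consulted at all.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# What a VERIFY_PEER client concludes before it ever sends an HTTP request.
def tls_verdict(cert, anchors, hostname)
  return :untrusted_chain unless chain_trusted?(cert, anchors)
  return :hostname_mismatch unless hostname_matches?(cert, hostname)
  :ok
end

# --- Constructed scenario (names are assumptions, not the poster's data) ---
GRID_NAME = 'infoblox.labs.test.net'.freeze            # the URL Foreman connects to
NODE_NAMES = %w[infoblox-1.labs.test.net infoblox-2.labs.test.net].freeze

CA_KEY = make_key
CA_CERT = build_cert(cn: 'Labs Test CA', key: CA_KEY, san: [], serial: 1, ca: true)

# Certificate as described in the thread: issued for one node's own FQDN only.
NODE_KEY = make_key
NODE_CERT = build_cert(cn: NODE_NAMES[0], key: NODE_KEY, san: [NODE_NAMES[0]],
                       serial: 2, issuer: [CA_CERT, CA_KEY])

# Corrected certificate: every name a client might use is in the SAN list.
FIXED_CERT = build_cert(cn: GRID_NAME, key: NODE_KEY, san: [GRID_NAME] + NODE_NAMES,
                        serial: 3, issuer: [CA_CERT, CA_KEY])

# Self-signed appliance certificate with the right names; the cert itself is the anchor.
SELF_KEY = make_key
SELF_CERT = build_cert(cn: GRID_NAME, key: SELF_KEY, san: [GRID_NAME] + NODE_NAMES, serial: 4)

def verdicts
  {
    ca_not_imported: tls_verdict(NODE_CERT, [], GRID_NAME),
    ca_imported_wrong_name: tls_verdict(NODE_CERT, [CA_CERT], GRID_NAME),
    ca_imported_fixed_cert: tls_verdict(FIXED_CERT, [CA_CERT], GRID_NAME),
    self_signed_imported: tls_verdict(SELF_CERT, [SELF_CERT], GRID_NAME),
    self_signed_not_imported: tls_verdict(SELF_CERT, [], GRID_NAME)
  }
end

if __FILE__ == $PROGRAM_NAME
  verdicts.each { |scenario, verdict| puts "#{scenario}: #{verdict}" }
end
```

The `ca_imported_wrong_name` case is the situation the thread converges on: the trust store import succeeds, but verification still fails because the cert was issued for the node's FQDN and not for the grid URL. To run the same two checks against the live appliance from the Foreman host, `openssl s_client -connect infoblox.labs.test.net:443 -verify_hostname infoblox.labs.test.net` reports both the chain result and the hostname result; on RHEL-family systems the anchors directory is /etc/pki/ca-trust/source/anchors/ (then `update-ca-trust extract`), on Debian/Ubuntu it is /usr/local/share/ca-certificates/*.crt (then `update-ca-certificates`).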
Patching the code is of course a possible solution if it solves your issue. Just keep in mind: if it breaks, you get to keep both parts.
I would recommend documenting that patch on your side, since you will have to reapply it if an update to the plugin comes out.
Looking at the source code you posted, you could maybe also set an environment variable in the foreman-proxy service file, or even better in a systemd override file.