03-18-2019 11:47 AM
Hello All, I tried setting up vDiscovery and got the following error: "ERROR: PycURL"
It looks like the marketplace Infoblox VM has an expired cert for login.microsoftonline.com.
I found the following information:
If the "ERROR: PycURL" error is displayed when you run a vDiscovery job, it is possible that the cloud provider has updated their certificate. You need to download the latest certificate from the cloud provider website and upload it to NIOS. For example, for AWS, download the certificates from https://www.amazontrust.com/repository/. For information see Error while running job.
Anyone know if, like AWS, there is a repo for Azure that I can access for the Azure service endpoint cert?
03-26-2019 12:15 PM
If you look at the full message, you may also see a message about the system being unable to get the local issuer certificate. In the Infoblox.log (from the Support Bundle), this may look like the following:
[2017/05/26 08:23:34.472] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR
If this matches up with what you are seeing, this is a byproduct of changes that Azure has made. Previously, the same certificates were used across different services but this has changed over time. Because vDiscovery uses secure connections, this causes the certificate handshake to fail.
As Infoblox has become aware of these changes, these new certificates have been added with updates to NIOS and in the latest NIOS 8.4 release, you are even able to update these certificates yourself. If you are able to upgrade, this should resolve this issue for you.
03-26-2019 04:26 PM
That error is different from what you would expect for a certificate issue. Make sure that the system time for your Infoblox server(s) is correct, check for any network security devices that might be causing issues with the HTTPS connection to login.microsoftonline.com, and that NIOS is resolving login.microsoftonline.com to the correct address.
Beyond that, a Traffic Capture run while reproducing the issue and a Support Bundle may also be required to troubleshoot this further. I would recommend consulting with Infoblox Support so that they can help go through this with you.
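A triage sketch for the Infoblox.log entry format quoted earlier in this thread, added here as an example and not part of any post or of Infoblox's own code: it extracts the PycURL (libcurl) result code from each vDiscovery failure and maps it to the checks the replies suggest. The function names, the hint wording and the second and third sample lines are constructed for illustration.

```python
import re

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
[2017/05/26 08:23:34.472] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR
[2017/05/26 08:25:01.101] (26901 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (6, 'Could not resolve host: login.microsoftonline.com') ret=DRIVER_ERROR
[2017/05/26 08:26:10.000] (26910 <py>/infoblox/dns/bin/some_other_process) other.py:10 run(): unrelated message
"""

# Matches the vDiscovery driver failure format shown in the quoted log entry.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?call (?P<driver>\w+) cdiscovery driver ERROR: "
    r"PycURL error: \((?P<code>\d+), (?P<q>['\"])(?P<msg>.*)(?P=q)\)"
)

# libcurl result codes mapped to the checks suggested in this thread.
HINTS = {
    6: "DNS: confirm NIOS resolves the endpoint to the correct address",
    7: "network: look for security devices blocking HTTPS to the endpoint",
    28: "network: connection timed out, check the path to the endpoint",
    35: "TLS handshake: look for devices interfering with the HTTPS connection",
}

def hint_for(code, msg):
    """Return a troubleshooting hint for one PycURL (code, message) pair."""
    if code == 60:  # certificate verification failed; the message says why
        if "local issuer" in msg:
            return "CA: add the endpoint's current intermediate/root CA certificates to NIOS"
        if "expired" in msg or "not yet valid" in msg:
            return "time: verify NIOS system time, then the certificate validity dates"
        return "CA: certificate verification failed, review the trusted CA list"
    return HINTS.get(code, "unclassified: capture traffic and collect a Support Bundle")

def triage(log_text):
    """Yield (timestamp, driver, code, hint) for each vDiscovery PycURL failure."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            code = int(m.group("code"))
            yield m.group("ts"), m.group("driver"), code, hint_for(code, m.group("msg"))

if __name__ == "__main__":
    for ts, driver, code, hint in triage(SAMPLE_LOG):
        print(f"{ts} {driver} curl={code}: {hint}")
```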
07-29-2020 10:42 AM
There may be some more traffic on this thread as the intermediate and root have changed again for the Azure endpoint. If you are on NIOS 8.2.2+, 8.3.0+, 8.4 or 8.5, you can upload the certificates to NIOS yourself by going to Grid -> Grid Manager and then selecting certificates -> "Manage CA Certificates" from the toolbar. From here you can add the new certs. After adding the certs, the jobs should run again.
07-29-2020 01:08 PM - edited 07-29-2020 01:14 PM
@tommymdempsey is correct.
More than likely the certs you are using expired or they got revoked. We just went through this and you can add the new intermediate/root CAs to your NIOS instance and it will work again.
You should be able to download them from whatever URL you are making the call to; the web page should report this if you get the right one:
AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.
Installed them and were back in business.