between a rock and a hard place azure vdiscovery

Techie

Hello all, I tried setting up vDiscovery and got the following error: "ERROR: PycURL"

It looks like the marketplace Infoblox VM has an expired cert for login.microsoftonline.com.

I found the following information:

If the "ERROR: PycURL" error is displayed when you run a vDiscovery job, it is possible that the cloud provider has updated their certificate. You need to download the latest certificate from the cloud provider website and upload it to NIOS. For example, for AWS, download the certificates from https://www.amazontrust.com/repository/. For information see Error while running job.

Does anyone know if, like AWS, there is a repo for Azure that I can access for the Azure service endpoint cert?

https://login.microsoftonline.com/*

Re: between a rock and a hard place azure vdiscovery

Techie

I came here to post the exact same question!

Re: between a rock and a hard place azure vdiscovery

Community Manager

If you look at the full message, you may also see a message about the system being unable to get the local issuer certificate. In the Infoblox.log (from the Support Bundle), this may look like the following:

[2017/05/26 08:23:34.472] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR

If this matches up with what you are seeing, this is a byproduct of changes that Azure has made. Previously, the same certificates were used across different services, but this has changed over time. Because vDiscovery uses secure connections, this causes the certificate handshake to fail.

As Infoblox has become aware of these changes, these new certificates have been added with updates to NIOS, and in the latest NIOS 8.4 release, you are even able to update these certificates yourself. If you are able to upgrade, this should resolve this issue for you.

Regards,

Tony

Re: between a rock and a hard place azure vdiscovery

Techie

Thanks

Re: between a rock and a hard place azure vdiscovery

Community Manager

That error is different from what you would expect for a certificate issue. Make sure that the system time for your Infoblox server(s) is correct, check for any network security devices that might be causing issues with the HTTPS connection to login.microsoftonline.com, and verify that NIOS is resolving login.microsoftonline.com to the correct address.

Beyond that, a Traffic Capture run while reproducing the issue and a Support Bundle may also be required to troubleshoot this further. I would recommend consulting with Infoblox Support so that they can help go through this with you.

Regards,

Tony
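An added example (not part of the thread and not Infoblox tooling) that triages Infoblox.log lines of the shape quoted above, separating a CA trust failure from the clock, DNS and network causes mentioned in the replies. The first sample line is the one from this thread; the other two are constructed, and the advice strings are paraphrases, not NIOS output.

```python
import re

# Line shape taken from the Infoblox.log excerpt quoted in this thread.
LOG_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+)\].*?call (?P<driver>\w+) cdiscovery driver ERROR: "
    r"PycURL error: \((?P<code>\d+), (?P<q>['\"])(?P<msg>.*?)(?P=q)\)"
)

# libcurl result codes (curl.h); advice paraphrases the replies in this thread.
ADVICE = {
    6: "DNS: confirm NIOS resolves the endpoint to the correct address",
    7: "network: look for a security device blocking the HTTPS connection",
    28: "network: connection timed out, check the path to the endpoint",
    35: "network: TLS handshake was interrupted, check for interception devices",
    77: "trust store: CA certificate file could not be read",
}

# SAMPLES[0] is from the thread; SAMPLES[1] and SAMPLES[2] are constructed.
SAMPLES = [
    "[2017/05/26 08:23:34.472] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR",
    "[2017/05/26 08:25:01.118] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (6, 'Could not resolve host: login.microsoftonline.com') ret=DRIVER_ERROR",
    "[2017/05/26 08:26:47.903] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: certificate is not yet valid') ret=DRIVER_ERROR",
]

def triage(line):
    """Return (timestamp, driver, curl_code, advice), or None if no PycURL error."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code, msg = int(m["code"]), m["msg"].lower()
    if code == 60:  # peer certificate could not be verified
        if "expired" in msg or "not yet valid" in msg:
            advice = "validity: check appliance system time, then the CA certificates"
        elif "issuer" in msg:
            advice = "trust store: add the endpoint's current intermediate/root CA to NIOS"
        else:
            advice = "certificate verification failed: inspect the presented chain"
    else:
        advice = ADVICE.get(code, "not a certificate error: capture traffic and contact Support")
    return m["ts"], m["driver"], code, advice

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```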

Re: between a rock and a hard place azure vdiscovery

Techie

There may be some more traffic on this thread as the intermediate and root have changed again for the Azure endpoint. If you are on NIOS 8.2.2+, 8.3.0+, 8.4 or 8.5, you can upload the certificates to NIOS yourself by going to Grid -> Grid Manager and then selecting certificates -> "Manage CA Certificates" from the toolbar. From here you can add the new certs. After adding the certs, the jobs should run again.

Re: between a rock and a hard place azure vdiscovery

Techie

@tommymdempsey is correct.

More than likely the certs you are using expired or they got revoked. We just went through this, and you can add the new intermediate/root CAs to your NIOS instance and it will work again.

You should be able to download them from whatever URL you are making the call to; the web page should report this if you get the right one:

AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.

Installed them and were back in business.
