05-30-2019 07:29 AM
I manage a grid of Infoblox appliances which services our enterprise. I've done many upgrades as a very long time customer of Infoblox. This latest release, 8.4.2, includes a new feature with a nice short description.
HSTS Support for Infoblox GUI (RFE-7286): Infoblox has introduced a new browser mechanism called HTTP Strict Transport Security (HSTS) to prevent an attacker from intercepting and modifying network
This sounds harmless enough, right? If you are connecting to your grid manager today in your favorite browser and you have some issue with your certificate (maybe using a short name, IP address, etc.), then after you upgrade, you will no longer be able to connect as you have been!!! HTTP Strict Transport Security (HSTS) requires that the name in the certificate match the name in the URL. In the past, you could click to override the setting and often the browser would even remember this setting for you!
In my case, we take a backup of the production grid and force restore it to a lab appliance. This allows us to test new scripts, CSV imports, and upgrades before we hit the production system. The issue here is that when we restore the production grid on the lab appliance, the name in the certificate no longer matches. Until recently, Infoblox did not support SAN, or Subject Alternative Names, so you could only configure one hostname in your certificate!
This could also impact WAPI access to your grid!
My suggestion is that if you have not issued a certificate lately with SAN configured, you might want to consider reissuing the certificate! And add all additional names to the SAN section (as long as you're on 8.3 or later).
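A pre-upgrade check in the spirit of the suggestion above, added here as an example and not part of the original post or any Infoblox tooling: it lists which names used to reach the grid manager (FQDN, lab name, short name, IP) are not covered by a certificate's SAN entries. The certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; all hostnames and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data, shaped like ssl.SSLSocket.getpeercert() output.
PROD_CERT = {"subjectAltName": (("DNS", "gm.corp.example"),)}
REISSUED_CERT = {"subjectAltName": (
    ("DNS", "gm.corp.example"), ("DNS", "gm-lab.corp.example"),
    ("DNS", "gm"), ("IP Address", "192.0.2.10"))}
# Every name admins and WAPI scripts put in the URL (assumed values).
ACCESS_NAMES = ["gm.corp.example", "gm-lab.corp.example", "gm", "192.0.2.10"]

def _as_ip(name):
    try:
        return ipaddress.ip_address(name.strip())
    except ValueError:
        return None

def _dns_match(pattern, host):
    """A '*' may only stand for the entire left-most label (RFC 6125)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    first, _, rest = h.partition(".")
    return bool(first) and rest == p[2:]

def uncovered_names(cert, access_names):
    """Return the access names that no SAN entry in cert covers.
    The subject CN is ignored on purpose: current browsers match SAN only."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = {_as_ip(v) for k, v in san if k == "IP Address"} - {None}
    missing = []
    for name in access_names:
        ip = _as_ip(name)
        covered = ip in ips if ip is not None else any(_dns_match(p, name) for p in dns)
        if not covered:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print("production cert misses:", uncovered_names(PROD_CERT, ACCESS_NAMES))
    print("reissued cert misses:  ", uncovered_names(REISSUED_CERT, ACCESS_NAMES))
```

Any name the function returns is one that needs a SAN entry in the reissued certificate.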