Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Azure

Reply

between a rock and a hard place azure vdiscovery

New Member
Posts: 1
12525     0

Hello All I tried setting up vdiscovery and got the following error   ERROR: PycURL"

 

It looks like the market place infoblox vm has an expired cert for login.microsoftonline.com

 

I found the following information  

 

If the "ERROR: PycURL" error is displayed when you run a vDiscovery job, it is possible that the cloud provider has updated their certificate. You need to download the latest certificate from the cloud provider website and upload it to NIOS. For example, for AWS, download the certificates from https://www.amazontrust.com/repository/. For information see Error while running job.

 

any one know if like AWS there is a repo for AZURE that i can access for the azure service endpoint  cert ?

https://login.microsoftonline.com/*

 

Re: between a rock and a hard place azure vdiscovery

[ Edited ]
New Member
Posts: 5
12525     0

I came here to post the exact same question!

 

Re: between a rock and a hard place azure vdiscovery

Adviser
Posts: 109
12525     0

If you look at the full message, you may also see a message about the system being unable to get the local issuer certificate. In the Infoblox.log (from the Support Bundle), this may look like the following:

 

[2017/05/26 08:23:34.472] (26894 <py>/infoblox/dns/bin/cdiscovery_executor) cloud_discovery_executor.py:353 run(): [Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR

 

If this matches up with what you are seeing, this is a byproduct of changes that Azure has made. Previously, the same certificates were used across different services but this has changed over time. Because vDiscovery uses secure connections, this causes the certificate handshake to fail.

 

As Infoblox has become aware of these changes, these new certificates have been added with updates to NIOS and in the latest NIOS 8.4 release, you are even able to update these certificates yourself. If you are able to upgrade, this should resolve this issue for you.

 

Regards,

Tony

Re: between a rock and a hard place azure vdiscovery

[ Edited ]
New Member
Posts: 5
12526     0

Thanks

Re: between a rock and a hard place azure vdiscovery

Adviser
Posts: 109
12526     0

That error is different from what you would expect for a certificate issue. Make sure that the system time for your Infoblox server(s) is correct, check for any network security devices that might be causing issues with the HTTPS connection to login.microsoftonline.com, and that NIOS is resolving login.microsoftonline.com to the correct address.

 

Beyond that, a Traffic Capture run while reproducing the issue and a Support Bundle may also be required to troubleshoot this further. I would recommend consulting with Infoblox Support so that they can help go through this with you.

 

Regards,

Tony

Re: between a rock and a hard place azure vdiscovery

New Member
Posts: 2
12526     0

There may be some more traffic on this thread as the intermediate and root have changed again for the Azure endpoint. If you are on NIOS 8.2.2+, 8.3.0+, 8.4 or 8.5, you can upload the certificates to NIOS yourself by going to Grid -> Grid Manager and then selecting certificates -> "Manage CA Certificates" from the toolbar. From here you can add the new certs. After adding the certs, the jobs should run again.

Re: between a rock and a hard place azure vdiscovery

[ Edited ]
Techie
Posts: 6
12526     0

@tommymdempsey is correct.

 

More than likely the certs you are using expired or they got revoked.  We just went though this and you can add the new intermediate/root CAs to your NIOS instance and it will work again.  

 

You should be able to download them from whatever URL you are making the call to, web page should report this if you get the right one:

 

AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.

 Installed them and were back in business. 

Re: between a rock and a hard place azure vdiscovery

New Member
Posts: 1
12526     0

Hello,

@dns3000 

I currently have the same problem with my certificate "

[Error while running Job]: initialize or call AZURE cdiscovery driver ERROR: PycURL error: (60, 'SSL certificate problem: unable to get local issuer certificate') ret=DRIVER_ERROR

".
However, I don't know how to change the certificate.

Thank you in advance

Re: between a rock and a hard place azure vdiscovery

Superuser
Posts: 65
12526     0

Hi fsal,

 

To add the new certificates, go to the URL of your OAuth token endpoint, for example: https://login.microsoftonline.com/<tenant_id>/oauth2/token. The <tenant_id> will be your Azure tenant ID. From that site, download the intermediate and root certificates; you should end up with files like: stamp2-login-microsoftonline-com.pem. 
 
In your Infoblox Grid Manager UI, go to the Grid - Grid Manager tab. In the toolbar, open the Certificates dropdown and select Manage CA Certificates. In the CA Certificates dialog that opens, click the + button and upload both the new certificates.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You