Infoblox DNS-01 support

Would it be possible to add support for Infoblox DNS server for DNS-01 checks? This server is commonly used in corporate and other networks.

I found a plugin for certbot here:
I prefer to use Certify on our Windows servers, most of which I would not like to expose http to the web.
I could probably try to adapt one of the existing providers, but I’ve never coded .NET before :smiley:

More info:

Hi Tony, for the new version of Certify (v5) we’re starting to adopt some providers from the Posh-ACME project (PowerShell). This is because we want to avoid duplicate efforts in the community if we can. Looks like they have an Infoblox provider, so yes, I’ll add that to the next v5 beta. It would be great if you could then test that out.

Sounds great, I would love to test it out.

Hi Tony, v5.0.8 (beta) is out now and adds a new Infoblox DNS provider (via Posh-ACME). I don’t have access to an Infoblox system to test against but try it out and see how you get on.

Ran into an issue that v5 requires PowerShell 5.

Powershell/PoshACME DNS :: Invoke-RestMethod: A parameter cannot be found that matches parameter name 'UseBasicParsing'.
At C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Infoblox.ps1:36 char:84
+ ... ential $IBCred @script:UseBasic
+                    ~~~~~~~~~~~~~~~~

After I installed that, I temporarily had a self-signed certificate on the Infoblox server.

Powershell/PoshACME DNS :: Invoke-RestMethod: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
At C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Infoblox.ps1:36 char:21
+ ... $response = Invoke-RestMethod -Uri $recUrl -Method Get -Credential $I ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is no option to allow invalid certs, so I worked to get at least a cert signed by our local CA applied to it.

Next, I got an invalid credentials error:

Powershell/PoshACME DNS :: Invoke-RestMethod: 

401 Authorization Required

Authorization Required
This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.

At C:\Program Files\CertifyTheWeb\Scripts\DNS\PoshACME\Plugins\Infoblox.ps1:36 char:21
+ ... $response = Invoke-RestMethod -Uri $recUrl -Method Get -Credential $I ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I verified I could log in with the credentials and re-entered them. No luck.

I can privately supply you with some test credentials if you like.

Using admin credentials worked :smiley:

It just seems the permissions I thought would work did not. I’ll continue to research what the proper permissions should be.


Hi Tony, thanks for testing!

I knew about the invalid cert issue but unfortunately we can’t use the same technique as posh-acme to avoid it (currently) as we don’t use the full posh-acme powershell scripts, just the DNS ones with our own wrapper.

Thanks for pointing out the v5 PowerShell dependency. That had the advantage of reducing our download size but I was hoping users on older versions of PowerShell would still be ok. I might have to think about that one!

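The first two failures reported in this thread (the missing `-UseBasicParsing` parameter and the untrusted server certificate) can be checked on the Certify host before a renewal runs. This is an added example, not part of the original posts and not Certify or Posh-ACME code; the host name is a placeholder and `Get-TlsTrustReport` is a hypothetical helper name.

```powershell
# Added example. Placeholder: replace with your own Infoblox server name.
$InfobloxHost = 'infoblox.example.internal'

# 1. The plugin passes -UseBasicParsing to Invoke-RestMethod (first error in
#    the thread). Check that this PowerShell actually has the parameter.
$irm = Get-Command Invoke-RestMethod
'PowerShell {0}; Invoke-RestMethod has -UseBasicParsing: {1}' -f `
    $PSVersionTable.PSVersion, $irm.Parameters.ContainsKey('UseBasicParsing')

# 2. Report whether this machine trusts the server certificate, and why not.
function Get-TlsTrustReport {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $state = @{}
    # The callback records the platform's verdict. It returns $true only so the
    # handshake completes for inspection; no request is sent over the stream.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            PolicyErrors = $state.Errors            # 'None' = chain and name validated
            ChainStatus  = $state.Chain -join ', '  # e.g. UntrustedRoot for a private CA
        }
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

Get-TlsTrustReport -HostName $InfobloxHost
```

If `PolicyErrors` is anything other than `None`, the fix is the one described in the thread: install a certificate on the Infoblox server that chains to a CA this machine already trusts.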