Bug 1507158
| Summary: | When connecting through a proxy, subscription-manager does not provide Host: in http CONNECT header | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrick Toal <ptoal> |
| Component: | subscription-manager | Assignee: | Jiri Hnidek <jhnidek> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
| Severity: | medium | Docs Contact: | Filip Hanzelka <fhanzelk> |
| Priority: | medium | ||
| Version: | 7.4 | CC: | asakpal, csnyder, jhnidek, jsefler, khowell, ptoal, rjerrido, skallesh |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | subscription-manager-1.20.8-1 | Doc Type: | Release Note |
| Doc Text: |
*subscription-manager* now works with proxies that expect the "Host" header
Previously, the *subscription-manager* utility was not compatible with proxies that expect the "Host" header because it did not include the "Host" header when connecting. With this update, *subscription-manager* includes the "Host" header when connecting and is compatible with these proxies.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 09:52:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Reproducer:
[root@bkr-hv01-guest01 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: Unknown
subscription management rules: Unknown
subscription-manager: 1.19.21-1.el7
python-rhsm: 1.19.9-1.el7
[root@bkr-hv01-guest01 ~]# subscription-manager register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password:
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.
2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:518 - X-Correlation-ID: 15b03fe1adf84b8398aab3ae7173c3dd
2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,712 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:02,713 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:07,620 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:25:07,667 [INFO] subscription-manager:1521:MainThread @dmiinfo.py:73 - Using dmidecode dump file: /dev/mem
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 409 Conflict
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:178 - Tunnel connection failed: 409 Conflict
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
owner_key = self._determine_owner_key(admin_cp)
File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
owners = cp.getOwnerList(self.username)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
return self.conn.request_get(method)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
return self._request("GET", method, headers=headers)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
info=info, headers=headers)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
conn.request(request_type, handler, body=body, headers=final_headers)
File "/usr/lib64/python2.7/httplib.py", line 1017, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 826, in send
self.connect()
File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
HTTPConnection.connect(self)
File "/usr/lib64/python2.7/httplib.py", line 810, in connect
self._tunnel()
File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
message.strip()))
error: Tunnel connection failed: 409 Conflict
Verification:
[root@dell-per630-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.0-1
subscription management rules: 5.26
subscription-manager: 1.20.9-1.el7
[root@dell-per630-01 ~]# subscription-manager register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password:
Organization: admin
The system has been registered with ID: 0db8802e-877f-4c24-93e6-696351397886
The registered system name is: dell-per630-01.khw.lab.eng.bos.redhat.com
2018-01-12 02:21:19,394 [ERROR] subscription-manager:41976:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:452 - X-Correlation-ID: 39c31a96e3cc4639a8bda0f0746f8a69
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,412 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:19,413 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,505 [ERROR] subscription-manager:41981:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:452 - X-Correlation-ID: a4162d0d1d314af1ab3cc2b39f14e123
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,522 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,523 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:32,267 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:21:35,066 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=6842a86b-659f-4876-ae75-b7c4cb4d609a, request="GET /candlepin/users/admin/owners"
2018-01-12 02:21:39,798 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=e9ea3420-a9aa-4888-8872-8eab8347aa67, request="GET /candlepin/"
2018-01-12 02:21:39,832 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:47,166 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=a293b927-28be-49ed-97ad-134e96f178a9, request="POST /candlepin/consumers?owner=admin"
2018-01-12 02:21:47,168 [INFO] subscription-manager:41981:MainThread @managerlib.py:71 - Consumer created: dell-per630-01.khw.lab.eng.bos.redhat.com (0db8802e-877f-4c24-93e6-696351397886)
2018-01-12 02:21:47,169 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:50,042 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=418e1ce7-516f-4c12-b258-a86ffd73681b, request="GET /candlepin/"
2018-01-12 02:21:51,917 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=801dfc2c-3e29-4abb-b356-c7b733b40875, request="GET /candlepin/status"
2018-01-12 02:21:51,918 [INFO] subscription-manager:41981:MainThread @managercli.py:352 - Server Versions: {'rules-version': u'5.26', 'candlepin': u'2.3.0-1', 'server-type': u'Red Hat Subscription Management'}
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=2fbe689d-bc59-4dce-a8a5-d6add9172bb9, request="GET /candlepin/"
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @cache.py:410 - Server does not support packages, skipping profile upload.
2018-01-12 02:21:53,809 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:56,756 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=ccb20f39-91b9-496a-a517-842acd518b11, request="GET /candlepin/status"
2018-01-12 02:21:56,757 [INFO] subscription-manager:41981:MainThread @managercli.py:1175 - System registered, updating entitlements if needed
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=29bba2f9-8c06-44c7-8481-b95b06b3d2c6, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/certificates/serials"
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
<NONE>
Deleted (rogue):
<NONE>
2018-01-12 02:22:00,637 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=556e9c5b-f2b9-4fcb-bb5d-9badb6dda584, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:00,638 [INFO] subscription-manager:41981:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
2018-01-12 02:22:00,676 [INFO] rhsmd:41963:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:22:02,591 [INFO] rhsmd:41963:MainThread @connection.py:586 - Response: status=200, requestUuid=e06b8c93-8951-4d13-8551-d7e30dc30c6e, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:02,592 [INFO] rhsmd:41963:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
Confirmed that it is Blue Coat ProxySG, but was unable to get config from customer. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0681 |
Description of problem: When configuring subscription-manager to connect through a proxy, the call to the httplib does not provide a 'Host:' header. This causes some proxy servers to reject the tunnel connection request with the following error: Error during registration: Tunnel connection failed: 400 Version-Release number of selected component (if applicable): How reproducible: Requires an http proxy that relies on Host: header. Steps to Reproduce: 1. Configure http proxy host and port in rhsm.conf to point to a proxy that requires a Host: header in the HTTP CONNECT request. 2. execute subscription-manager to connect to redhat.com Actual results: 2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 400 2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:178 - Tunnel connection failed: 400 Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command owner_key = self._determine_owner_key(admin_cp) File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key owners = cp.getOwnerList(self.username) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList return self.conn.request_get(method) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get return self._request("GET", method, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request info=info, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request conn.request(request_type, handler, body=body, headers=final_headers) File "/usr/lib64/python2.7/httplib.py", line 1017, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 826, in send self.connect() File "/usr/lib64/python2.7/httplib.py", line 1227, in connect HTTPConnection.connect(self) File "/usr/lib64/python2.7/httplib.py", line 810, in connect self._tunnel() File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel message.strip())) Expected results: No error, and successful request. Additional info: The following patch results in correct functionality in the customer environment. There may be other functions in the library that also require the addition of the Host header. [root@ptoal-rhel7 rhsm]# diff -c /usr/lib64/python2.7/site-packages/rhsm/connection.py /tmp/connection.py *** /usr/lib64/python2.7/site-packages/rhsm/connection.py 2017-06-07 15:58:38.000000000 -0400 --- /tmp/connection.py 2017-10-27 13:54:55.062915973 -0400 *************** *** 499,505 **** if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) ! proxy_headers = {'User-Agent': self.user_agent} if self.proxy_user and self.proxy_password: proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password) conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout) --- 499,505 ---- if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) ! proxy_headers = {'User-Agent': self.user_agent, 'Host' : '%s:%s' % (self.host, safe_int(self.ssl_port)} if self.proxy_user and self.proxy_password: proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password) conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)