Bug 1654531
| Summary: | Unable to access redhat repos with http proxy due to wrong protocol written to redhat.repo (RHEL8 beta only) | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Prathamesh Chavan <prchavan> | |
| Component: | subscription-manager | Assignee: | candlepin-bugs | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> | |
| Severity: | high | Docs Contact: | Ioanna Gkioka <igkioka> | |
| Priority: | high | |||
| Version: | 8.0 | CC: | ahogbin, ajanorka, alexander.lackner, blc, candlepin-bugs, cdonnell, csnyder, dmach, flloreda, hhei, igkioka, james.antill, jamills, jeharris, jgalipea, jmracek, jsefler, khowell, kkohli, ktordeur, mblaha, mmcgrath, mschibli, mzjamsheer123, pdwyer, prjagtap, rbertolj, redakkan, rhsm-qe, rjerrido, sababu, skallesh, snejoshi, wasfv, wchadwic, wpoteat, xuli, yacao, yferszt | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 8.0 | Flags: | rule-engine: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
.`dnf` and `yum` can now access the repos regardless of `subscription-manager` values
Previously, the `dnf` or `yum` commands ignored the `https://` prefix from a URL added by the *subscription-manager* service. The updated `dnf` or `yum` commands do not ignore invalid `https://` URLs. As a consequence, `dnf` and `yum` failed to access the repos. To fix the problem, a new configuration variable, `proxy_scheme`, has been added to the `/etc/rhsm/rhsm.conf` file and the value can be set to either `http` or `https`. If no value is specified, *subscription-manager* sets `http` by default, which is more commonly used.
Note that if the proxy uses `http`, most users should not change anything in the configuration in `/etc/rhsm/rhsm.conf`. If the proxy uses `https`, users should update the value of `proxy_scheme` to `https`. Then, in both cases, users need to run the `subscription-manager repos --list` command or wait for the `rhsmcertd` daemon process to regenerate the `/etc/yum.repos.d/redhat.repo` properly.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1815108 (view as bug list) | Environment: | ||
| Last Closed: | 2019-06-14 01:37:39 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1623566, 1815108 | |||
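
An added example, not part of the bug report and not subscription-manager's own code: following the Doc Text above, it checks that every `proxy` line in `redhat.repo` uses the scheme that the `[server]` section of `rhsm.conf` implies (`http` when `proxy_scheme` is empty). The host name, repo ids and file contents are constructed, and leaving an empty port off the URL is an assumption of this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample inputs (hypothetical host and repo ids, not from the bug).
RHSM_CONF = """\
[server]
proxy_hostname = proxy.example.com
# empty on purpose: the Doc Text says http is then the default
proxy_scheme =
proxy_port = 3128
"""

REDHAT_REPO = """\
[example-baseos-rpms]
baseurl = https://cdn.example.com/content/baseos/os
proxy = https://proxy.example.com:3128

[example-appstream-rpms]
baseurl = https://cdn.example.com/content/appstream/os
proxy = http://proxy.example.com:3128
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def expected_proxy(rhsm_conf_text):
    """Proxy URL implied by [server] in rhsm.conf, or None if no proxy is set."""
    server = _parse(rhsm_conf_text)["server"]
    host = server.get("proxy_hostname", "").strip()
    if not host:
        return None
    scheme = server.get("proxy_scheme", "").strip() or "http"
    port = server.get("proxy_port", "").strip()
    # Assumption of this example: an empty port is simply left off the URL.
    return f"{scheme}://{host}:{port}" if port else f"{scheme}://{host}"


def audit_repo(repo_text, expected):
    """Return (repo_id, reason) for each repo whose proxy line disagrees."""
    want = urlsplit(expected).scheme if expected else None
    findings = []
    repo = _parse(repo_text)
    for repo_id in repo.sections():
        actual = repo[repo_id].get("proxy", "").strip() or None
        if actual == expected:
            continue
        got = urlsplit(actual).scheme if actual else None
        if got and want and got != want:
            reason = f"proxy scheme {got!r}, rhsm.conf implies {want!r}"
        else:
            reason = f"proxy is {actual!r}, rhsm.conf implies {expected!r}"
        findings.append((repo_id, reason))
    return findings


if __name__ == "__main__":
    for repo_id, reason in audit_repo(REDHAT_REPO, expected_proxy(RHSM_CONF)):
        print(f"{repo_id}: {reason}")
```

On a real system the two inputs are the contents of `/etc/rhsm/rhsm.conf` and `/etc/yum.repos.d/redhat.repo`; per the Doc Text, a finding is cleared by running `subscription-manager repos --list` or waiting for `rhsmcertd` to regenerate the repo file.
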
In the support case 02260980, the customer removed the proxy information from the /etc/rhsm/rhsm.conf file and he is able to access the repositories which is weird.

Given this error: SSL connect error for https://cdn.redhat.com/content/beta/rhel8/8/x86_64/baseos/os/repodata/repomd.xml [error:1408F10B:SSL routines:ssl3_get_record:wrong version number] is something trying to use SSLv3 (known insecure, and been deprecated for some time now)?

blocker+ per Dec 13th blocker meeting

*** Bug 1654715 has been marked as a duplicate of this bug. ***

*** Bug 1651316 has been marked as a duplicate of this bug. ***

Reproducing the failure on RHEL 8 beta system:
===============================================
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.12-1
subscription management rules: 5.30
subscription-manager: 1.23.8-1.el8
[root@ibm-x3650m4-01-vm-01 ~]# subscription-manager register --auto-attach
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: stage_test_***
Password:
The system has been registered with ID: dcbf5453-a68c-4860-add6-f91d9a157613
The registered system name is: ibm-x3650m4-01-vm-01.lab.eng.bos.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64 Beta
Status: Subscribed
[root@ibm-x3650m4-01-vm-01 ~]# subscription-manager repos --list-enabled
+----------------------------------------------------------+
Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID: rhel-8-for-x86_64-appstream-beta-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
Repo URL: https://cdn.redhat.com/content/beta/rhel8/8/x86_64/appstream/os
Enabled: 1
Repo ID: rhel-8-for-x86_64-baseos-beta-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs)
Repo URL: https://cdn.redhat.com/content/beta/rhel8/8/x86_64/baseos/os
Enabled: 1
[root@ibm-x3650m4-01-vm-01 ~]# yum repolist
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-beta-rpms', ignoring this repo.

Moving back to MODIFIED status. The additional pull request https://github.com/candlepin/subscription-manager/pull/2037 should fix the scenario reported in Bug 1676942 which blocks the VERIFICATION of this bug.

Here is a re-test of comment 35 (excluding a fix in comment 36) with a squid server (auto-services.usersys.redhat.com) that has been configured with an ssl port (3131) and a ssl cert (squid_https_cert.pem), but first I'll start by re-testing no proxy, then a non-ssl configured port on the squid server, and thirdly a true ssl configured proxy.

[root@kvm-01-guest19 ~]# rpm -q subscription-manager dnf libdnf libcurl
subscription-manager-1.23.8-26.el8.x86_64
dnf-4.0.9.2-4.el8.noarch
libdnf-0.22.5-4.el8.x86_64
libcurl-7.61.1-8.el8.x86_64
_____________________________________________________
Step 0. Configure a non-ssl proxy server and a ssl proxy (details not shown). Needed from this setup will be a ssl cert (squid_https_cert.pem) from the proxy server in subsequent step 3.
_____________________________________________________
Step 1. register the RHEL system without any proxy
[root@kvm-01-guest19 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com:443/subscription --username=stage_auto_testuser --auto-attach --baseurl=https://cdn.stage.redhat.com
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password:
The system has been registered with ID: 1fc5c7c5-4053-4cc3-bb8c-d4ae2b42fee5
The registered system name is: kvm-01-guest19.lab.eng.rdu2.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64 High Touch Beta
Status: Subscribed
[root@kvm-01-guest19 ~]# dnf repolist --disablerepo=beaker*
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 1.7 MB/s | 13 MB 00:08
Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 1.6 MB/s | 7.4 MB 00:04
Last metadata expiration check: 0:00:21 ago on Thu 14 Feb 2019 03:49:57 PM EST.
repo id repo name status
rhel-8-for-x86_64-appstream-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 7,730
rhel-8-for-x86_64-baseos-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 3,394
[root@kvm-01-guest19 ~]# grep rhel-8-for-x86_64-baseos-htb-rpms /etc/yum.repos.d/redhat.repo -A12
[rhel-8-for-x86_64-baseos-htb-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs)
baseurl = https://cdn.stage.redhat.com/content/htb/rhel8/8/x86_64/baseos/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/99772019693099844-key.pem
sslclientcert = /etc/pki/entitlement/99772019693099844.pem
metadata_expire = 86400
enable_metadata = 1
^^^ VERIFIED: No proxy settings are between the repo and the CDN as expected and we successfully reach the CDN as evidenced in the dnf repolist package count for repo rhel-8-for-x86_64-baseos-htb-rpms
_____________________________________________________
Step 2. configure the RHEL system for a non-ssl proxy and re-attempt access to the cdn
[root@kvm-01-guest19 ~]# dnf clean all
Updating Subscription Management repositories.
103 files removed
[root@kvm-01-guest19 ~]# subscription-manager config --server.proxy_hostname=auto-services.usersys.redhat.com --server.proxy_user=redhat --server.proxy_password=redhat --server.proxy_port=3127 --server.proxy_scheme=http
[root@kvm-01-guest19 ~]# dnf repolist --disablerepo=beaker*
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 1.7 MB/s | 13 MB 00:07
Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 1.6 MB/s | 7.4 MB 00:04
Last metadata expiration check: 0:00:02 ago on Thu 14 Feb 2019 04:02:22 PM EST.
repo id repo name status
rhel-8-for-x86_64-appstream-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 7,730
rhel-8-for-x86_64-baseos-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 3,394
[root@kvm-01-guest19 ~]#
[root@kvm-01-guest19 ~]# grep rhel-8-for-x86_64-baseos-htb-rpms /etc/yum.repos.d/redhat.repo -A15
[rhel-8-for-x86_64-baseos-htb-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs)
baseurl = https://cdn.stage.redhat.com/content/htb/rhel8/8/x86_64/baseos/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/99772019693099844-key.pem
sslclientcert = /etc/pki/entitlement/99772019693099844.pem
metadata_expire = 86400
enable_metadata = 1
proxy = http://auto-services.usersys.redhat.com:3127
proxy_username = redhat
proxy_password = redhat
^^^ VERIFIED: With a non-ssl enabled proxy server on port 3127, the entitled repo can successfully reach content on the CDN. Notice that the scheme on the proxy setting in the repo matches the new --server.proxy_scheme="http" configuration set by subscription-manager.
_____________________________________________________
Step 3. configure the RHEL system to use a true ssl proxy and re-attempt access to the cdn
[root@kvm-01-guest19 ~]# dnf clean all
Updating Subscription Management repositories.
16 files removed
[root@kvm-01-guest19 ~]# subscription-manager config --server.proxy_hostname=auto-services.usersys.redhat.com --server.proxy_user=redhat --server.proxy_password=redhat --server.proxy_port=3131 --server.proxy_scheme=https
[root@kvm-01-guest19 ~]# dnf repolist --disablerepo=beaker*
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-htb-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-htb-rpms', ignoring this repo.
^^^^ FAILED: as expected because I neglected to fetch the ssl cert from the proxy server
[root@kvm-01-guest19 ~]# scp root.redhat.com:/etc/squid/ssl_cert/squid_https_cert.pem /etc/pki/ca-trust/source/anchors/squid_https_cert.pem
The authenticity of host 'auto-services.usersys.redhat.com (10.16.6.78)' can't be established.
ECDSA key fingerprint is SHA256:0W9p/SMuH4eX6OOnkbC0gEcBLvavPGh1mTgCUaRkaPc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'auto-services.usersys.redhat.com,10.16.6.78' (ECDSA) to the list of known hosts.
root.redhat.com's password:
squid_https_cert.pem 100% 3063 146.8KB/s 00:00
[root@kvm-01-guest19 ~]# update-ca-trust extract
[root@kvm-01-guest19 ~]# dnf repolist --disablerepo=beaker*
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 1.9 MB/s | 13 MB 00:06
Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 1.8 MB/s | 7.4 MB 00:04
Last metadata expiration check: 0:00:01 ago on Thu 14 Feb 2019 04:15:45 PM EST.
repo id repo name status
rhel-8-for-x86_64-appstream-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream HTB (RPMs) 7,730
rhel-8-for-x86_64-baseos-htb-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs) 3,394
[root@kvm-01-guest19 ~]# grep rhel-8-for-x86_64-baseos-htb-rpms /etc/yum.repos.d/redhat.repo -A15
[rhel-8-for-x86_64-baseos-htb-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS HTB (RPMs)
baseurl = https://cdn.stage.redhat.com/content/htb/rhel8/8/x86_64/baseos/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/99772019693099844-key.pem
sslclientcert = /etc/pki/entitlement/99772019693099844.pem
metadata_expire = 86400
enable_metadata = 1
proxy = https://auto-services.usersys.redhat.com:3131
proxy_username = redhat
proxy_password = redhat
VERIFIED: With a ssl enabled proxy server on port 3131 and a trusted copy of the proxy server's ssl cert on my RHEL system, a ssl configured proxy setting between the repo and the CDN can successfully reach content on the CDN. Notice that the scheme on the proxy setting in the repo matches the new --server.proxy_scheme="https" configuration set by subscription-manager.

Waiting on a new build of subscription-manager that includes the fix in comment 36 to land in a RHEL compose for final verification of this bug.

*** Bug 1676942 has been marked as a duplicate of this bug. ***

Using nightly RHEL compose RHEL-8.0.0-20190220.n.0 with the following subscription-manager version to complete the verification of this bug...

[root@kvm-01-guest15 ~]# rpm -q subscription-manager
subscription-manager-1.23.8-28.el8.x86_64
[root@kvm-01-guest15 ~]# rpm -q subscription-manager --changelog | grep 1654531
- 1654531: Add default for proxy_scheme in rhsm.conf (csnyder)
- 1654531: Add proxy_scheme to rhsm.conf (csnyder)
- 1654531: Make default repolist proxy to http protocol when not specified
[root@kvm-01-guest15 ~]#
[root@kvm-01-guest15 ~]# grep proxy /etc/rhsm/rhsm.conf
# an http proxy server to use
proxy_hostname =
# The scheme to use for the proxy when updating repo definitions, if needed
proxy_scheme = http <================= VERIFIED fix for comment 36
# port for http proxy server
proxy_port =
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =
# host/domain suffix blacklist for proxy, if needed
no_proxy =
[root@kvm-01-guest15 ~]#
[root@kvm-01-guest15 ~]# subscription-manager config | grep proxy
no_proxy = []
proxy_hostname = []
proxy_password = []
proxy_port = []
proxy_scheme = [http] <================= VERIFIED fix for comment 36
proxy_user = []
[root@kvm-01-guest15 ~]#
Note: The surrounding brackets on [http] indicate a default value for proxy_scheme is in use as needed to fix this bug.

Additional Info: When rhsm.conf is configured with a true ssl proxy server, you may still run into bug 1677765

Unfortunately, the message "Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo." (or similar) is a symptom with several possible underlying issues as causes. This bug addressed one such issue which affected RHEL8 beta, which was resolved in the G.A. release of RHEL 8.0. If a similar symptom is seen on G.A. releases of RHEL 8.0, it is due to some other issue.

(In reply to Kevin Howell from comment #52)
> Unfortunately, the message "Failed to synchronize cache for repo
> 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo." (or similar)
> is a symptom with several possible underlying issues as causes. This bug
> addressed one such issue which affected RHEL8 beta, which was resolved in
> the G.A. release of RHEL 8.0. If a similar symptom is seen on G.A. releases
> of RHEL 8.0, it is due to some other issue.

This is seen in RHEL8 GA. So shall I open a separate Bug for RHEL8 GA?
-Anuja

Hi Anuja,
There are several bugs open already that for a customer would result in the same error but are caused by different issues. @John Sefler, can you please add a comment to this bug with the links to those bugs? That way support can figure out which one is the cause and link to the appropriate customer case. This will also allow the subscription manager subsystem team to prioritize appropriately :D
Thanks!
Jenny

Hi Team,
please fix it.
tail -f /var/log/rhsm/rhsm.log
self.content = self.__generate()
File "/usr/lib64/python3.6/site-packages/rhsm/profile.py", line 76, in __generate
base.fill_sack()
File "/usr/lib/python3.6/site-packages/dnf/base.py", line 400, in fill_sack
self._add_repo_to_sack(r)
File "/usr/lib/python3.6/site-packages/dnf/base.py", line 135, in _add_repo_to_sack
repo.load()
File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 568, in load
raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to synchronize cache for repo 'rhui-client-config-server-8'

Jamseer, This bug has been closed and was directed toward RHEL 8 Beta only. If you are still encountering specific issues, please open a new bugzilla to track those issues and provide as much detail as possible about the environment used and errors encountered. (Provide full logs if at all possible.) Thanks.

Description of problem:
-----------------------
Even after cleaning the cache and checking the network connectivity for any issues, the 'dnf repolist' command exits with an error:
# dnf repolist
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-beta-rpms', ignoring this repo.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
dnf-4.0.4-1.el8.noarch

How reproducible:
-----------------
[root@4 ~]# rm -rf /var/cache/yum/*
[root@4 ~]# rm -rf /var/cache/dnf/*
[root@4 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
Product Name: Red Hat Enterprise Linux for x86_64 Beta
Product ID: 486
Version: 8.0 Beta
Arch: x86_64
Status: Subscribed
Status Details:
Starts: 11/19/2018
Ends: 11/19/2019
[root@4 ~]# dnf repolist
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-beta-rpms', ignoring this repo.
[root@4 ~]# dnf check-update
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-beta-rpms', ignoring this repo.

Steps to Reproduce:
-------------------
- Clear the dnf cache.
- Check the status of the subscription present on the system.
- Execute the 'dnf repolist' command

Actual results:
---------------
# dnf repolist
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 0.0 B/s | 0 B 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-beta-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-beta-rpms',

Expected results:
-----------------
# dnf repolist
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Last metadata expiration check: 18:31:18 ago on Wed 28 Nov 2018 01:22:06 PM IST.
repo id repo name status
rhel-8-for-x86_64-appstream-beta-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs) 4,594
rhel-8-for-x86_64-baseos-beta-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs) 1,686

Additional info:
----------------
- The tcpdump of the system does not show any abnormalities in the network of the target systems.