Bug 1971995

Following an internal team discussion, we decided to improve some of the error messages to print more information on what actually happened. This should be hopefully helpful and actionable for users.

In particular, this BZ will cover the following cases:


* "Network error, unable to connect to server. Please see ..."

This represents a number of network related issues.

For any error related to the network name resolution, the proposed error message is:
| Network error: <error message> (error code <error code>)

for example:
| Network error: Name or service not known (error code -2)

For any error related to the network connection itself, the proposed error message is:
| Connection error: <error message> (error code <error code>)

for example:
| Connection error: Connection refused (error code 111)

In both cases, the error message/code is as reported by the low level network bits in the Linux stack.


* "Network error. Please check the connection details, ..."

Despite the "network” mention, this represents a reply from the server in case the content cannot be parsed as JSON, and the HTTP error code is different than 200, 202, 204, 304, 401, 403, 404, 410, 429, 500, 502, 503, 504.

In case there is a content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>):
| <content>

for example:
| Unknown server reply (HTTP error code 400: Bad Request):
| <html>
| <body>
| [etc]

In case there is no content in the server reply, the proposed error message is:
| Unknown server reply (HTTP error code <error code>: <error message>)

for example:
| Unknown server reply (HTTP error code 400: Bad Request)


* "Proxy connection failed, please check your settings."

This represents errors related to the connection to the proxy server.

For any error related to the network name resolution of the proxy server, the proposed error message is:
| Proxy error: proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: proxy_hostname:proxy_port: Name or service not known (error code -2)

For any error related to the connection to the proxy server, the proposed error message is:
| Proxy error: unable to connect to proxy_hostname:proxy_port: <error message> (error code <error code>)

for example:
| Proxy error: unable to connect to proxy_hostname:proxy_port: Connection refused (error code 111)

The error message/code is as reported by the low level network bits in the Linux stack.


* "Unable to reach the server at <host>:<port>/<path>”

This error is printed when the initial connection to the entitlement server cannot be established; usually they refer to proxy errors.

For any error related to the connection to the proxy server, the proposed error message is:
| Unable to reach the server at hostname:port/path: <error message>

for example:
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 500 Unable to connect
| Unable to reach the server at hostname:port/path: Tunnel connection failed: 407 Proxy Authentication Required


* "Bad CA certificate: <file>”

This error is printed when any of the .pem files in the CA directory of subscription-manager (the default is /etc/rhsm/ca/) is not a valid PEM file with certificates. This generally should not happen, unless a custom faulty certificate is added to that directory.

The proposed error message is:
| Bad CA certificate: <file>: <error message>

for example:
| Bad CA certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.


* "System certificates corrupted. Please reregister."

This error is printed when any of the products .pem files in /etc/pki/product-default/ is not a valid PEM file with certificates. This generally should not happen, as the certificates in that directory are provided by Red Hat.

The proposed error message is:
| Bad product certificate: <file>: <error message>

for example:
| Bad product certificate: <file>: [X509] no certificate or crl found (_ssl.c:3771)

The error message is what is reported by the Python ssl module or OpenSSL directly.

*** Bug 1712796 has been marked as a duplicate of this bug. ***

Note: The changes introduced by this RFE are informational (not functional), hence there are many string changes that include dynamic reasons and codes as returned by the server that were previously buried in the rhsm.log file and are now presented to the user on the command line.  These design details were presented in comment 2.

Here is one simple example of the information presented by subscription-manager on the command line before and after the changes for this RFE...

BEFORE fix for RFE Bug 1971995:
[root@rhel87 ~]# rpm -q subscription-manager
subscription-manager-1.28.32-1.el8.aarch64
[root@rhel87 ~]# subscription-manager register --proxy=foo
Proxy connection failed, please check your settings.
[root@rhel87 ~]# 

AFTER fix for RFE Bug 1971995:
[root@rhel88 ~]# rpm -q subscription-manager
subscription-manager-1.28.35-1.el8.aarch64
[root@rhel88 ~]# subscription-manager register --proxy=foo
Proxy error: unable to connect to foo:3128: Name or service not known (error code -2)
[root@rhel88 ~]# 

VERIFIED: The new message explains with detail that the system was "unable to connect to foo:3128" which includes the poorly specified proxy server "foo" and a reason why it was poor "Name or service not known".  An error code was also shared.  This new informative message exceeds the original "Proxy connection failed, please check your settings".

Moving to VERIFIED based on the automated test results in comment 12 and comment 13 above.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2984