Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1507158 - When connecting through a proxy, subscription-manager does not provide Host: in http CONNECT header
When connecting through a proxy, subscription-manager does not provide Host: ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager (Show other bugs)
7.4
All Unspecified
medium Severity medium
: rc
: ---
Assigned To: Jiri Hnidek
Red Hat subscription-manager QE Team
Filip Hanzelka
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-27 17:18 EDT by Patrick Toal
Modified: 2018-04-10 05:52 EDT (History)
8 users (show)

See Also:
Fixed In Version: subscription-manager-1.20.8-1
Doc Type: Release Note
Doc Text:
*subscription-manager* now works with proxies that expect the "Host" header Previously, the *subscription-manager* utility was not compatible with proxies that expect the "Host" header because it did not include the "Host" header when connecting. With this update, *subscription-manager* includes the "Host" header when connecting and is compatible with these proxies.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 05:52:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Github candlepin/subscription-manager/pull/1735 None None None 2017-11-27 04:41 EST
Red Hat Product Errata RHBA-2018:0681 None None None 2018-04-10 05:52 EDT

  None (edit)
Description Patrick Toal 2017-10-27 17:18:20 EDT
Description of problem:
When configuring subscription-manager to connect through a proxy, the call to the httplib does not provide a 'Host:' header.  This causes some proxy servers to reject the tunnel connection request with the following error: 
Error during registration: Tunnel connection failed: 400

Version-Release number of selected component (if applicable):


How reproducible: Requires an http proxy that relies on Host: header.


Steps to Reproduce:
1. Configure http proxy host and port in rhsm.conf to point to a proxy that requires a Host: header in the HTTP CONNECT request.
2. execute subscription-manager to connect to redhat.com


Actual results:
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 400
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:178 - Tunnel connection failed: 400
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
 File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))

Expected results:
No error, and successful request.

Additional info:

The following patch results in correct functionality in the customer environment.  There may be other functions in the library that also require the addition of the Host header.



[root@ptoal-rhel7 rhsm]# diff -c /usr/lib64/python2.7/site-packages/rhsm/connection.py /tmp/connection.py 

*** /usr/lib64/python2.7/site-packages/rhsm/connection.py	2017-06-07 15:58:38.000000000 -0400
--- /tmp/connection.py	2017-10-27 13:54:55.062915973 -0400
***************
*** 499,505 ****
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
--- 499,505 ----
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent, 'Host' : '%s:%s' % (self.host, safe_int(self.ssl_port)}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
Comment 5 Shwetha Kallesh 2018-01-12 02:26:28 EST
Reproducer:


[root@bkr-hv01-guest01 ~]# subscription-manager  version
server type: This system is currently not registered.
subscription management server: Unknown
subscription management rules: Unknown
subscription-manager: 1.19.21-1.el7
python-rhsm: 1.19.9-1.el7

[root@bkr-hv01-guest01 ~]# subscription-manager  register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.



2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:518 - X-Correlation-ID: 15b03fe1adf84b8398aab3ae7173c3dd
2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,712 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:02,713 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:07,620 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:25:07,667 [INFO] subscription-manager:1521:MainThread @dmiinfo.py:73 - Using dmidecode dump file: /dev/mem
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 409 Conflict
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:178 - Tunnel connection failed: 409 Conflict
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))
error: Tunnel connection failed: 409 Conflict
Comment 6 Shwetha Kallesh 2018-01-12 02:28:04 EST
Verification:

[root@dell-per630-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.0-1
subscription management rules: 5.26
subscription-manager: 1.20.9-1.el7



[root@dell-per630-01 ~]# subscription-manager register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Organization: admin
The system has been registered with ID: 0db8802e-877f-4c24-93e6-696351397886
The registered system name is: dell-per630-01.khw.lab.eng.bos.redhat.com


2018-01-12 02:21:19,394 [ERROR] subscription-manager:41976:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:452 - X-Correlation-ID: 39c31a96e3cc4639a8bda0f0746f8a69
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,412 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:19,413 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,505 [ERROR] subscription-manager:41981:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:452 - X-Correlation-ID: a4162d0d1d314af1ab3cc2b39f14e123
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,522 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,523 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:32,267 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:21:35,066 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=6842a86b-659f-4876-ae75-b7c4cb4d609a, request="GET /candlepin/users/admin/owners"
2018-01-12 02:21:39,798 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=e9ea3420-a9aa-4888-8872-8eab8347aa67, request="GET /candlepin/"
2018-01-12 02:21:39,832 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:47,166 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=a293b927-28be-49ed-97ad-134e96f178a9, request="POST /candlepin/consumers?owner=admin"
2018-01-12 02:21:47,168 [INFO] subscription-manager:41981:MainThread @managerlib.py:71 - Consumer created: dell-per630-01.khw.lab.eng.bos.redhat.com (0db8802e-877f-4c24-93e6-696351397886)
2018-01-12 02:21:47,169 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:50,042 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=418e1ce7-516f-4c12-b258-a86ffd73681b, request="GET /candlepin/"
2018-01-12 02:21:51,917 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=801dfc2c-3e29-4abb-b356-c7b733b40875, request="GET /candlepin/status"
2018-01-12 02:21:51,918 [INFO] subscription-manager:41981:MainThread @managercli.py:352 - Server Versions: {'rules-version': u'5.26', 'candlepin': u'2.3.0-1', 'server-type': u'Red Hat Subscription Management'}
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=2fbe689d-bc59-4dce-a8a5-d6add9172bb9, request="GET /candlepin/"
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @cache.py:410 - Server does not support packages, skipping profile upload.
2018-01-12 02:21:53,809 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:56,756 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=ccb20f39-91b9-496a-a517-842acd518b11, request="GET /candlepin/status"
2018-01-12 02:21:56,757 [INFO] subscription-manager:41981:MainThread @managercli.py:1175 - System registered, updating entitlements if needed
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=29bba2f9-8c06-44c7-8481-b95b06b3d2c6, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/certificates/serials"
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2018-01-12 02:22:00,637 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=556e9c5b-f2b9-4fcb-bb5d-9badb6dda584, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:00,638 [INFO] subscription-manager:41981:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
2018-01-12 02:22:00,676 [INFO] rhsmd:41963:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:22:02,591 [INFO] rhsmd:41963:MainThread @connection.py:586 - Response: status=200, requestUuid=e06b8c93-8951-4d13-8551-d7e30dc30c6e, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:02,592 [INFO] rhsmd:41963:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
Comment 9 Patrick Toal 2018-03-19 10:56:29 EDT
Confirmed that it is Blue Coat ProxySG, but was unable to get config from customer.
Comment 11 errata-xmlrpc 2018-04-10 05:52:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681

Note You need to log in before you can comment on or make changes to this bug.