Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1507158

Summary: When connecting through a proxy, subscription-manager does not provide Host: in http CONNECT header
Product: Red Hat Enterprise Linux 7 Reporter: Patrick Toal <ptoal>
Component: subscription-managerAssignee: Jiri Hnidek <jhnidek>
Status: CLOSED ERRATA QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium Docs Contact: Filip Hanzelka <fhanzelk>
Priority: medium    
Version: 7.4CC: asakpal, csnyder, jhnidek, jsefler, khowell, ptoal, rjerrido, skallesh
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.20.8-1 Doc Type: Release Note
Doc Text:
*subscription-manager* now works with proxies that expect the "Host" header Previously, the *subscription-manager* utility was not compatible with proxies that expect the "Host" header because it did not include the "Host" header when connecting. With this update, *subscription-manager* includes the "Host" header when connecting and is compatible with these proxies.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 09:52:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrick Toal 2017-10-27 21:18:20 UTC 
Description of problem:
When configuring subscription-manager to connect through a proxy, the call to the httplib does not provide a 'Host:' header.  This causes some proxy servers to reject the tunnel connection request with the following error: 
Error during registration: Tunnel connection failed: 400

Version-Release number of selected component (if applicable):


How reproducible: Requires an http proxy that relies on Host: header.


Steps to Reproduce:
1. Configure http proxy host and port in rhsm.conf to point to a proxy that requires a Host: header in the HTTP CONNECT request.
2. execute subscription-manager to connect to redhat.com


Actual results:
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 400
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:178 - Tunnel connection failed: 400
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
 File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))

Expected results:
No error, and successful request.

Additional info:

The following patch results in correct functionality in the customer environment.  There may be other functions in the library that also require the addition of the Host header.



[root@ptoal-rhel7 rhsm]# diff -c /usr/lib64/python2.7/site-packages/rhsm/connection.py /tmp/connection.py 

*** /usr/lib64/python2.7/site-packages/rhsm/connection.py	2017-06-07 15:58:38.000000000 -0400
--- /tmp/connection.py	2017-10-27 13:54:55.062915973 -0400
***************
*** 499,505 ****
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
--- 499,505 ----
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent, 'Host' : '%s:%s' % (self.host, safe_int(self.ssl_port)}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
Comment 5 Shwetha Kallesh 2018-01-12 07:26:28 UTC 
Reproducer:


[root@bkr-hv01-guest01 ~]# subscription-manager  version
server type: This system is currently not registered.
subscription management server: Unknown
subscription management rules: Unknown
subscription-manager: 1.19.21-1.el7
python-rhsm: 1.19.9-1.el7

[root@bkr-hv01-guest01 ~]# subscription-manager  register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.



2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:518 - X-Correlation-ID: 15b03fe1adf84b8398aab3ae7173c3dd
2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,712 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:02,713 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:07,620 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:25:07,667 [INFO] subscription-manager:1521:MainThread @dmiinfo.py:73 - Using dmidecode dump file: /dev/mem
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 409 Conflict
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:178 - Tunnel connection failed: 409 Conflict
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))
error: Tunnel connection failed: 409 Conflict
Comment 6 Shwetha Kallesh 2018-01-12 07:28:04 UTC 
Verification:

[root@dell-per630-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.0-1
subscription management rules: 5.26
subscription-manager: 1.20.9-1.el7



[root@dell-per630-01 ~]# subscription-manager register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Organization: admin
The system has been registered with ID: 0db8802e-877f-4c24-93e6-696351397886
The registered system name is: dell-per630-01.khw.lab.eng.bos.redhat.com


2018-01-12 02:21:19,394 [ERROR] subscription-manager:41976:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:452 - X-Correlation-ID: 39c31a96e3cc4639a8bda0f0746f8a69
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,412 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:19,413 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,505 [ERROR] subscription-manager:41981:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:452 - X-Correlation-ID: a4162d0d1d314af1ab3cc2b39f14e123
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,522 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,523 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:32,267 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:21:35,066 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=6842a86b-659f-4876-ae75-b7c4cb4d609a, request="GET /candlepin/users/admin/owners"
2018-01-12 02:21:39,798 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=e9ea3420-a9aa-4888-8872-8eab8347aa67, request="GET /candlepin/"
2018-01-12 02:21:39,832 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:47,166 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=a293b927-28be-49ed-97ad-134e96f178a9, request="POST /candlepin/consumers?owner=admin"
2018-01-12 02:21:47,168 [INFO] subscription-manager:41981:MainThread @managerlib.py:71 - Consumer created: dell-per630-01.khw.lab.eng.bos.redhat.com (0db8802e-877f-4c24-93e6-696351397886)
2018-01-12 02:21:47,169 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:50,042 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=418e1ce7-516f-4c12-b258-a86ffd73681b, request="GET /candlepin/"
2018-01-12 02:21:51,917 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=801dfc2c-3e29-4abb-b356-c7b733b40875, request="GET /candlepin/status"
2018-01-12 02:21:51,918 [INFO] subscription-manager:41981:MainThread @managercli.py:352 - Server Versions: {'rules-version': u'5.26', 'candlepin': u'2.3.0-1', 'server-type': u'Red Hat Subscription Management'}
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=2fbe689d-bc59-4dce-a8a5-d6add9172bb9, request="GET /candlepin/"
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @cache.py:410 - Server does not support packages, skipping profile upload.
2018-01-12 02:21:53,809 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:56,756 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=ccb20f39-91b9-496a-a517-842acd518b11, request="GET /candlepin/status"
2018-01-12 02:21:56,757 [INFO] subscription-manager:41981:MainThread @managercli.py:1175 - System registered, updating entitlements if needed
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=29bba2f9-8c06-44c7-8481-b95b06b3d2c6, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/certificates/serials"
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2018-01-12 02:22:00,637 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=556e9c5b-f2b9-4fcb-bb5d-9badb6dda584, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:00,638 [INFO] subscription-manager:41981:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
2018-01-12 02:22:00,676 [INFO] rhsmd:41963:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:22:02,591 [INFO] rhsmd:41963:MainThread @connection.py:586 - Response: status=200, requestUuid=e06b8c93-8951-4d13-8551-d7e30dc30c6e, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:02,592 [INFO] rhsmd:41963:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
Comment 9 Patrick Toal 2018-03-19 14:56:29 UTC 
Confirmed that it is Blue Coat ProxySG, but was unable to get config from customer.
Comment 11 errata-xmlrpc 2018-04-10 09:52:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681