Hide Forgot
Description of problem: When configuring subscription-manager to connect through a proxy, the call to the httplib does not provide a 'Host:' header. This causes some proxy servers to reject the tunnel connection request with the following error: Error during registration: Tunnel connection failed: 400 Version-Release number of selected component (if applicable): How reproducible: Requires an http proxy that relies on Host: header. Steps to Reproduce: 1. Configure http proxy host and port in rhsm.conf to point to a proxy that requires a Host: header in the HTTP CONNECT request. 2. execute subscription-manager to connect to redhat.com Actual results: 2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 400 2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:178 - Tunnel connection failed: 400 Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command owner_key = self._determine_owner_key(admin_cp) File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key owners = cp.getOwnerList(self.username) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList return self.conn.request_get(method) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get return self._request("GET", method, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request info=info, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request conn.request(request_type, handler, body=body, headers=final_headers) File "/usr/lib64/python2.7/httplib.py", line 1017, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 826, in send self.connect() File "/usr/lib64/python2.7/httplib.py", line 1227, in connect HTTPConnection.connect(self) File "/usr/lib64/python2.7/httplib.py", line 810, in connect self._tunnel() File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel message.strip())) Expected results: No error, and successful request. Additional info: The following patch results in correct functionality in the customer environment. There may be other functions in the library that also require the addition of the Host header. [root@ptoal-rhel7 rhsm]# diff -c /usr/lib64/python2.7/site-packages/rhsm/connection.py /tmp/connection.py *** /usr/lib64/python2.7/site-packages/rhsm/connection.py 2017-06-07 15:58:38.000000000 -0400 --- /tmp/connection.py 2017-10-27 13:54:55.062915973 -0400 *************** *** 499,505 **** if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) ! proxy_headers = {'User-Agent': self.user_agent} if self.proxy_user and self.proxy_password: proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password) conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout) --- 499,505 ---- if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) ! proxy_headers = {'User-Agent': self.user_agent, 'Host' : '%s:%s' % (self.host, safe_int(self.ssl_port)} if self.proxy_user and self.proxy_password: proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password) conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
Reproducer: [root@bkr-hv01-guest01 ~]# subscription-manager version server type: This system is currently not registered. subscription management server: Unknown subscription management rules: Unknown subscription-manager: 1.19.21-1.el7 python-rhsm: 1.19.9-1.el7 [root@bkr-hv01-guest01 ~]# subscription-manager register --force Registering to: 10.76.99.37:8443/candlepin Username: admin Password: Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information. 2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:518 - X-Correlation-ID: 15b03fe1adf84b8398aab3ae7173c3dd 2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'} 2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False 2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none 2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'} 2018-01-12 02:25:02,712 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None 2018-01-12 02:25:02,713 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None 2018-01-12 02:25:07,620 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin 2018-01-12 02:25:07,667 [INFO] subscription-manager:1521:MainThread @dmiinfo.py:73 - Using dmidecode dump file: /dev/mem 2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 409 Conflict 2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:178 - Tunnel connection failed: 409 Conflict Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command owner_key = self._determine_owner_key(admin_cp) File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key owners = cp.getOwnerList(self.username) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList return self.conn.request_get(method) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get return self._request("GET", method, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request info=info, headers=headers) File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request conn.request(request_type, handler, body=body, headers=final_headers) File "/usr/lib64/python2.7/httplib.py", line 1017, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 826, in send self.connect() File "/usr/lib64/python2.7/httplib.py", line 1227, in connect HTTPConnection.connect(self) File "/usr/lib64/python2.7/httplib.py", line 810, in connect self._tunnel() File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel message.strip())) error: Tunnel connection failed: 409 Conflict
Verification: [root@dell-per630-01 ~]# subscription-manager version server type: Red Hat Subscription Management subscription management server: 2.3.0-1 subscription management rules: 5.26 subscription-manager: 1.20.9-1.el7 [root@dell-per630-01 ~]# subscription-manager register --force Registering to: 10.76.99.37:8443/candlepin Username: admin Password: Organization: admin The system has been registered with ID: 0db8802e-877f-4c24-93e6-696351397886 The registered system name is: dell-per630-01.khw.lab.eng.bos.redhat.com 2018-01-12 02:21:19,394 [ERROR] subscription-manager:41976:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem' 2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:452 - X-Correlation-ID: 39c31a96e3cc4639a8bda0f0746f8a69 2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'} 2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False 2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none 2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'} 2018-01-12 02:21:19,412 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None 2018-01-12 02:21:19,413 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None 2018-01-12 02:21:28,505 [ERROR] subscription-manager:41981:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem' 2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:452 - X-Correlation-ID: a4162d0d1d314af1ab3cc2b39f14e123 2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'} 2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False 2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none 2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'} 2018-01-12 02:21:28,522 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None 2018-01-12 02:21:28,523 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None 2018-01-12 02:21:32,267 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin 2018-01-12 02:21:35,066 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=6842a86b-659f-4876-ae75-b7c4cb4d609a, request="GET /candlepin/users/admin/owners" 2018-01-12 02:21:39,798 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=e9ea3420-a9aa-4888-8872-8eab8347aa67, request="GET /candlepin/" 2018-01-12 02:21:39,832 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem 2018-01-12 02:21:47,166 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=a293b927-28be-49ed-97ad-134e96f178a9, request="POST /candlepin/consumers?owner=admin" 2018-01-12 02:21:47,168 [INFO] subscription-manager:41981:MainThread @managerlib.py:71 - Consumer created: dell-per630-01.khw.lab.eng.bos.redhat.com (0db8802e-877f-4c24-93e6-696351397886) 2018-01-12 02:21:47,169 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False 2018-01-12 02:21:50,042 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=418e1ce7-516f-4c12-b258-a86ffd73681b, request="GET /candlepin/" 2018-01-12 02:21:51,917 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=801dfc2c-3e29-4abb-b356-c7b733b40875, request="GET /candlepin/status" 2018-01-12 02:21:51,918 [INFO] subscription-manager:41981:MainThread @managercli.py:352 - Server Versions: {'rules-version': u'5.26', 'candlepin': u'2.3.0-1', 'server-type': u'Red Hat Subscription Management'} 2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=2fbe689d-bc59-4dce-a8a5-d6add9172bb9, request="GET /candlepin/" 2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @cache.py:410 - Server does not support packages, skipping profile upload. 2018-01-12 02:21:53,809 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem 2018-01-12 02:21:56,756 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=ccb20f39-91b9-496a-a517-842acd518b11, request="GET /candlepin/status" 2018-01-12 02:21:56,757 [INFO] subscription-manager:41981:MainThread @managercli.py:1175 - System registered, updating entitlements if needed 2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=29bba2f9-8c06-44c7-8481-b95b06b3d2c6, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/certificates/serials" 2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @entcertlib.py:131 - certs updated: Total updates: 0 Found (local) serial# [] Expected (UEP) serial# [] Added (new) <NONE> Deleted (rogue): <NONE> 2018-01-12 02:22:00,637 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=556e9c5b-f2b9-4fcb-bb5d-9badb6dda584, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance" 2018-01-12 02:22:00,638 [INFO] subscription-manager:41981:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None 2018-01-12 02:22:00,676 [INFO] rhsmd:41963:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False 2018-01-12 02:22:02,591 [INFO] rhsmd:41963:MainThread @connection.py:586 - Response: status=200, requestUuid=e06b8c93-8951-4d13-8551-d7e30dc30c6e, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance" 2018-01-12 02:22:02,592 [INFO] rhsmd:41963:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
Confirmed that it is Blue Coat ProxySG, but was unable to get config from customer.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0681