Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1507158 - When connecting through a proxy, subscription-manager does not provide Host: in http CONNECT header
When connecting through a proxy, subscription-manager does not provide Host: ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager (Show other bugs)
7.4
All Unspecified
medium Severity medium
: rc
: ---
Assigned To: Jiri Hnidek
Red Hat subscription-manager QE Team
Filip Hanzelka
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-27 17:18 EDT by Patrick Toal
Modified: 2018-04-10 05:52 EDT (History)
8 users (show)

See Also:
Fixed In Version: subscription-manager-1.20.8-1
Doc Type: Release Note
Doc Text:
*subscription-manager* now works with proxies that expect the "Host" header Previously, the *subscription-manager* utility was not compatible with proxies that expect the "Host" header because it did not include the "Host" header when connecting. With this update, *subscription-manager* includes the "Host" header when connecting and is compatible with these proxies.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 05:52:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Github candlepin/subscription-manager/pull/1735 None None None 2017-11-27 04:41 EST
Red Hat Product Errata RHBA-2018:0681 None None None 2018-04-10 05:52 EDT

  None (edit)
Description Patrick Toal 2017-10-27 17:18:20 EDT 
Description of problem:
When configuring subscription-manager to connect through a proxy, the call to the httplib does not provide a 'Host:' header.  This causes some proxy servers to reject the tunnel connection request with the following error: 
Error during registration: Tunnel connection failed: 400

Version-Release number of selected component (if applicable):


How reproducible: Requires an http proxy that relies on Host: header.


Steps to Reproduce:
1. Configure http proxy host and port in rhsm.conf to point to a proxy that requires a Host: header in the HTTP CONNECT request.
2. execute subscription-manager to connect to redhat.com


Actual results:
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 400
2017-10-20 11:59:11,237 [ERROR] subscription-manager:15522:MainThread @managercli.py:178 - Tunnel connection failed: 400
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
 File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))

Expected results:
No error, and successful request.

Additional info:

The following patch results in correct functionality in the customer environment.  There may be other functions in the library that also require the addition of the Host header.



[root@ptoal-rhel7 rhsm]# diff -c /usr/lib64/python2.7/site-packages/rhsm/connection.py /tmp/connection.py 

*** /usr/lib64/python2.7/site-packages/rhsm/connection.py	2017-06-07 15:58:38.000000000 -0400
--- /tmp/connection.py	2017-10-27 13:54:55.062915973 -0400
***************
*** 499,505 ****
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
--- 499,505 ----
  
          if self.proxy_hostname and self.proxy_port:
              log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port))
!             proxy_headers = {'User-Agent': self.user_agent, 'Host' : '%s:%s' % (self.host, safe_int(self.ssl_port)}
              if self.proxy_user and self.proxy_password:
                  proxy_headers['Proxy-Authorization'] = _encode_auth(self.proxy_user, self.proxy_password)
              conn = httplib.HTTPSConnection(self.proxy_hostname, self.proxy_port, context=context, timeout=self.timeout)
Comment 5 Shwetha Kallesh 2018-01-12 02:26:28 EST 
Reproducer:


[root@bkr-hv01-guest01 ~]# subscription-manager  version
server type: This system is currently not registered.
subscription management server: Unknown
subscription management rules: Unknown
subscription-manager: 1.19.21-1.el7
python-rhsm: 1.19.9-1.el7

[root@bkr-hv01-guest01 ~]# subscription-manager  register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.



2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:518 - X-Correlation-ID: 15b03fe1adf84b8398aab3ae7173c3dd
2018-01-12 02:25:02,698 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:25:02,699 [INFO] subscription-manager:1521:MainThread @managercli.py:407 - Client Versions: {'python-rhsm': '1.19.9-1.el7', 'subscription-manager': '1.19.21-1.el7'}
2018-01-12 02:25:02,712 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:02,713 [INFO] subscription-manager:1521:MainThread @managercli.py:382 - Consumer Identity name=None uuid=None
2018-01-12 02:25:07,620 [INFO] subscription-manager:1521:MainThread @connection.py:822 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:25:07,667 [INFO] subscription-manager:1521:MainThread @dmiinfo.py:73 - Using dmidecode dump file: /dev/mem
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:177 - Error during registration: Tunnel connection failed: 409 Conflict
2018-01-12 02:25:09,042 [ERROR] subscription-manager:1521:MainThread @managercli.py:178 - Tunnel connection failed: 409 Conflict
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1184, in _do_command
    owner_key = self._determine_owner_key(admin_cp)
  File "/usr/lib/python2.7/site-packages/subscription_manager/managercli.py", line 1336, in _determine_owner_key
    owners = cp.getOwnerList(self.username)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1118, in getOwnerList
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 646, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 672, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 528, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 810, in connect
    self._tunnel()
  File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
    message.strip()))
error: Tunnel connection failed: 409 Conflict
Comment 6 Shwetha Kallesh 2018-01-12 02:28:04 EST 
Verification:

[root@dell-per630-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.0-1
subscription management rules: 5.26
subscription-manager: 1.20.9-1.el7



[root@dell-per630-01 ~]# subscription-manager register --force
Registering to: 10.76.99.37:8443/candlepin
Username: admin
Password: 
Organization: admin
The system has been registered with ID: 0db8802e-877f-4c24-93e6-696351397886
The registered system name is: dell-per630-01.khw.lab.eng.bos.redhat.com


2018-01-12 02:21:19,394 [ERROR] subscription-manager:41976:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:452 - X-Correlation-ID: 39c31a96e3cc4639a8bda0f0746f8a69
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,401 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:19,402 [INFO] subscription-manager:41976:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:19,412 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:19,413 [INFO] subscription-manager:41976:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,505 [ERROR] subscription-manager:41981:MainThread @identity.py:145 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 2] No such file or directory: '/etc/pki/consumer/key.pem'
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:452 - X-Correlation-ID: a4162d0d1d314af1ab3cc2b39f14e123
2018-01-12 02:21:28,511 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=none
2018-01-12 02:21:28,512 [INFO] subscription-manager:41981:MainThread @managercli.py:341 - Client Versions: {'subscription-manager': '1.20.9-1.el7'}
2018-01-12 02:21:28,522 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:28,523 [INFO] subscription-manager:41981:MainThread @managercli.py:317 - Consumer Identity name=None uuid=None
2018-01-12 02:21:32,267 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=basic username=admin
2018-01-12 02:21:35,066 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=6842a86b-659f-4876-ae75-b7c4cb4d609a, request="GET /candlepin/users/admin/owners"
2018-01-12 02:21:39,798 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=e9ea3420-a9aa-4888-8872-8eab8347aa67, request="GET /candlepin/"
2018-01-12 02:21:39,832 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:47,166 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=a293b927-28be-49ed-97ad-134e96f178a9, request="POST /candlepin/consumers?owner=admin"
2018-01-12 02:21:47,168 [INFO] subscription-manager:41981:MainThread @managerlib.py:71 - Consumer created: dell-per630-01.khw.lab.eng.bos.redhat.com (0db8802e-877f-4c24-93e6-696351397886)
2018-01-12 02:21:47,169 [INFO] subscription-manager:41981:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:21:50,042 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=418e1ce7-516f-4c12-b258-a86ffd73681b, request="GET /candlepin/"
2018-01-12 02:21:51,917 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=801dfc2c-3e29-4abb-b356-c7b733b40875, request="GET /candlepin/status"
2018-01-12 02:21:51,918 [INFO] subscription-manager:41981:MainThread @managercli.py:352 - Server Versions: {'rules-version': u'5.26', 'candlepin': u'2.3.0-1', 'server-type': u'Red Hat Subscription Management'}
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=2fbe689d-bc59-4dce-a8a5-d6add9172bb9, request="GET /candlepin/"
2018-01-12 02:21:53,789 [INFO] subscription-manager:41981:MainThread @cache.py:410 - Server does not support packages, skipping profile upload.
2018-01-12 02:21:53,809 [INFO] subscription-manager:41981:MainThread @dmiinfo.py:75 - Using dmidecode dump file: /dev/mem
2018-01-12 02:21:56,756 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=ccb20f39-91b9-496a-a517-842acd518b11, request="GET /candlepin/status"
2018-01-12 02:21:56,757 [INFO] subscription-manager:41981:MainThread @managercli.py:1175 - System registered, updating entitlements if needed
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=29bba2f9-8c06-44c7-8481-b95b06b3d2c6, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/certificates/serials"
2018-01-12 02:21:58,698 [INFO] subscription-manager:41981:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2018-01-12 02:22:00,637 [INFO] subscription-manager:41981:MainThread @connection.py:586 - Response: status=200, requestUuid=556e9c5b-f2b9-4fcb-bb5d-9badb6dda584, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:00,638 [INFO] subscription-manager:41981:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
2018-01-12 02:22:00,676 [INFO] rhsmd:41963:MainThread @connection.py:868 - Connection built: http_proxy=squid-proxy.usersys.redhat.com:3128 host=10.76.99.37 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-01-12 02:22:02,591 [INFO] rhsmd:41963:MainThread @connection.py:586 - Response: status=200, requestUuid=e06b8c93-8951-4d13-8551-d7e30dc30c6e, request="GET /candlepin/consumers/0db8802e-877f-4c24-93e6-696351397886/compliance"
2018-01-12 02:22:02,592 [INFO] rhsmd:41963:MainThread @cert_sorter.py:205 - Product status: valid_products= partial_products= expired_products= unentitled_producs=69 future_products= valid_until=None
Comment 9 Patrick Toal 2018-03-19 10:56:29 EDT 
Confirmed that it is Blue Coat ProxySG, but was unable to get config from customer.
Comment 11 errata-xmlrpc 2018-04-10 05:52:05 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.