661876 – subscription-manager: cannot connect through a proxy that requires auth

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 661876 - subscription-manager: cannot connect through a proxy that requires auth

Summary: subscription-manager: cannot connect through a proxy that requires auth

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Adrian Likins
QA Contact:	J.C. Molet
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Entitlement-Beta
TreeView+	depends on / blocked

Reported:	2010-12-09 20:52 UTC by J.C. Molet
Modified:	2011-05-19 13:38 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-19 13:38:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2011:0611	0	normal	SHIPPED_LIVE	new package: subscription-manager	2011-05-18 17:56:21 UTC

Description J.C. Molet 2010-12-09 20:52:30 UTC

Description of problem:

Using the subscription-manager cli tool, you cannot connect to the candlepin server if you are configured to connect through a proxy that requires authentication.

Version-Release number of selected component (if applicable):

[jmolet@x2112 ~]$ rpm -qa | egrep "subscription|^python-2|python-rhsm"
python-2.6.4-27.fc13.x86_64
python-rhsm-0.93.3-1.git.0.a79d99d.fc14.noarch
subscription-manager-gnome-0.93.3-1.git.0.a79d99d.fc14.x86_64
subscription-manager-0.93.3-1.git.0.a79d99d.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. Find a machine with subscription-manager installed.
2. Configure subscription manager to connect through a proxy that requires auth.
3. try to register with subscription-manager (or do any network actions)
  
Actual results:

[root@x2112 rhsm]# subscription-manager register --username=testuser1 --password=password
Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.

log file /var/log/rhsm/rhsm.log:

2010-12-09 14:51:21,567 [INFO] __init__() @connection.py:274 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2010-12-09 14:51:21,567 [INFO] __init__() @connection.py:277 - Connection Established: host: mgmt4.rhq.lab.eng.bos.redhat.com, port: 8443, handler: /candlepin
2010-12-09 14:51:21,570 [INFO] _request() @connection.py:130 - loading ca pem certificates from: /etc/rhsm/ca/
2010-12-09 14:51:21,570 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/candlepin-stage.pem'
2010-12-09 14:51:21,570 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/fakamai-cp1.pem'
2010-12-09 14:51:21,571 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/redhat-uep.pem'
2010-12-09 14:51:21,571 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/candlepin-ca.pem'
2010-12-09 14:51:21,572 [INFO] _request() @connection.py:132 - work in insecure mode ?:False
2010-12-09 14:51:21,572 [INFO] _request() @connection.py:139 - using proxy mgmt5.rhq.lab.eng.bos.redhat.com:3128
2010-12-09 14:51:21,572 [INFO] _request() @connection.py:146 - handler: https://mgmt4.rhq.lab.eng.bos.redhat.com:8443/candlepin/consumers/7a7d2eb9-334c-462e-9dba-3eb5aebc5245
2010-12-09 14:51:22,400 [INFO] _request() @connection.py:160 - status code: 204
2010-12-09 14:51:22,401 [INFO] unregister() @managerlib.py:574 - Successfully un-registered.
2010-12-09 14:51:26,977 [INFO] __init__() @connection.py:274 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2010-12-09 14:51:26,977 [INFO] __init__() @connection.py:277 - Connection Established: host: mgmt4.rhq.lab.eng.bos.redhat.com, port: 8443, handler: /candlepin
2010-12-09 14:51:26,978 [INFO] __init__() @connection.py:263 - Using basic authentication as: testuser1
2010-12-09 14:51:26,978 [INFO] __init__() @connection.py:277 - Connection Established: host: mgmt4.rhq.lab.eng.bos.redhat.com, port: 8443, handler: /candlepin
2010-12-09 14:51:27,088 [INFO] _request() @connection.py:130 - loading ca pem certificates from: /etc/rhsm/ca/
2010-12-09 14:51:27,088 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/candlepin-stage.pem'
2010-12-09 14:51:27,089 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/fakamai-cp1.pem'
2010-12-09 14:51:27,089 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/redhat-uep.pem'
2010-12-09 14:51:27,090 [INFO] _load_ca_certificates() @connection.py:111 - loading ca certificate '/etc/rhsm/ca/candlepin-ca.pem'
2010-12-09 14:51:27,090 [INFO] _request() @connection.py:132 - work in insecure mode ?:False
2010-12-09 14:51:27,090 [INFO] _request() @connection.py:139 - using proxy mgmt5.rhq.lab.eng.bos.redhat.com:3128
2010-12-09 14:51:27,091 [INFO] _request() @connection.py:146 - handler: https://mgmt4.rhq.lab.eng.bos.redhat.com:8443/candlepin/consumers/
2010-12-09 14:51:27,323 [ERROR] handle_exception() @managercli.py:44 - exception caught in subscription-manager
2010-12-09 14:51:27,323 [ERROR] handle_exception() @managercli.py:45 - Proxy connection failed: 407
Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 75, in <module>
    sys.exit(abs(main() or 0))
  File "/usr/sbin/subscription-manager", line 66, in main
    return managercli.CLI().main()
  File "/usr/share/rhsm/managercli.py", line 710, in main
    cmd.main()
  File "/usr/share/rhsm/managercli.py", line 146, in main
    self._do_command()
  File "/usr/share/rhsm/managercli.py", line 326, in _do_command
    facts=self.facts.get_facts())
  File "/usr/share/rhsm/connection.py", line 299, in registerConsumer
    return self.conn.request_post('/consumers/', params)
  File "/usr/share/rhsm/connection.py", line 183, in request_post
    return self._request("POST", method, params)
  File "/usr/share/rhsm/connection.py", line 152, in _request
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 898, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 935, in _send_request
    self.endheaders()
  File "/usr/share/rhsm/connection.py", line 66, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.6/httplib.py", line 892, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 764, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 723, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 180, in connect
    raise socket.error, "Proxy connection failed: %d" % code
error: Proxy connection failed: 407


Expected results:

The client registers and successfully connects through the proxy.

Additional info:

This is starting to look like possibly a python 2.6 problem, and it doesn't look like it is actually passing the username/password for the proxy server to the proxy server.  I will also note, however, that the gui tool seems to successfully register using the same proxy settings.

Comment 1 Adrian Likins 2010-12-13 16:30:38 UTC

commit 8405d250762441819b75cc1a19b6f899d0c03012
Author: Adrian Likins <alikins>
Date:   Fri Dec 10 10:57:57 2010 -0500

    661876: fix a bug with cli not using config file proxy auth info



Looks like cli wasn't reading the auth info from the config on some commands
(like register).

Comment 2 J.C. Molet 2010-12-14 18:41:28 UTC

[root@x2112 rhsm]# rpm -qa | grep subscription
subscription-manager-gnome-0.93.3-1.git.19.7e709b6.fc14.x86_64
subscription-manager-0.93.3-1.git.19.7e709b6.fc14.x86_64

test1: proxying by editing rhsm.conf

[root@x2112 rhsm]# subscription-manager unregister
System has been un-registered.
[root@x2112 rhsm]# cat rhsm.conf | grep proxy
proxy_hostname = mgmt5.rhq.lab.eng.bos.redhat.com
proxy_user = redhat
proxy_password = redhat
proxy_port = 3128
[root@x2112 rhsm]# subscription-manager register --username=testuser1 --password=password
bff7d25d-ce13-44c7-81cb-5c488d15e93f testuser1


test successful.

=======================================

test2: proxying entirely via cli

[root@x2112 rhsm]# cat rhsm.conf | grep proxy
proxy_hostname = None
proxy_user = None
proxy_password = None
proxy_port = None
proxy_hostname = 
proxy_user = 
proxy_password = 
proxy_port = 
[root@x2112 rhsm]# subscription-manager unregister
This system is currently not registered.
[root@x2112 rhsm]# subscription-manager register --username=xeops --password=redhat --proxy=mgmt5.rhq.lab.eng.bos.redhat.com --proxyuser=redhat --proxypass=redhat
up redhat redhat
nl candlepin1.devlab.phx1.redhat.com:443
CONNECT candlepin1.devlab.phx1.redhat.com:443 HTTP/1.1
Host: candlepin1.devlab.phx1.redhat.com:443
Proxy-Authorization: Basic cmVkaGF0OnJlZGhhdA==

bf0ed0b4-927c-45d0-8fd5-62f561ef75d3 xeops
[root@x2112 rhsm]#


==========================

cli proxying works with this commit

Comment 3 errata-xmlrpc 2011-05-19 13:38:09 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0611.html

Note You need to log in before you can comment on or make changes to this bug.