Red Hat Content Delivery Network (CDN) & Entitlement Network Modernization
Table of Contents
Summary
On January 14th, 2026 Red Hat will be making a number of changes to our CDN (cdn.redhat.com) and entitlement network (subscription.rhsm.redhat.com). If you maintain systems running Red Hat Enterprise Linux 7.3 or earlier or you configure your firewall to allowlist particular IP addresses to connect to Red Hat networks you will be required to make configuration changes before January 14th to avoid losing access to content.
Why are these changes happening?
While our current network configuration has received iterative updates over the years we’ve been running a relatively consistent environment for the past 10+ years. Continuing to strengthen the security of our network is important, but some older clients may not support those new features and could end up in a broken state unable to pull content. We take consideration to balance the improvement to the network and the number of customers affected based on usage analytics and the time has come to make some important changes. This doesn’t mean we’re leaving our older generation systems behind, but they may require some manual changes to continue functioning as before. Check the “What do I need to do?” section for more information on what could be required.
What is changing?
New CIDR lists - For customers that need to allowlist specific IPs in their firewall systems to talk with Red Hat services, we’re publishing a new set of IP addresses. Because of the modernization changes we’re making, this new list is smaller than previously and includes both IPv4 and IPv6 addresses, but clients will be required to support TLS Server Name Indication (SNI). The old CIDR list will remain to support the legacy deployment of the CDN and the Entitlement legacy deployment will share the same CIDR list as the Red Hat Insights platform. For a full list of IP addresses please review the CIDR list kbase article.
IPv6 - cdn.redhat.com and subscription.rhsm.redhat.com will begin announcing DNS for IPv6 as well as for the traditional IPv4. While we’ve supported IPv6 on our CDN in the past it required manually changing your system setups to point to cdn6.redhat.com. The cdn6.redhat.com network will remain as is, and systems can continue to use it. However, after these changes have been made we recommend reconfiguring them to use cdn.redhat.com.
Elliptic Curve (EC) certificates - When a client connects it will begin negotiations using a new Elliptic Curve certificate. This certificate type increases the strength of the encryption between the client and our network. If the client does not support Elliptic Curve certificates it will fall-back to the traditional RSA certificate. The legacy deployment will only serve RSA certificates.
TLS version compatibility - Our network will only support TLSv1.2 and higher. This will help prevent a number of security weaknesses in the earlier versions of the protocol.
Ciphers - Our supported cipher list will be updated to remove a few weak ciphers.
What do I need to do?
The majority of customers will not need to make any changes. If you manage systems that are running Red Hat Enterprise Linux 7.4 or later, 8.x, 9.x, and 10.x, your systems will begin pulling content using the enhanced security settings automatically without interruption.
If you allowlist specific IPs for your systems to reach external content you will need to update your firewalls to include the new CIDR list as described in the CIDR list kbase article.
If you manage systems that are running Red Hat Enterprise Linux 5, 6, or 7.x before 7.4 that connects directly to the Red Hat network (i.e. subscription.rhsm.redhat.com and cdn.redhat.com) you WILL need to reconfigure some of the RHSM settings to allow the system to pull from our legacy deployment.
For RHEL 7 users running versions before 7.4, upgrading to the latest RHEL7 version will allow you to use the new CDN/Entitlement network without the need to use the legacy deployment.
To reconfigure your system you can manually edit the configuration at /etc/rhsm/rhsm.conf to use the new hostnames like so:
[server]
hostname = subscription-legacy.rhsm.redhat.com
[rhsm]
baseurl = https://cdn-legacy.redhat.com
Alternatively, you can accomplish the same task using subscription-manager like so:
$ sudo subscription-manager config \
--server.hostname=subscription-legacy.rhsm.redhat.com \
--rhsm.baseurl=https://cdn-legacy.redhat.com
Impacted systems and environments that do not make these changes before the January 14th, 2026 cutover will lose access to the Red Hat CDN and not be able to receive updates.
Impacts to Satellite & Red Hat Update Infrastructure (RHUI)
Red Hat Satellite & Red Hat Update Infrastructure (RHUI) are unaffected by this change unless you have explicitly allow-listed IP addresses for the Red Hat CDN. If so, you will need to update your firewalls before the January 14th, 2026 cutover to include the new CIDR list as described in the CIDR list kbase article.
Impacts to customers running Red Hat’s Long Life Offering for RHEL6
Customers who are running RHEL 6 systems covered by the “Red Hat Enterprise Linux (Version 6) Extended Life Cycle Support Extension” family of subscriptions are directly affected by this change. Users who have these subscriptions AND have systems registered to Red Hat MUST reconfigure their systems, as described in the What do I need to do? Section.
Comments