Subscription Management (and DNF) through SSL Inspection


Has anyone managed to get subscription-management or dnf working (on RHEL8) through a firewall doing SSL inspection?

I've installed our root cert, and curl works fine - but following this solution's troubleshooting doesn't, as it specifies a specific CA cert. It goes on to say simply disable SSL inspection - but unfortunately there's some security push-back given the scope of the URLs that it's requesting (*.akamaiedge.net and *.akamaitechnologies.com specifically).

Have tried insecure = 1 in rhsm.conf, no dice.

[root@rheltest ~]# subscription-manager register --username xxx --password yyy --auto-attach;
Registering to: subscription.rhsm.redhat.com:443/subscription
Unable to verify server's identity: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:897)

Appreciate any insight on this.

Thanks.
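Added triage helper, not part of the original post and not Red Hat's tooling: it parses the transcript of `openssl s_client -connect subscription.rhsm.redhat.com:443 -servername subscription.rhsm.redhat.com </dev/null` and separates the three conditions that matter behind an inspecting firewall: an untrusted chain, a leaf certificate re-signed by the inspection CA, and a TLS 1.2 peer that does not advertise RFC 5746 secure renegotiation. The last one is what `UNSAFE_LEGACY_RENEGOTIATION_DISABLED` means: OpenSSL is refusing the handshake with the proxy, not failing certificate validation, so the `insecure = 1` setting (which only disables certificate validation) has nothing to act on. The two transcripts and the `EXPECTED_ISSUER_FRAGMENT` value are constructed placeholders.

```python
"""Triage an `openssl s_client` transcript for the rhsm-behind-SSL-inspection case."""
import re

# Placeholder (assumption): a fragment of the issuer you expect on the genuine
# leaf certificate. Any other issuer means a device in the path terminated TLS
# and re-signed the certificate with its own inspection CA.
EXPECTED_ISSUER_FRAGMENT = "Red Hat"

# Constructed sample: what s_client typically shows through an inspecting
# proxy whose root is already installed (so verification passes, as curl did),
# but which only speaks TLS 1.2 without the secure-renegotiation extension.
PROXY_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = subscription.rhsm.redhat.com
   i:C = US, O = Example Corp, CN = Example Corp Inspection CA
---
subject=CN = subscription.rhsm.redhat.com
issuer=C = US, O = Example Corp, CN = Example Corp Inspection CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
"""

# Constructed sample: a direct TLS 1.3 session to the real endpoint.
DIRECT_TRANSCRIPT = """\
CONNECTED(00000003)
---
subject=CN = subscription.rhsm.redhat.com
issuer=C = US, O = Red Hat, Inc., CN = Red Hat Placeholder CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.3
    Verify return code: 0 (ok)
"""


def parse_s_client(transcript: str) -> dict:
    """Extract the leaf issuer, negotiated protocol, verify result and
    whether the peer advertised RFC 5746 secure renegotiation."""
    info = {"issuer": None, "protocol": None, "verify_code": None,
            "verify_text": None, "secure_reneg": None}
    m = re.search(r"^issuer=(.*)$", transcript, re.M)
    if m:
        info["issuer"] = m.group(1).strip()
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", transcript, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)", transcript, re.M)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_text"] = m.group(2)
    if re.search(r"^Secure Renegotiation IS supported", transcript, re.M):
        info["secure_reneg"] = True
    elif re.search(r"^Secure Renegotiation IS NOT supported", transcript, re.M):
        info["secure_reneg"] = False
    return info


def diagnose(info: dict, expected_issuer_fragment: str = EXPECTED_ISSUER_FRAGMENT) -> list:
    """Return the list of conditions found, in order of severity."""
    findings = []
    if info["verify_code"] not in (None, 0):
        # Root of the inspecting device is not in the client trust store.
        findings.append("untrusted_chain")
    if info["issuer"] and expected_issuer_fragment not in info["issuer"]:
        # Leaf was re-signed: TLS is being terminated in the path.
        findings.append("inspection_proxy")
    # TLS 1.3 removed renegotiation altogether, so s_client prints
    # "IS NOT supported" for every TLS 1.3 session and OpenSSL does not
    # treat that as unsafe; only a TLS 1.2 (or older) peer without the
    # extension triggers UNSAFE_LEGACY_RENEGOTIATION_DISABLED.
    if info["secure_reneg"] is False and info["protocol"] != "TLSv1.3":
        findings.append("legacy_renegotiation")
    return findings


if __name__ == "__main__":
    for name, text in (("proxy", PROXY_TRANSCRIPT), ("direct", DIRECT_TRANSCRIPT)):
        print(name, diagnose(parse_s_client(text)))
```

When `legacy_renegotiation` is the only finding, the client-side trust store is already fine and the remediation sits on the inspecting device (offer the secure-renegotiation extension or negotiate TLS 1.3 towards clients) or in excluding the subscription endpoints from inspection, which is what the thread ends up doing.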

Responses

I have the same issue and have not been able to resolve it as of yet, but we think it has something to do with our self-signed cert and it thinking that there is a man-in-the-middle kind of issue presenting due to our self-signed cert...

There is supposed to be a way to disable certificate validation ("Set to 1 to disable certificate validation": insecure = 0 in /etc/rhsm/rhsm.conf); that may help. Not really the fix I want, but will test...

Same result as you: insecure = 1 in rhsm.conf, no dice either...

I did a bit more digging after posting this and found this article:

https://access.redhat.com/solutions/4465881

So, we ended up disabling inspection for the required endpoints. Not ideal, but a means to an end.

I can see their point of view, but enterprise environments rely on SSL inspection to maintain security, and this is a less-than-ideal solution. Hopefully they change their stance in the future!

Ben,

Thank you for that information. We will be doing the same with the network and security teams to move this forward.

Consider putting in a ticket. It's good that you got some good info from others, but please consider submitting a case with Red Hat, because if there's an issue it helps for more people to submit cases. They often fix things based on the tickets they get on issues. If you find a bug, consider filing a bug report at bugzilla.redhat.com.

Regards,
RJ