How to update packages with (yum/up2date/satellite-sync/rhn_register) on a server registered via RHN Classic through a firewall

Solution Verified

Environment

  • Red Hat Enterprise Linux
  • Red Hat Network
  • Red Hat Satellite 5.x
  • Internet access filtered by proxy or firewall

Issue

  • How do I configure my system so that up2date, yum, or satellite-sync can access RHN channels through a firewall or proxy?
  • What URLs and ports do I need to configure in my proxy server to access RHN Classic Hosted or Red Hat Satellite 5?
  • Network error when registering a server with rhn_register or rhnreg_ks.
  • Having issues with my subscription certificate on a machine behind a firewall.
  • When trying to update packages with yum, the following error is seen:

    There was an error communicating with RHN.
    RHN channel support will be disabled.
    Error communicating with server. The message was:
    Unable to connect to the host and port specified
    

Resolution

  • For up2date, yum, rhn_register, and satellite-sync to work correctly, the firewall must allow connections to:

    • rhn.redhat.com on port 80 (http)
    • rhn.redhat.com on port 443 (https)
    • xmlrpc.rhn.redhat.com on port 80 (http)
    • xmlrpc.rhn.redhat.com on port 443 (https)
    • content-xmlrpc.rhn.redhat.com on port 80 (http)
    • content-xmlrpc.rhn.redhat.com on port 443 (https)
    • content-web.rhn.redhat.com on port 80 (http)
    • content-web.rhn.redhat.com on port 443 (https)
    • cdn.redhat.com on port 80 (http)
    • cdn.redhat.com on port 443 (https)

For Red Hat Subscription Management, see How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy.

  • Red Hat Satellite 5.x needs additional access to (Satellite 6.x is covered in a separate article):

    • satellite.rhn.redhat.com on port 443 (https)
    • satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 443 (https)

Note: IP addresses for these servers are not permanent; allow the domain names instead. This is partly because content is distributed through a Content Delivery Service by Akamai. For this reason, it is also necessary to allow the following hostname and port on the firewall for proper yum operation:

    • *.akamaiedge.net on port 443 (https)

  • If the network cannot be opened to the above hostnames and ports, and RHN Classic is being used, location aware updates can be disabled as a workaround. This will not work with RHSM, which requires a different set of hostnames through the firewall.
  • If FTP is used as opposed to HTTP, then outbound port 20 (FTP) will need to be opened. To determine if FTP is used, check the output of grep -i ftp:// /etc/yum.repos.d/*.
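As an added example (not part of the Red Hat article), the POSIX shell script below turns the Resolution list into a repeatable check: it tests each hostname/port through whatever firewall or proxy the host actually uses, prints the addresses the names currently resolve to (since the article says to allow by name, not by IP), and runs the article's grep for ftp:// repos. It assumes curl and getent are installed; curl honours the http_proxy/https_proxy environment variables, and the endpoint table is copied from the article.

```shell
#!/bin/sh
# Added example, not the article's or Red Hat's own tooling.
# Assumes: curl and getent available; outbound proxy (if any) exported as
# http_proxy/https_proxy so curl uses it the same way yum/up2date would.

# Hostnames and ports from the article's Resolution section (RHN Classic).
rhn_classic_endpoints() {
  cat <<'EOF'
rhn.redhat.com 80 http
rhn.redhat.com 443 https
xmlrpc.rhn.redhat.com 80 http
xmlrpc.rhn.redhat.com 443 https
content-xmlrpc.rhn.redhat.com 80 http
content-xmlrpc.rhn.redhat.com 443 https
content-web.rhn.redhat.com 80 http
content-web.rhn.redhat.com 443 https
cdn.redhat.com 80 http
cdn.redhat.com 443 https
EOF
}

# Extra endpoints a Satellite 5.x server needs for satellite-sync.
satellite5_endpoints() {
  cat <<'EOF'
satellite.rhn.redhat.com 80 http
satellite.rhn.redhat.com 443 https
content-satellite.rhn.redhat.com 80 http
content-satellite.rhn.redhat.com 443 https
EOF
}

# Total number of host/port pairs in both tables (10 + 4).
count_endpoints() {
  { rhn_classic_endpoints; satellite5_endpoints; } | wc -l | tr -d ' '
}

# Current addresses behind a name; these change, so firewall rules by IP go stale.
resolve_host() {
  getent hosts "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Reachability test for one endpoint. Any HTTP response, even a 404, means the
# path through the firewall/proxy is open; curl exit 6/7/28 mean DNS, connect or
# timeout failure, 35/60 mean TCP is open but TLS or the certificate failed.
check_endpoint() {
  host=$1; port=$2; scheme=$3; rc=0
  curl -s -o /dev/null --connect-timeout 5 --max-time 15 "$scheme://$host:$port/" || rc=$?
  case $rc in
    0)     echo "OK      $scheme://$host:$port/ -> $(resolve_host "$host")"; return 0 ;;
    6)     echo "FAIL    $scheme://$host:$port/ DNS resolution failed"; return 1 ;;
    7|28)  echo "FAIL    $scheme://$host:$port/ refused or timed out (firewall/proxy?)"; return 1 ;;
    35|60) echo "TLS     $scheme://$host:$port/ TCP open, TLS/certificate problem (curl exit $rc)"; return 1 ;;
    *)     echo "UNKNOWN $scheme://$host:$port/ curl exit $rc"; return 1 ;;
  esac
}

# Check every endpoint; pass --satellite on a Satellite 5 server.
check_all() {
  failed=0
  while read -r host port scheme; do
    [ -n "$host" ] || continue
    check_endpoint "$host" "$port" "$scheme" || failed=1
  done <<EOF
$(rhn_classic_endpoints; if [ "${1:-}" = "--satellite" ]; then satellite5_endpoints; fi)
EOF
  return $failed
}

# The article's FTP check: grep -i ftp:// /etc/yum.repos.d/*  (directory is a parameter
# here so it can be pointed at a constructed test directory).
yum_uses_ftp() {
  grep -qi 'ftp://' "${1:-/etc/yum.repos.d}"/* 2>/dev/null
}

case "${1:-}" in
  check) check_all "${2:-}" ;;
  ftp)   if yum_uses_ftp; then echo "ftp:// repo found: outbound FTP port also required"
         else echo "no ftp:// repos in /etc/yum.repos.d"; fi ;;
  *)     echo "Usage: $0 check [--satellite] | ftp"; echo
         echo "Endpoints to allow through the firewall (host port scheme):"
         rhn_classic_endpoints; satellite5_endpoints ;;
esac
```

Run `./rhn-fw-check.sh check` (or `check --satellite` on a Satellite 5 server) from the affected host; a line marked TLS matches the symptom in the comments below where the URLs answer but with a certificate error, while FAIL on every entry points at the firewall or a missing proxy setting rather than at RHN itself.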

Root Cause

  • A Red Hat Enterprise Linux server (if registered via RHN Classic instead of RHSM) or Satellite 5 server must be able to connect back to RHN channels to download software updates.
  • If a firewall prohibits unlimited outbound connections, it is necessary to re-configure the firewall or use a proxy which allows access to the appropriate hosts and ports.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

12 Comments

New installation of RHEL 6.3 cannot even register for updates. (Firstboot registration fails). Firefox and curl also cannot access the network, even though it is possible to run nslookup successfully showing that the network is connected AND the DNS servers are available. Can connect to remote servers using Firefox IF I know the IP address. The Firefox message is "Cannot reach network" (or similar). It would appear that there is undocumented internal security on RHEL (?).

Hi John - you might also want to try sharing this issue in the RHEL group here on the customer portal: https://access.redhat.com/groups/red-hat-enterprise-linux

Thanks David. I was aware of this material before. I have more info after playing some more - for example when curl is pointed at a URL it DOES resolve the address but then reports "unable to connect to xxx.xxx.xxx.xxx Network Unreachable". I can plug in my laptop on the same connection, set it to the server's IP address, and connect to whatever I please, so it is NOT the hardware firewall that is blocking the connection. It "looks" like RHEL has installed and is running an internal software firewall with the wrong rules but so far I haven't been able to find it. iptables is not listed in the process list. I'll try the other forum suggested. Thanks again.

John

Is it possible to have your IP subnet that could be assigned to content-xmlrpc.rhn.redhat.com on port ?
Our firewall only understands IP's.

Dariusz

It isn't possible - we don't have at this time any system allowing us to actively track IP changes for all the servers used for content-* addresses. You'll have to update these rules manually, tracking IP changes with tools such as dig.

I had given up on this! The server works properly in production but so far as I can see, no Red Hat support features work. Maybe they aren't in our subscription, I don't know. I tried to run "yum check-update" and get no response - it just runs for a few seconds and ends. yum.log is empty. I checked messages and get "prod03 rhsmd: This system is missing one or more valid entitlement certificates. Please run subscription-manager for more information." So, I ran subscription-manager list and get "Status: Not Subscribed". subscription-manager subscribe auto gives:

    Installed Product Current Status:
    Product Name: Red Hat Enterprise Linux Server
    Status: Not Subscribed

and finally, subscription-manager register produces "This system is already registered. Use --force to override".

So, I'm in a loop! RHEL system works as expected, I get no update or security error messages from Red Hat, (which surprises me a bit) and I guess eventually before the subscription expires I'll download whatever is the current release to pick up all the updates.

Would sure be nice to be able to "yum" some of the more useful utilities though - like telnet!

I had already seen that help page but I just confirmed that: 1) all URL's listed can be reached through the firewall. All give a 404 error (AND a crypto certificate error. Probably Red Hat uses self-signed certificates). 2) the correct URL's are in the up2date config file. 3) the following message appears each morning in the system log: [[Apr 15 03:26:15 prod03 rhsmd: This system is missing one or more valid entitlement certificates. Please run subscription-manager for more information.]] 4) subscription-manager list comes back with "Not Subscribed". MAN pages say I should run rhn_register so I did and it completes but subscription-manager still says "Not Subscribed".

I will report later on whether anything actually happens!

One relevant point, this is a server and nobody is generally logged in to see the retrieved updates and click on the icon as noted by the rhn_update tool.

Regards,

John

The same issue. When installing openblock in Red Hat, we should register the system with Red Hat Network; when installing Red Hat Enterprise Virtualization Manager, we also must register the system with Red Hat Network.

But at last it all can't register. Please, God, help me to register!!

Hi Jay,

It looks like you're having some difficulty registering. This article is about a specific scenario, but if you're having difficulty it would be best to open up a new support case with Red Hat at the following link: https://access.redhat.com/support/cases/new/ where we can collect some errors and information on your issue. Some good details you can provide to help us better understand the issue in your case are a layout of your infrastructure (is there a proxy? Other networking considerations?) and any specific error you're receiving when trying to register.

Thanks very much Jay.

Hi Kyle,
You may see in rhsm.log: why "SSLError: wrong version number"?
In my Red Hat, the openssl rpm is openssl-1.0.0-20.el6.x86_64; which version is right?

As for this URL 'https://access.redhat.com/site/solutions/236813', I don't know how to solve my question. Please help me!

Thank you everybody!

My servers are only allowed to access sites on port 443. Is there a way to disable all the port 80 URLs used by RH? I think it's kind of insane that everything isn't SSL in the first place!