Subscription-manager command fails with the error "Tunnel connection failed: 407 authenticationrequired".
Environment
- Red Hat Enterprise Linux
- Red Hat Subscription-Manager
- Red Hat Customer Portal
Issue
- While attaching the subscription on the server it fails with the error "Tunnel connection failed: 407 authentication required".
- Registering the server fails with "Tunnel connection failed: 407 Proxy Authorization Required".
Resolution
- Set the proper proxy details in the /etc/rhsm/rhsm.conf file:

      proxy_hostname =
      proxy_port =
      proxy_user =
      proxy_password =

- To bypass the NTLM authentication for the IP address assigned to the affected server:
  - Configure the proxy access control list (ACL) for the affected system.
Root Cause
- The proper proxy details were not configured in the /etc/rhsm/rhsm.conf file, hence the server was not able to communicate with the proxy server and Red Hat CDN.
- The proxy should not ask for NTLM authentication and should provide a direct connection to the proxy.
- It is recommended to use BASIC authentication in the proxy, as subscription-manager will not work properly if NTLM authentication is used with the proxy server.
Diagnostic Steps
- Logs from /var/log/rhsm/rhsm.log:

      2024-01-01 14:38:02,307 [ERROR] rhsmd:58149:MainThread @cache.py:179 - Tunnel connection failed: 407 authenticationrequired
      Traceback (most recent call last):
        File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 170, in update_check
          self._sync_with_server(uep, consumer_uuid)
        File "/usr/lib/python2.7/site-packages/subscription_manager/cache.py", line 522, in _sync_with_server
          content_tags=self.tags)
        File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1001, in updateConsumer
          ret = self.conn.request_put(method, params)
        File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 654, in request_put
          return self._request("PUT", method, params, headers=headers)
        File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 671, in _request
          info=info, headers=headers)
        File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 527, in _request
          conn.request(request_type, handler, body=body, headers=final_headers)
        File "/usr/lib64/python2.7/httplib.py", line 1017, in request
          self._send_request(method, url, body, headers)
        File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
          self.endheaders(body)
        File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
          self._send_output(message_body)
        File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
          self.send(msg)
        File "/usr/lib64/python2.7/httplib.py", line 826, in send
          self.connect()
        File "/usr/lib64/python2.7/httplib.py", line 1227, in connect
          HTTPConnection.connect(self)
        File "/usr/lib64/python2.7/httplib.py", line 810, in connect
          self._tunnel()
        File "/usr/lib64/python2.7/httplib.py", line 792, in _tunnel
          message.strip()))
      error: Tunnel connection failed: 407 authenticationrequired

- The server is using NTLM authentication to connect to the proxy:

      > Proxy-Connection: Keep-Alive
      >
      < HTTP/1.1 407 Proxy Authentication Required   <<-------- requesting auth
      < Mime-Version: 1.0
      < Date: Mon, 13 May 2024 04:50:01 EDT
      < Via: 1.1 example.proxy.com:80 (Cisco-WSA/12.5.1-043)
      < Content-Type: text/html
      < Proxy-Authenticate: Negotiate
      < Proxy-Authenticate: NTLM   <<-----------------
      < Connection: close
      < Proxy-Connection: close
      < Content-Length: 2343
      <
      * Ignore 2343 bytes of response-body
      * Received HTTP code 407 from proxy after CONNECT   <<----------------------
      * CONNECT phase completed!
      * Closing connection 0
      curl: (56) Received HTTP code 407 from proxy after CONNECT
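The two diagnostic checks above can be combined in a small script. This is an added example, not part of the original article or of subscription-manager: it reads the proxy settings from rhsm.conf text and the `Proxy-Authenticate` headers from a captured 407 response, then points to the matching resolution. The function names, the sample inputs and the assumption that the `proxy_*` keys sit in the `[server]` section are its own.

```python
import configparser

PROXY_KEYS = ("proxy_hostname", "proxy_port", "proxy_user", "proxy_password")

def empty_proxy_keys(conf_text):
    """Return the proxy_* keys that are missing or blank in the [server] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    server = cp["server"] if cp.has_section("server") else {}
    return [k for k in PROXY_KEYS if not server.get(k, "").strip()]

def offered_schemes(response_text):
    """List auth schemes from Proxy-Authenticate headers (raw or `curl -v` text)."""
    schemes = []
    for line in response_text.splitlines():
        name, sep, value = line.lstrip("<> ").partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0].lower())
    return schemes

def diagnose(conf_text, response_text):
    """Map the config and the proxy's 407 challenge to the article's resolutions."""
    empty = empty_proxy_keys(conf_text)
    schemes = offered_schemes(response_text)
    if "proxy_hostname" in empty or "proxy_port" in empty:
        return "set proxy_hostname and proxy_port in rhsm.conf"
    if "basic" not in schemes:
        return "proxy offers no Basic auth: bypass NTLM for this host via proxy ACL"
    if "proxy_user" in empty or "proxy_password" in empty:
        return "set proxy_user and proxy_password in rhsm.conf"
    return "proxy settings present and Basic offered: check the credentials"

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONF = """
[server]
hostname = subscription.rhsm.redhat.com
proxy_hostname = proxy.example.com
proxy_port = 3128
proxy_user =
proxy_password =
"""
SAMPLE_407 = """\
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: NTLM
< Connection: close
"""

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_407))
    print(diagnose(SAMPLE_CONF, SAMPLE_407))
```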
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.