How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 8 (and later)
  • Red Hat Enterprise Linux 7 (and later)
  • Red Hat Enterprise Linux 6.1 (and later)
  • Red Hat Enterprise Linux 5.8 (and later)
  • Red Hat Subscription Management (RHSM)
  • Red Hat Satellite 5.6 and 5.7 (if migrated from RHN -> RHSM)
  • Red Hat Satellite 5.8
  • Red Hat Satellite 6

Issue

  • How do I configure my system so that yum can access Red Hat Subscription Management (RHSM) through a firewall or proxy?
  • What URLs and ports do I need to configure in my proxy server to access RHSM?
  • How do I access RHSM (yum) through a firewall?
  • Not able to register due to network error
  • Red Hat Satellite 6 is unable to sync content from Red Hat. I suspect it is the company firewall blocking the traffic. What hostnames do I need to give to the network security team to allow content syncing?
  • Our network team says they need IP addresses to enable them to allow our Red Hat Satellite 6 installation to talk to the Content Delivery Network. We cannot use host names and must use IP address or ranges.

Resolution

Allow the following host names and ports through the outbound firewall so that yum and subscription-manager can reach Red Hat Subscription Management and the Content Delivery Network. The same list applies to Satellite 5.8 and Satellite 6 content syncing:

  • subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] (subscription.rhsm.redhat.com is the default server hostname in newer RHEL 7 releases and later; older clients still use subscription.rhn.redhat.com, so allow both)
  • cdn.redhat.com:443 [https]
  • *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

It is not recommended to specify the IP addresses because the packages are distributed through the Akamai network and the IP addresses are subject to change. However, if your firewall is unable to use host name filtering, Red Hat provides a pool of IP addresses that should provide CDN delivery.

  • For pulling container images, the AWS domains listed in the referenced article also need to be allowed.

Note: If the system is behind an HTTP proxy, add the details to the [server] section of /etc/rhsm/rhsm.conf as follows (the same values can be set with subscription-manager config --server.proxy_hostname=... and the matching --server.proxy_port, --server.proxy_user and --server.proxy_password options). Only HTTP basic proxy authentication is supported, and proxy_password is stored in clear text, so restrict read access to the file if you set it:

# an http proxy server to use (enter server FQDN)
proxy_hostname = myproxy.example.com 

# port for http proxy server
proxy_port = 8080

# user name for authenticating to an http proxy, if needed
proxy_user = proxy_username

# password for basic http proxy auth, if needed
proxy_password = proxy_password
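
The following script is an added example for this article, not code from subscription-manager. It reads the proxy_* keys from the [server] section of rhsm.conf, flags the configuration mistakes behind the errors under Diagnostic Steps (missing port, a proxy port SELinux does not let rhsmcertd connect to, credentials that will draw a 407), and then opens a CONNECT tunnel through that proxy to each host listed above and reports the HTTP status or the failure, the same way subscription-manager reaches those hosts. The sample rhsm.conf text is constructed; the SELinux port set is an assumption taken from the `semanage port -l` output quoted in the comments on this page, so confirm it against your own policy.

```python
"""Lint the proxy settings in /etc/rhsm/rhsm.conf and probe the RHSM/CDN hosts through
that proxy the way subscription-manager does (HTTP CONNECT, then TLS inside the tunnel).
Added example for this article; not code from subscription-manager."""
import base64
import configparser
import glob
import http.client
import ssl

# Host names and ports from the Resolution section; the path is what rhsm requests on
# its API server (see the "Making request" line in the log below).
RHSM_ENDPOINTS = (
    ("subscription.rhsm.redhat.com", 443, "/subscription/"),
    ("subscription.rhn.redhat.com", 443, "/subscription/"),
    ("cdn.redhat.com", 443, "/"),
)

# Ports SELinux lets rhsmcertd_t name_connect to: 80/443 (http_port_t) plus the
# http_cache_port_t ports quoted in the comments on this page.  Assumption: confirm
# with `semanage port -l | grep -E 'http(_cache)?_port_t'` on the real policy.
SELINUX_PROXY_PORTS = {80, 443, 8080, 8118, 8123} | set(range(10001, 10011))

# Constructed rhsm.conf fragment using the keys from the note above.
SAMPLE_RHSM_CONF = """\
[server]
hostname = subscription.rhsm.redhat.com
proxy_hostname = myproxy.example.com
proxy_port = 3128
proxy_user = proxy_username
proxy_password = proxy_password
"""


def parse_proxy(conf_text):
    """Return the proxy_* keys of the [server] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    srv = cp["server"] if cp.has_section("server") else {}
    port = srv.get("proxy_port", "").strip()
    return {
        "hostname": srv.get("proxy_hostname", "").strip(),
        "port": int(port) if port.isdigit() else None,
        "user": srv.get("proxy_user", "").strip(),
        "password": srv.get("proxy_password", ""),
    }


def lint_proxy(proxy):
    """Configuration problems that map to the errors shown under Diagnostic Steps."""
    if not proxy["hostname"]:
        return ["proxy_hostname unset: connections go straight to the firewall"]
    problems = []
    if proxy["port"] is None:
        problems.append("proxy_port missing or not numeric")
    elif proxy["port"] not in SELINUX_PROXY_PORTS:
        problems.append("proxy_port %d is not an http(_cache)_port_t port: rhsmcertd gets an "
                        "SELinux name_connect denial unless you run "
                        "`semanage port -a -t http_cache_port_t -p tcp %d`" % ((proxy["port"],) * 2))
    if proxy["user"] and not proxy["password"]:
        problems.append("proxy_user set without proxy_password: expect 407 Proxy Authentication Required")
    if proxy["password"]:
        problems.append("proxy_password is stored in clear text: restrict read access to rhsm.conf")
    return problems


def proxy_auth_header(proxy):
    """Proxy-Authorization header for HTTP basic proxy auth (what rhsm.conf supports)."""
    if not proxy["user"]:
        return {}
    raw = ("%s:%s" % (proxy["user"], proxy["password"])).encode()
    return {"Proxy-Authorization": "Basic " + base64.b64encode(raw).decode()}


def probe(host, port, path, proxy, timeout=10):
    """GET path on host:port through the proxy.  Returns the HTTP status, or on failure
    "ExceptionName: detail" (connection refused, "Tunnel connection failed: 407 ...",
    CERTIFICATE_VERIFY_FAILED when a web filter re-signs the TLS session)."""
    ctx = ssl.create_default_context()            # system CA bundle, plus the
    for pem in glob.glob("/etc/rhsm/ca/*.pem"):   # Red Hat CA files rhsm itself loads
        ctx.load_verify_locations(cafile=pem)
    conn = http.client.HTTPSConnection(proxy["hostname"], proxy["port"], timeout=timeout, context=ctx)
    conn.set_tunnel(host, port, headers=proxy_auth_header(proxy))
    try:
        conn.request("GET", path, headers={"User-Agent": "rhsm-proxy-check"})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:   # ssl.SSLError is an OSError
        return "%s: %s" % (type(exc).__name__, exc)
    finally:
        conn.close()


if __name__ == "__main__":
    with open("/etc/rhsm/rhsm.conf") as fh:
        cfg = parse_proxy(fh.read())
    for issue in lint_proxy(cfg):
        print("WARN:", issue)
    if cfg["hostname"] and cfg["port"]:
        for host, port, path in RHSM_ENDPOINTS:
            print("%s:%d -> %s" % (host, port, probe(host, port, path, cfg)))
```

Run it as root on the client: a 407 from the CONNECT means the proxy credentials are missing or wrong, "Connection refused" or a timeout means the client cannot reach the proxy (or the proxy cannot reach Red Hat), and a certificate verification error means something between the client and Red Hat is terminating TLS, which subscription-manager will also reject. Any 2xx/3xx/4xx status from the Red Hat host itself shows the path is open.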

Root Cause

  • Firewall or proxy is not configured for access to RHSM.
  • Some firewalls or organizations cannot filter by hostname and might need more granular control.

Diagnostic Steps

Some examples of errors seen when subscription-manager could not reach the hosts above because of a firewall or proxy:

  • Seeing this error (in /var/log/rhsm/rhsm.log) when trying to run 'subscription-manager register':
2014-04-16 18:07:53,063 [INFO]  @connection.py:657 - Connection Built: host: subscription.rhn.redhat.com, port: 443, handler: /subscription
2014-04-16 18:07:53,108 [DEBUG]  @connection.py:420 - Loading CA PEM certificates from: /etc/rhsm/ca/
2014-04-16 18:07:53,108 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:426 - Using proxy: proxy.example.com:3128
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
2014-04-16 18:07:53,173 [ERROR]  @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
2014-04-16 18:07:53,174 [ERROR]  @utils.py:363 - [Errno 111] Connection refused
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/utils.py", line 341, in get_server_versions
    if cp.supports_resource("status"):
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 683, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 670, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 541, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 448, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 200, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 192, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg
error: [Errno 111] Connection refused

... the solution was to add a rule for the client machine's IP address to the corporate firewall allowing access to subscription.rhn.redhat.com.

  • Seeing this error when running yum:
[root@rhsm ~]# yum update
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Error: failed to retrieve repodata/89cb7993fa65f2293e1b188014e0266343598f276e1af053c3189f6db6b488b1-primary.xml.gz from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"

... the solution was to add the proxy settings to /etc/rhsm/rhsm.conf as shown in the note under Resolution.

  • Seeing this error when registering a system behind a firewall to RHSM:
Unable to verify server's identity: (104, 'Connection reset by peer')
  • tcpdump output showed that the firewall had 'Web Filter' rules that intercepted or modified packets sent to the server. Note that subscription-manager validates the server certificate only against the CA certificates in /etc/rhsm/ca/ (see the "Loading CA certificate" lines in the log above), so a proxy or web filter that terminates and re-signs TLS causes this error even when the firewall rule itself is open. In that case, check the following:
  1. Check the time setting on the system

TLS certificate validation depends on the system clock: if the date is outside the validity period of the server's certificate or of the CA certificates, the handshake fails. Make sure the system has the correct time zone, date and time.

# grep ZONE /etc/sysconfig/clock
(RHEL 5 and RHEL 6; on RHEL 7 and later use timedatectl)

The current date/time should be correct for that time zone:

# date

RHEL5 and RHEL6:

# ntpq -p

RHEL7 and later:

# chronyc sources

or

# chronyc tracking
(To check for any offset or jitter)
  2. Check intranet and proxy configuration

Make sure that the local network has the appropriate routes and that the proxy's SSL (CONNECT) rules allow connections to the hosts listed under Resolution.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

19 Comments

Do you know any firewall which is accepting hostnames instead of IPs? I know none.
This because an external DNS change would then change the firewall policies without changing anything in the firewall itself.
What you say only applies to filtering proxies, not to firewalls.
For firewalls, you have to manually check (and regularly update) what is listed at https://access.redhat.com/site/node/11214

The URLs defined are for proxy configuration, to allow access to specific URLs, not the firewall. You have to allow the satellite to communicate on port tcp/443 in the firewall, and let the proxy handle which URLs are allowed.

Hi,
I have a problem with this article. Our firewall is allowing access to *.redhat.com and *.akamaiedge.net

But apparently yum is trying to access cdn.redhat.com and here come troubles:

[root@bilbo ~]# host cdn.redhat.com
cdn.redhat.com is an alias for cac.cdn.redhat.com.edgekey.net.
cac.cdn.redhat.com.edgekey.net is an alias for e4177.cd.akamaiedge.net.
e4177.cd.akamaiedge.net has address 95.101.64.251
[root@bilbo ~]# host 95.101.64.251
Host 251.64.101.95.in-addr.arpa. not found: 3(NXDOMAIN)

There is no revdns for IP therefore it is blocking traffic.

How to address it?

Is it possible to register the machine manually instead of using the command subscription-manager?

Hi team.

Could you also clarify which ports are needed for a Satellite 6 deployment, i.e. can we just exchange Akamai for the Satellite 6 URL and the traffic is contained to port 443?

many thanks

Chris

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/location-aware.html

How can I tell rhsm to use the system proxy info rather that having to edit the rhsm.conf file every time my proxy password changes?

Here is the error I am getting .
Am I supposed to be using my RedHat account login or something else?

[root@brclnxaa ~]# subscription-manager register
Username: aeeichen
Password:
Unable to verify server's identity: (104, 'Connection reset by peer')
[root@brclnxaa ~]#

Same - getting "Unable to verify server's identity: (104, 'Connection reset by peer')" on RHEL 5.3. Installed all necessary package dependencies, even latest YUM for 5.x. There's something else missing. Proxy is properly configured, as I have gone through this process with another RHEL 5 32-bit system.

It is a fact that Redhat needs a "Linux to use NTLM authentication " solution. Oracle Linux has no problem. Right now the solution is to download and use a product called CNTLM. Not much fun. Please provide a solution where you only have to update a file with your proxy server.

Seeing these errors against Satellite 6.1 when FW is open.

Do you to the reason currently, subscription.rhsm.redhat.com is used for entitlement certificates, can you please update the hostnames?

I realized that even after setting the proxy, it sometimes tries to go directly to the firewall (after checking the firewall traffic log). I had to allow access to xmlrpc.rhn.redhat.com on 443/tcp port so that the system could properly update. After doing this the update worked just fine. Hope it helps someone. I'm using redhat-5 btw.

SELinux can also block rhsm or rhsmcertd from connecting to CDN or Satellite:

type=AVC msg=audit(1492831094.462:2686): avc:  denied  { name_connect } for  pid=26849 comm="rhsmcertd-worke" dest=8012 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:foreman_proxy_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1492831094.462:2686): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffcb23a3210 a2=10 a3=d items=0 ppid=1098 pid=26849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)

This is expected behavior, as you can see it is only allowed to connect to standard http and https ports or to standard http/https caching ports:

# sesearch -A --allow -s rhsmcertd_t | grep http
   allow rhsmcertd_t http_cache_port_t : tcp_socket name_connect ; 
   allow daemon httpd_sys_content_t : dir { getattr search open } ; 
   allow rhsmcertd_t http_port_t : tcp_socket name_connect ; 

In order to fix that, you either need to use one of standard http cache ports:

# semanage port -l | grep http_cache_port_t
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130

Or you need to assign new port number to SELinux port type:

# semanage port -a -t http_cache_port_t -p tcp 9999

Where 9999 is desired port number of the HTTP proxy in use. The command above will immediately fix the issue, no need to restart anything, you can keep running rhsmcertd in enforcing mode.
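
As an added example (not the commenter's or Red Hat's code), the following parses audit records like the two above, keeps only name_connect denials that the rhsmcertd_t domain received on a tcp_socket, and prints the fix. For a port that is still unreserved_port_t it emits the `semanage port -a` command shown above; for a port that already carries another module's label (as 8012 does above, foreman_proxy_port_t) it tells you to move the proxy to an http_cache_port_t port instead, because `semanage port -a` fails with "already defined" on such a port and relabelling it with -m would break the service that owns it. The first two sample lines are the ones quoted in the comment above; the third is constructed.

```python
"""Find SELinux name_connect denials for rhsmcertd in audit.log output and print the
port-labelling fix.  Added example for this article; not part of setroubleshoot or
subscription-manager."""
import re
import sys

# auditd writes key=value tokens; values are bare or double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"denied\s+\{ ([^}]+) \}")

# Domain the subscription-manager daemon runs in (from the scontext above).
RHSM_DOMAINS = {"rhsmcertd_t"}

# First two lines are the ones quoted in the comment above; the third is constructed:
# the same daemon reaching a proxy on a port that has no specific label yet.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1492831094.462:2686): avc:  denied  { name_connect } for  pid=26849 comm="rhsmcertd-worke" dest=8012 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:foreman_proxy_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1492831094.462:2686): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffcb23a3210 a2=10 a3=d items=0 ppid=1098 pid=26849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1492900000.100:2800): avc:  denied  { name_connect } for  pid=27010 comm="rhsmcertd-worke" dest=9999 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    denied = _DENIED.search(line)
    if not denied:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return {
        "perms": denied.group(1).split(),
        "comm": fields.get("comm"),
        "dest": fields.get("dest"),
        # contexts are user:role:type:level; the type is what the policy rules name
        "sdomain": fields.get("scontext", "::").split(":")[2],
        "ttype": fields.get("tcontext", "::").split(":")[2],
        "tclass": fields.get("tclass"),
    }


def find_rhsm_port_denials(audit_text):
    """AVC records where an rhsm domain was refused an outbound TCP connect."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if (avc and avc["sdomain"] in RHSM_DOMAINS
                and avc["tclass"] == "tcp_socket" and "name_connect" in avc["perms"]):
            hits.append(avc)
    return hits


def remediation(avc):
    """What to do about one denial.

    rhsmcertd_t may name_connect to http_port_t and http_cache_port_t (sesearch output
    above).  An unreserved port can simply be labelled.  A port that already belongs to
    another policy module cannot be added with `semanage port -a` (it fails with
    "already defined"), and relabelling it with -m would break the service that owns
    it, so the safe fix is to move the proxy to a port that is already allowed."""
    port = avc["dest"]
    if avc["ttype"] == "unreserved_port_t":
        return "semanage port -a -t http_cache_port_t -p tcp %s" % port
    return ("port %s is already labelled %s; move the proxy to an http_cache_port_t port "
            "(semanage port -l | grep http_cache_port_t) instead of relabelling it"
            % (port, avc["ttype"]))


if __name__ == "__main__":
    # Usage: python3 rhsm_avc.py /var/log/audit/audit.log  (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    for avc in find_rhsm_port_denials(text):
        print("%s -> tcp/%s (%s): %s" % (avc["comm"], avc["dest"], avc["ttype"], remediation(avc)))
```

Only the AVC record is needed for the decision; the SYSCALL record with the same audit serial is skipped. If the denial vanishes when the proxy is moved to 8080 but the probe still fails, the problem is the firewall or proxy, not SELinux.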

This solution does not seem to work for socks5 proxy.

For security reasons my company does not support https proxy, and only allows socks5 through a 2 factor auth session. The box I'm trying to register is not just one hop off the Internet, but has to go through a chain of firewalls and proxy servers to get out. I can verify with curl and the socks5: protocol that I can reach https://subscription.rhn.redhat.com but I can't get subscription-manager to accept it. Anyone have a work around?

Hi Steven,

I would suggest to Open a case [1] in which you can share your configuration and your needs. From there, we can see how we can help you with the actual product or make sure we have an RFE in place to address this need in the future.

[1] https://access.redhat.com/support

what was the proxy information added ?? "the solution was to add proxy information to /etc/rhsm/rhsm.conf"

Please be more specific

ctrl+f "Note: If the system is behind an HTTP proxy"

Time appropriate greetings folks,
I wanted to know for which purpose each of the FQDN mentioned in this KB are used for. So I asked Support and would like to share the answer with you here.

The URL subscription.rhsm.redhat.com:443 is used to register RHEL 7 and newer to the Customer Portal. Because the IP address currently in use may or may not change it is recommended to use the FQDN in your firewall.

If properly registered and subscribed systems are cut off from access to subscription.rhsm.redhat.com:443 the systems' status will be shown as 'disconnected' or 'unknown'. The check-in times for contacting RHSM are every 4 hours by default. When this happens you won't be able to download packages using dnf or yum from repos that are configured in /etc/{dnf,yum}.repos.d/redhat.repo and provided from cdn.redhat.com, *.akamaiedge.net or *.akamaitechnologies.com.

To be able to download packages from repos configured in /etc/{dnf,yum}.repos.d/redhat.repo of course in any case you will need access to cdn.redhat.com, *.akamaiedge.net or *.akamaitechnologies.com. You wouldn't need access to these FQDNs when using repos hosted on your LAN only.

In case you are looking for solutions on how to create repos on your LAN you might find the following URLs useful: