- Red Hat Enterprise Linux 8 (and later)
- Red Hat Enterprise Linux 7 (and later)
- Red Hat Enterprise Linux 6.1 (and later)
- Red Hat Enterprise Linux 5.8 (and later)
- Red Hat Subscription Management (RHSM)
- Red Hat Satellite 5.6 and 5.7 (if migrated from RHN -> RHSM)
- Red Hat Satellite 5.8
- Red Hat Satellite 6
- How do I configure my system so that yum can access Red Hat Subscription Management (RHSM) through a firewall or proxy?
- What URLs and ports do I need to configure in my proxy server to access RHSM?
- How do I access RHSM (yum) through a firewall?
- Not able to register due to network error
- Red Hat Satellite 6 is unable to sync content from Red Hat. I suspect it is the company firewall blocking the traffic. What hostnames do I need to give to the network security team to allow content syncing?
- Our network team says they need IP addresses to enable them to allow our Red Hat Satellite 6 installation to talk to the Content Delivery Network. We cannot use host names and must use IP address or ranges.
Allow the following host names and ports on the outgoing network firewall so that yum and subscription-manager can access Red Hat subscription services and the Content Delivery Network (the same list applies to sync issues with Satellite 5.8 and Satellite 6+):
- subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] (This is the new default address in newer versions of RHEL 7)
- cdn.redhat.com:443 [https]
- *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]
It is not recommended to specify the IP addresses because the packages are distributed through the Akamai network and the IP addresses are subject to change. However, if your firewall is unable to use host name filtering, Red Hat provides a pool of IP addresses that should provide CDN delivery.
- To pull container images, the AWS domain also needs to be whitelisted, as per article aws
Note: If the system is behind an HTTP proxy, add the details in /etc/rhsm/rhsm.conf as follows:

```
# an http proxy server to use (enter server FQDN)
proxy_hostname = myproxy.example.com
# port for http proxy server
proxy_port = 8080
# user name for authenticating to an http proxy, if needed
proxy_user = proxy_username
# password for basic http proxy auth, if needed
proxy_password = proxy_password
```
- Firewall or proxy is not configured for access to RHSM.
- Some firewalls or organizations cannot use hostnames and might need more granular control.
Some examples of errors seen when subscription-manager was not able to access the above URLs because of a firewall and/or proxy:
- Seeing this error (in /var/log/rhsm/rhsm.log) when trying to run 'subscription-manager register':
```
2014-04-16 18:07:53,063 [INFO] @connection.py:657 - Connection Built: host: subscription.rhn.redhat.com, port: 443, handler: /subscription
2014-04-16 18:07:53,108 [DEBUG] @connection.py:420 - Loading CA PEM certificates from: /etc/rhsm/ca/
2014-04-16 18:07:53,108 [DEBUG] @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2014-04-16 18:07:53,109 [DEBUG] @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2014-04-16 18:07:53,109 [DEBUG] @connection.py:426 - Using proxy: proxy.example.com:3128
2014-04-16 18:07:53,109 [DEBUG] @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
2014-04-16 18:07:53,173 [ERROR] @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
2014-04-16 18:07:53,174 [ERROR] @utils.py:363 - [Errno 111] Connection refused
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/utils.py", line 341, in get_server_versions
    if cp.supports_resource("status"):
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 683, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 670, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 541, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 448, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 200, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 192, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg
error: [Errno 111] Connection refused
```
... solution was to add the client machine IP to the corporate firewall to allow access to subscription.rhn.redhat.com.
- Seeing this error when running yum:

```
[root@rhsm ~]# yum update
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Error: failed to retrieve repodata/89cb7993fa65f2293e1b188014e0266343598f276e1af053c3189f6db6b488b1-primary.xml.gz from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"
```
... the solution was to add proxy information to /etc/rhsm/rhsm.conf
- Seeing this error when registering system behind firewall to RHSM:
Unable to verify server's identity: (104, 'Connection reset by peer')
- tcpdump output shows that the firewall has rules in 'WEB Filter' that possibly obstruct or modify packets sent to the server.
- Check the time setting on the system
SSL depends on appropriate date and time ranges. Make sure the system has the current time and date.
# grep ZONE /etc/sysconfig/clock
The time should match between the TZ time and the current date/time
RHEL5 and RHEL6:
# ntpq -p
# chronyc sources
# chronyc tracking (To check for any jitter)
- Check intranet and proxy configuration
Make sure that the local network has appropriate routes and that SSL proxy rules are set, so that the system can connect to the outside network.
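
The three error signatures above can be triaged from rhsm.log and yum output and cross-checked against the proxy settings in rhsm.conf. This is an added example, not Red Hat's code: the sample config and log are constructed, the `proxy_*` keys are assumed to sit in the `[server]` section as in a stock rhsm.conf, and `load_proxy` and `triage` are hypothetical helper names.

```python
import configparser
import re

# Constructed samples modelled on the excerpts above (not from a real system).
SAMPLE_CONF = """\
[server]
proxy_hostname = myproxy.example.com
proxy_port = 8080
proxy_user =
"""
SAMPLE_LOG = """\
2014-04-16 18:07:53,109 [DEBUG] @connection.py:426 - Using proxy: proxy.example.com:3128
2014-04-16 18:07:53,109 [DEBUG] @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
2014-04-16 18:07:53,173 [ERROR] @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
2014-04-16 18:07:53,174 [ERROR] @utils.py:363 - [Errno 111] Connection refused
[Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"
Unable to verify server's identity: (104, 'Connection reset by peer')
"""
SIGNATURES = [  # the three error signatures and remedies this page describes
    ("refused", r"\[Errno 111\] Connection refused",
     "allow this client through the firewall to the host on port 443"),
    ("proxy-auth", r"407 Proxy Authentication Required",
     "add the proxy details to /etc/rhsm/rhsm.conf"),
    ("reset", r"Connection reset by peer",
     "check the firewall's web filter for rules that alter the traffic"),
]

def load_proxy(conf_text):
    """Read proxy_* from rhsm.conf text; report only whether a password is set."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    get = lambda key: cp.get("server", key, raw=True, fallback="").strip()
    return {"host": get("proxy_hostname"), "port": get("proxy_port"),
            "user": get("proxy_user"), "has_password": bool(get("proxy_password"))}

def triage(log_text, proxy):
    """Return the first finding per error kind, with the last host/proxy logged."""
    findings, seen, ctx = [], set(), {"host": None, "proxy": None}
    for line in log_text.splitlines():
        if m := re.search(r"Using proxy: (\S+)", line):
            ctx["proxy"] = m.group(1)
        if m := re.search(r"Making request: \w+ https://([^:/\s]+)", line):
            ctx["host"] = m.group(1)
        for kind, pattern, remedy in SIGNATURES:
            if kind not in seen and re.search(pattern, line):
                if kind == "proxy-auth" and not (proxy["host"] and proxy["user"]):
                    remedy += " (proxy host or user is not set there)"
                seen.add(kind)
                findings.append({"kind": kind, "remedy": remedy, **ctx})
    return findings
```

On a real host, pass the contents of /var/log/rhsm/rhsm.log (or captured yum output) and /etc/rhsm/rhsm.conf to `triage` and `load_proxy`; the proxy password is never returned, only whether one is set.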