====== How To Fix Yum Basic HTTP Authentication Behind a Proxy ====== ===== Problem ===== When configuring a yum proxy via /etc/yum.conf a "yum check-update" fails on the rhel6-some-repo-x.y repository with: [root@myhost yum.repos.d]# yum check-update Loaded plugins: priorities, refresh-packagekit, rhnplugin, security This system is receiving updates from RHN Classic or RHN Satellite. http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 400 Bad request" Trying other mirror. Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel6-some-repo-x.y. Please verify its path and try again ===== Additional Information ===== The customer used a cloud-based proxy service (ZScaler) but has NOT implemented proxy authentication. The proxy is configured correctly in /etc/yum.conf ===== Troubleshooting ===== A packet capture indicated the following HTTP header when requesting the repository information: GET http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml HTTP/1.1 Authorization: Basic REDACTED User-Agent: urlgrabber/3.9.1 yum/3.2.29 Host: yum.whatever.com Accept: */* Proxy-Connection: Keep-Alive A GET HTTP request in this format is malformed and therefore return a "400 Bad request" Further investigation revealed Yum's documentation recommends the following configuration when implementing HTTP authentication for a yum repository: baseurl=http://yum.whatever.com/yum/base/ username=REDACTED password=REDACTED Running the "yum check-update" command again reveals a different error: [root@myhost yum.repos.d]# yum check-update Loaded plugins: priorities, refresh-packagekit, rhnplugin, security This system is receiving updates from RHN Classic or RHN Satellite. http://yum.whatever.com/yum/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 401 Authorization Required" Trying other mirror. Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel6-some-repo-x.y. Please verify its path and try again A packet capture shows the following HTTP request: GET http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml HTTP/1.1 Authorization: Basic REDACTED User-Agent: urlgrabber/3.9.1 yum/3.2.29 Host: yum.whatever.com Accept: */* Proxy-Connection: Keep-Alive Resolution: Because there is "Basic" authentication but no credentials supplied, the web server responds with "401 Authorization Required". The problem was tracked to an incompatibility with yum-3.2.29-60 and python-urlgrabber-3.9.1-9. More information: * https://issues.sonatype.org/browse/NEXUS-6007 * https://bugzilla.redhat.com/show_bug.cgi?id=739860 This problem currently exists in RHEL 6.6 but may be resolved in a future version. It likely exists on any system with the python-urlgrabber-3.9.1-9 package. ===== Resolution ===== 1. Modify /etc/yum.repos.d/rhel6-some-repo-x.y.repo to conform to yum's recommended standard of baseurl/username/password for both contained repositories. 2. Apply the patch as documented in the NEXUS URL: 2a. Copy the file {{:howto:urlgrabber.patch|}} to the /root/ directory. 2b. Back up the existing grabber.py file: cp /usr/lib/python2.6/site-packages/urlgrabber/grabber.py /root/urlgrabber_backup/head_node/grabber.py 2c. Patch the file: patch /usr/lib/python2.6/site-packages/urlgrabber/grabber.py < /root/urlgrabber.patch 2d. Each command should return an output similar to below: patching file /usr/lib/python2.6/site-packages/urlgrabber/grabber.py Hunk #2 succeeded at 426 (offset -5 lines). Hunk #3 succeeded at 828 (offset -6 lines). Hunk #4 succeeded at 1253 (offset -9 lines). Hunk #5 succeeded at 1349 (offset -9 lines). 3. Re-run the "yum check-update" command. It should complete successfully.