How To Fix Yum Basic HTTP Authentication Behind a Proxy

Problem

When configuring a yum proxy via /etc/yum.conf a “yum check-update” fails on the rhel6-some-repo-x.y repository with:

[root@myhost yum.repos.d]# yum check-update
Loaded plugins: priorities, refresh-packagekit, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 400 Bad request"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel6-some-repo-x.y. Please verify its path and try again

Additional Information

The customer used a cloud-based proxy service (ZScaler) but has NOT implemented proxy authentication. The proxy is configured correctly in /etc/yum.conf

Troubleshooting

A packet capture indicated the following HTTP header when requesting the repository information:

GET http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml HTTP/1.1
Authorization: Basic REDACTED
User-Agent: urlgrabber/3.9.1 yum/3.2.29
Host: yum.whatever.com
Accept: */*
Proxy-Connection: Keep-Alive

A GET HTTP request in this format is malformed and therefore return a “400 Bad request”

Further investigation revealed Yum's documentation recommends the following configuration when implementing HTTP authentication for a yum repository:

baseurl=http://yum.whatever.com/yum/base/
username=REDACTED
password=REDACTED

Running the “yum check-update” command again reveals a different error:

[root@myhost yum.repos.d]# yum check-update
Loaded plugins: priorities, refresh-packagekit, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
http://yum.whatever.com/yum/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 401 Authorization Required"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel6-some-repo-x.y. Please verify its path and try again

A packet capture shows the following HTTP request:

GET http://REDACTED:REDACTED@yum.whatever.com/yum/base/repodata/repomd.xml HTTP/1.1
Authorization: Basic REDACTED
User-Agent: urlgrabber/3.9.1 yum/3.2.29
Host: yum.whatever.com
Accept: */*
Proxy-Connection: Keep-Alive
Resolution:

Because there is “Basic” authentication but no credentials supplied, the web server responds with “401 Authorization Required”.

The problem was tracked to an incompatibility with yum-3.2.29-60 and python-urlgrabber-3.9.1-9.

More information:

This problem currently exists in RHEL 6.6 but may be resolved in a future version. It likely exists on any system with the python-urlgrabber-3.9.1-9 package.

Resolution

1. Modify /etc/yum.repos.d/rhel6-some-repo-x.y.repo to conform to yum's recommended standard of baseurl/username/password for both contained repositories.

2. Apply the patch as documented in the NEXUS URL:

2a. Copy the file urlgrabber.patch to the /root/ directory.

2b. Back up the existing grabber.py file:

cp /usr/lib/python2.6/site-packages/urlgrabber/grabber.py /root/urlgrabber_backup/head_node/grabber.py

2c. Patch the file:

patch /usr/lib/python2.6/site-packages/urlgrabber/grabber.py < /root/urlgrabber.patch

2d. Each command should return an output similar to below:

patching file /usr/lib/python2.6/site-packages/urlgrabber/grabber.py
Hunk #2 succeeded at 426 (offset -5 lines).
Hunk #3 succeeded at 828 (offset -6 lines).
Hunk #4 succeeded at 1253 (offset -9 lines).
Hunk #5 succeeded at 1349 (offset -9 lines).

3. Re-run the “yum check-update” command. It should complete successfully.

howto/how_to_fix_yum_basic_auth_behind_a_proxy.txt · Last modified: 2015/03/24 21:33 by smark
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0