Red Hat Yum proxy support in Nexus?

Hi. I have created a CentOS yum repo proxy and it is working fine. But when I created one for a Red Hat yum proxy, it doesn’t work. We have a valid Red Hat subscription actually. Is it because Red Hat does not allow 3rd parties to connect to their server, or because Nexus doesn’t support this?

Thank you

From client error message:

[root@uat ~]# yum install nc
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
http://192.168.65.111:8081/repository/yum-rhel7-proxy/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article

[Errno 14] yum fails with HTTP/HTTPS Error 404 - Red Hat Customer Portal

Does https://cdn.redhat.com/content/dist/rhel/entitlement-7/releases/$releasever/$basearch/scaleablefilesystem/os/repodata/repomd.xml exist? Access to repomd is required and it’s complaining it can’t find it.
I don’t recall any other reports of Redhat not working.
-Joe

Hi Joe

I’m not so sure myself, coz the baseurl I copied from the Red Hat access page.
Also I checked again in my /etc/yum.repos.d/redhat.repo, the enabled repo is
https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os/

and I tried curl on that link but it returned permission denied.

Maybe you have a baseurl that actually works? Can you share it if possible?
Thank you

You’d need to expand the variables $releasever and $basearch appropriately for this to work. But I think you’re going to run into another problem. Client side SSL certificates aren’t working in Repo 3, and I believe that will be needed to get access to that repository. We’ve bumped up the priority of this issue in our backlog:

https://issues.sonatype.org/browse/NEXUS-12488

Hi
I expanded the variable as you suggested

https://cdn.redhat.com/content/dist/rhel/server/7Server/x86_64/os/

So far I am not getting the ‘handshake-failure’ issue, but HTTP/1.1 403 Forbidden instead.

2019-09-24 19:43:02,072+0800 DEBUG [qtp40223173-152] admin org.sonatype.nexus.httpclient.outbound - https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml < HTTP/1.1 403 Forbidden @ 180.3 ms

I am also trying to create a Red Hat yum proxy and have the same problem, where I get a HTTP 403 returned. I am assuming this is because cdn.redhat requires authentication - in particular I think it expects you to pass it sslclientcert, sslclientkey, sslcacert (see How to authenticate to https://cdn.redhat.com - Red Hat Customer Portal). sslclientkey and sslclientcert are found in /etc/pki/entitlement on your Red Hat system and I believe are generated as part of your RHN subscription.

Presumably, Nexus does not pass these details forward (I have defined these fields in my local nexus.repo file but see no evidence of them being provided to the cdn endpoint).

I’d be interested to know if I’m approaching this the wrong way, or if there is an alternative method that allows you to sync Red Hat repositories with Nexus. I have searched through a lot of articles but haven’t found much to suggest this is possible.

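The variable expansion and the sslclientcert / sslclientkey / sslcacert fields discussed in the posts above, as an added example that is not part of any post in this thread or of Nexus: it reads a redhat.repo file and, for each enabled repo, produces the fully expanded URL to use as the proxy's remote and the entitlement files the upstream connection would need. The sample file content, the entitlement serial and the function names are constructed for illustration; the 7Server / x86_64 values are the ones used in this thread.

```python
import configparser
import re

# Constructed sample in the layout of /etc/yum.repos.d/redhat.repo (serial is made up).
SAMPLE_REPO = """\
[rhel-7-server-rpms]
name = Red Hat Enterprise Linux 7 Server (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
enabled = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/1234567890-key.pem
sslclientcert = /etc/pki/entitlement/1234567890.pem

[rhel-7-server-optional-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/optional/os
enabled = 0
"""

YUM_VAR = re.compile(r"\$(\w+)")

def expand(url, yum_vars):
    """Substitute yum variables; fail loudly if one is left undefined."""
    def sub(match):
        name = match.group(1)
        if name not in yum_vars:
            raise KeyError(f"undefined yum variable ${name} in {url}")
        return yum_vars[name]
    return YUM_VAR.sub(sub, url)

def proxy_plan(repo_text, yum_vars):
    """Return {repo_id: settings} for every enabled repo in the file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cp.read_string(repo_text)
    plan = {}
    for repo_id in cp.sections():
        repo = cp[repo_id]
        if repo.get("enabled", "1").strip() != "1":
            continue  # disabled repos are not worth proxying
        cert, key = repo.get("sslclientcert"), repo.get("sslclientkey")
        plan[repo_id] = {
            "remote_url": expand(repo["baseurl"], yum_vars),
            "client_cert": cert,
            "client_key": key,
            "ca_cert": repo.get("sslcacert"),
            "needs_client_tls": bool(cert and key),
        }
    return plan

print(proxy_plan(SAMPLE_REPO, {"releasever": "7Server", "basearch": "x86_64"}))
```

A repo flagged `needs_client_tls` is one where the proxy must present the listed cert/key pair upstream, which is the gap the 403 in the log above points at.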

Steve, I am trying to build the same exact type of repo in Nexus to CDN.redhat.com. Apparently we have to take the entitlement certs from Red Hat, and somehow get a CA cert from Red Hat, and then use a command like this:
openssl pkcs12 -export -in content-rhel7.crt -inkey content-rhel7.key -out rhel.p12 -name clientKeystore -CAfile cdn.redhat.com-chain.crt -caname cdn.redhat.com

Then we have to import that p12 file into the Java keystore:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore rhel.p12 -srcstoretype PKCS12 -srcstorepass password -alias clientKeystore

Then you update the nexus.vmoptions file with:
-Djavax.net.ssl.keyStore=/path/to/keystore.jks
-Djavax.net.ssl.keyStorePassword=changeit

Then restart nexus service.
Then configure a yum proxy repo for RHEL in the Nexus GUI. Use a URL such as:
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os

I have not gotten this to work yet. I’m still trying to get my certs from Red Hat. Specifically the CA file, since my Red Hat boxes have never reached the internet, I’ve only manually registered them into the Red Hat portal. Red Hat of course points me to Sonatype support. I’m still working with Sonatype to find a solution. I’ll let you know how it goes.


Thanks for the info Greg. Be interesting to see how you get on :)

Sonatype has an internal ticket for investigation, if you’d like to watch that: https://issues.sonatype.org/browse/NEXUS-22699
I suspect it’ll result in changes to documentation.
Respectfully forgot about this thread, so probably safer to follow there.
-Joe

oh, great! thx, just in case, i’m ready to help with testing if u need.

morning!
Since that issue closed without providing any info, can you give us any info?
I’ve updated Nexus, searched in docs but no new info.

See here: https://help.sonatype.com/display/NXRM3/Proxying+RHEL+Yum+Repositories

Rich


Hi, Followed URL steps but still not working with yum-proxy for RHEL. Used Entitlement certificate as recommended by Red Hat. Any advice would be much appreciated.

Can you give more detail to “not working”? Same issues as above?
Maybe folks who did the doc will know but I can’t hope to troubleshoot with this level of detail.
Thanks,
Joe

Hi,
Error received is the same:

http://xx.xx.xx.xx:8081/repository/RHEL7server/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found

On RHEL 7 test server. Followed docs steps as close as possible. I wasn’t clear about how to make the RM server access key part. Maybe it’s just something simple?

Regards,

David

Which step was confusing to you? 6?
-Joe

Hi Joe,

Yes step 6, step 5 relates to the client server but 6 seems to refer to the RM server folder?

Regards,

David.

Right, so the keystuff it’s requesting is the stuff you got in Step 4.
Step 5&6 could be swapped in order if that makes more sense to you. Or perhaps step 6 could just say “from step 4” to make more clear.
Hope that helps,
Joe

Hi Joe,

Got one repo working - Server (reset Red Hat cert in nexusrm again); others fail with the same error, i.e. 14/404.

Will keep trying to see if it works.

Regards,

David


Hi David,

We’re glad you’ve been able to get one repo working. To better understand the problem you’re having with the others and how we can help you resolve them, please could you clarify the following.

You said in your last message: ‘…others fail with same error i.e 14/404’. Do you mean other RM (Repository Manager) instances i.e do you have multiple Repository Manager instances running on separate boxes/machines or do you have multiple RHEL Yum proxy repository configurations within the same RM instance?

Note: in the documentation, step 4 is only for when you have an existing keystore you’re using with RM. If not, you can skip to step 5 after completing step 3. (We’ll update the documentation accordingly to make this clearer)

Regards
Olu