Hi. I have created a CentOS yum repos proxy and it is working fine. But when I created one for a Red Hat yum proxy, it doesn’t work. We have a valid Red Hat subscription actually. Is it because Red Hat does not allow 3rd parties to connect to their server, or because Nexus doesn’t support this?
Thank you
From client error message:
[root@uat ~]# yum install nc
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
http://192.168.65.111:8081/repository/yum-rhel7-proxy/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article
You’d need to expand the variables $releasever and $basearch appropriately for this to work. But I think you’re going to run into another problem. Client side SSL certificates aren’t working in Repo 3, and I believe that will be needed to get access to that repository. We’ve bumped up the priority of this issue in our backlog:
I am also trying to create a Red Hat yum proxy and have the same problem, where I get a HTTP 403 returned. I am assuming this is because cdn.redhat requires authentication - in particular I think it expects you to pass it sslclientcert, sslclientkey, sslcacert (see How to authenticate to https://cdn.redhat.com - Red Hat Customer Portal). sslclientkey and sslclientcert are found in /etc/pki/entitlement on your Red Hat system and I believe are generated as part of your RHN subscription.
Presumably, Nexus does not pass these details forward (I have defined these fields in my local nexus.repo file but see no evidence of them being provided to the cdn endpoint).
I’d be interested to know if I’m approaching this the wrong way, or if there is an alternative method that allows you to sync Red Hat repositories with Nexus. I have searched through a lot of articles but haven’t found much to suggest this is possible.
Steve, I am trying to build the same exact type of repo in Nexus to CDN.redhat.com. Apparently we have to take the entitlement certs from Red Hat, and somehow get a CA cert from Red Hat, and then use a command like this:
openssl pkcs12 -export -in content-rhel7.crt -inkey content-rhel7.key -out rhel.p12 -name clientKeystore -CAfile cdn.redhat.com-chain.crt -caname cdn.redhat.com
Then we have to import that p12 file into the Java keystore:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore rhel.p12 -srcstoretype PKCS12 -srcstorepass password -alias clientKeystore
Then you update the nexus.vmoptions file with:
-Djavax.net.ssl.keyStore=/path/to/keystore.jks
-Djavax.net.ssl.keyStorePassword=changeit
I have not gotten this to work yet. I’m still trying to get my certs from Red Hat. Specifically the CA file, since my Red Hat boxes have never reached the internet; I’ve only manually registered them into the Red Hat portal. Red Hat of course points me to Sonatype support. I’m still working with Sonatype to find a solution. I’ll let you know how it goes.
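A pre-flight check for the certificate steps in the post above, added here as an example and not part of the thread or of Sonatype's documentation: it confirms the entitlement certificate and key belong together and have not expired before building the PKCS#12 file, then confirms the file holds a private key. The function names, the `P12_PASS` variable and the throwaway self-signed pair are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the entitlement
# cert/key pair before the "openssl pkcs12 -export" and "keytool" steps.
# Function names and the P12_PASS variable are assumptions of this sketch.

# 0 if CERT and KEY carry the same public key, 1 if not, 2 if unreadable.
pair_matches() {   # usage: pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is still valid DAYS days from now (entitlement certs expire).
cert_valid_for() {   # usage: cert_valid_for CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Build OUT only from a matching pair. The password is read from the
# exported P12_PASS variable (not argv) and the file is created mode 0600.
build_p12() {   # usage: build_p12 CERT KEY OUT
    pair_matches "$1" "$2" || { echo "cert/key mismatch: $1 $2" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name clientKeystore -passout env:P12_PASS )
}

# 0 if the PKCS#12 file opens with P12_PASS and holds a private key, which
# Java needs in order to present a client certificate.
p12_has_key() {   # usage: p12_has_key FILE
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Constructed test material: a throwaway self-signed pair, NOT a real
# Red Hat entitlement certificate.
make_constructed_pair() {   # usage: make_constructed_pair PREFIX
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-entitlement" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# With the file names used in the thread:
#   export P12_PASS=...; build_p12 content-rhel7.crt content-rhel7.key rhel.p12
```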
Sonatype has an internal ticket for investigation, if you’d like to watch that: https://issues.sonatype.org/browse/NEXUS-22699
I suspect it’ll result in changes to documentation.
Respectfully forgot about this thread, so probably safer to follow there.
-Joe
Hi, Followed URL steps but still not working with yum-proxy for RHEL. Used Entitlement certificate as recommended by Red Hat. Any advice would be much appreciated.
Can you give more detail to “not working”? Same issues as above?
Maybe folks who did the doc will know but I can’t hope to troubleshoot with this level of detail.
Thanks,
Joe
On RHEL 7 test server. Followed docs steps as close as possible. I wasn’t clear about how to make the RM server access key part. Maybe it’s just something simple?
Right, so the key stuff it’s requesting is the stuff you got in Step 4.
Step 5&6 could be swapped in order if that makes more sense to you. Or perhaps step 6 could just say “from step 4” to make more clear.
Hope that helps,
Joe
We’re glad you’ve been able to get one repo working. To better understand the problem you’re having with the others and how we can help you resolve them, please could you clarify the following.
You said in your last message: ‘…others fail with same error i.e. 14/404’. Do you mean other RM (Repository Manager) instances, i.e. do you have multiple Repository Manager instances running on separate boxes/machines, or do you have multiple RHEL Yum proxy repository configurations within the same RM instance?
Note: in the documentation, step 4 is only for when you have an existing keystore you’re using with RM. If not, you can skip to step 5 after completing step 3. (We’ll update the documentation accordingly to make this clearer)