How to configure an HTTP/HTTPS proxy for the host-metering service?
Environment
- Red Hat Enterprise Linux Server - Extended Life Cycle Support
- Red Hat Enterprise Linux 7.9
- Red Hat Cloud Access
- Microsoft Azure
- Amazon Web Services (AWS)
Issue
- How to configure proxy for host-metering service?
- Host-metering service is not using the proxy and failing with error:

    Jun 13 11:19:18 ip-xxx-xx-xx-xx host-metering[xxxx]: Cannot notify: missing HostId
    Jun 13 11:29:18 ip-xxx-xx-xx-xx host-metering[xxxx]: Cannot notify: missing HostId
Resolution
- Use the following steps to add the proxy details for the host-metering service on Red Hat Enterprise Linux 7.9.
- It is necessary to allow the following hostnames and ports through the corporate firewall and proxy:

    cert.console.redhat.com:443
    subscription.rhn.redhat.com:443
    subscription.rhsm.redhat.com:443
    cdn.redhat.com:443
    *.akamaiedge.net:443
    *.akamaitechnologies.com:443

- Create a file under /etc/systemd/system/host-metering.service.d and add the proxy settings, so that they override any changes when the daemon is reloaded:

    # mkdir -p /etc/systemd/system/host-metering.service.d
    # vi /etc/systemd/system/host-metering.service.d/proxy.conf
    [Service]
    Environment=HTTP_PROXY=http://proxy.example.com:proxy_port
    Environment=HTTPS_PROXY=http://proxy.example.com:proxy_port

- Restart the host-metering service:

    # systemctl daemon-reload
    # systemctl restart host-metering.service

- Check the status of the service using systemctl status host-metering to ensure that the proper data is reported through the proxy:

    # systemctl status host-metering
    ● host-metering.service - Host metering service
       Loaded: loaded (/usr/lib/systemd/system/host-metering.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2024-06-05 10:44:53 CDT; 1 weeks 1 days ago
     Main PID: xxxx (host-metering)
        Tasks: 8
       Memory: 17.9M
       CGroup: /system.slice/host-metering.service
               └─xxxx /usr/bin/host-metering daemon

    Jun 13 11:44:55 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification successful - sent 1 sample(s)
    Jun 13 11:54:55 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification successful - sent 1 sample(s)
    Jun 13 12:04:56 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification successful - sent 1 sample(s)
    Jun 13 12:14:55 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification successful - sent 1 sample(s)
    Jun 13 12:24:55 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification successful - sent 1 sample(s)
Root Cause
- The proxy entry/parameter was not properly identified by the host-metering service, so the service was not able to use the proxy.
Diagnostic Steps
- Check the drop-in file under /etc/systemd/system/host-metering.service.d/proxy.conf:

    # cat /etc/systemd/system/host-metering.service.d/proxy.conf

- The following error appears in journalctl -u host-metering:

    # journalctl -u host-metering
    Jun 17 12:47:42 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification [2 sample(s)]: recoverable notify error: Post "https://cert.console.redhat.com/api/rhel-telemetry/v1/receive": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
    Jun 17 12:57:42 ip-xxx-xx-xx-xx host-metering[xxxx]: Notification [3 sample(s)]: recoverable notify error: Post "https://cert.console.redhat.com/api/rhel-telemetry/v1/receive": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

- Check the connectivity:

    # curl -vvv https://cert.console.redhat.com/api/rhel-telemetry/v1/receive
    * About to connect() to proxy proxy.example.com port xxxx (#0)
    *   Trying xxx.xx.xx.xxx...
    * Connected to proxy.example.com (xxx.xx.xx.xxx) port xxxx (#0)
    * Establish HTTP proxy tunnel to cert.console.redhat.com:443
    > CONNECT cert.console.redhat.com:443 HTTP/1.1
    > Host: cert.console.redhat.com:443
    > User-Agent: curl/7.29.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    <
    * Proxy replied OK to CONNECT request
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * NSS: client certificate not found (nickname not specified)
    * SSL connection using TLSE_ECDSA_WITH_SHA384
    * Server certificate:
    *   subject: CN=entitlement.mtls.redhat.com,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
    *   start date: May 14 00:00:00 2024 GMT
    *   expire date: Sep 17 23:59:59 2024 GMT
    *   common name: entitlement.mtls.redhat.com
    *   issuer: CN=xxxxxxx TLS RSA SHA256 2020 CA1,O=xxxxxx,C=US
    > GET /api/rhel-telemetry/v1/receive HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: cert.console.redhat.com
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < Content-Type: text/plain; charset=utf-8
    < x-content-type-options: nosniff
    < Content-Length: 100
    < Date: Wed, 19 Jun 2024 09:24:01 GMT
    < Connection: keep-alive
    < Set-Cookie: xxxxxxxxx; path=/; HttpOnly; Secure; SameSite=None
    < x-rh-edge-request-id: 2fe5230
    < x-rh-edge-reference-id: 0.958f7b5c.1718789041.2fe5230
    < x-rh-edge-cache-status: NotCacheable from child
    < X-Frame-Options: SAMEORIGIN
    < Strict-Transport-Security: max-age=31536000; includeSubDomains
    <
    subject is empty. Organisation and Common Name name must be sent in request header x-rh-certauth-cn
    * Connection #0 to host proxy.example.com left intact

  In this output the proxy accepts the CONNECT request (HTTP/1.1 200 Connection established), and the 403 Forbidden is returned by cert.console.redhat.com itself because curl sent no client certificate, so the network path through the proxy is working.
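
The drop-in check from the first diagnostic step can be automated. The following is an added example, not part of the original article or Red Hat's tooling: a POSIX shell function (check_proxy_dropin, a hypothetical name) that flags the mistakes that leave the service without a usable proxy, including the article's proxy_port placeholder left unreplaced. It assumes one assignment per Environment= line, as in the article.

```shell
#!/bin/sh
# Added example, not Red Hat's code: lint a host-metering proxy drop-in.
# Assumes one assignment per Environment= line, as in the article.
# Prints findings; the return status is the number of problems found.
check_proxy_dropin() (
    file=$1; problems=0; section=""; seen=""
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "["*"]") section=$line; continue ;;
            Environment=*) ;;
            *) continue ;;
        esac
        kv=${line#Environment=}; kv=${kv#\"}; kv=${kv%\"}   # optional quotes
        var=${kv%%=*}; url=${kv#*=}
        case $var in HTTP_PROXY|HTTPS_PROXY) ;; *) continue ;; esac
        seen="$seen $var"
        hostport=${url#*://}; hostport=${hostport%/}
        shown=${hostport##*@}            # never echo embedded credentials
        [ "$section" = "[Service]" ] ||
            fail "$var is outside [Service]; systemd ignores it there"
        case $url in
            http://*|https://*) ;;
            *) fail "$var needs an http:// or https:// scheme ($shown)" ;;
        esac
        case $shown in
            *:*) port=${shown##*:} ;;
            *) port="" ;;
        esac
        case $port in
            ""|*[!0-9]*) fail "$var port is not numeric ($shown)" ;;
        esac
        case $hostport in
            *@*) echo "WARN: $var embeds credentials; unit environment is visible via 'systemctl show'" ;;
        esac
    done < "$file"
    for want in HTTP_PROXY HTTPS_PROXY; do
        case " $seen " in *" $want "*) ;; *) fail "$want is not set" ;; esac
    done
    [ "$problems" -eq 0 ] && echo "OK: $file"
    exit "$problems"
)

# Constructed sample: the article's template with the placeholder left in.
sample=$(mktemp)
printf '%s\n' '[Service]' \
    'Environment=HTTP_PROXY=http://proxy.example.com:proxy_port' \
    'Environment=HTTPS_PROXY=http://proxy.example.com:proxy_port' > "$sample"
check_proxy_dropin "$sample" || echo "problems found: $?"
rm -f "$sample"
```

After correcting the file and reloading the daemon, `systemctl show -p Environment host-metering` shows the environment systemd actually applied to the unit.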