Refresh of RPM repository fails on older SLES installations

[matthiasblaesing]

Installation of Amazon Corretto on SLES 12.5 fails when the repositories are refreshed. The issue seems to be, that the repository returns an access denied error for the URL:

https://yum.corretto.aws/x86_64/media.1/media

In newer versions rpm seems to ignore the access denied error, but the version from SLES 12.5 shows this behaviour:

XXXXXXX@YYYYYYY:/home/XXXXXXX> sudo zypper addrepo https://yum.corretto.aws/corretto.repo                                                                                                                      
Adding repository 'Amazon Corretto' ......................................................................................................................................................................................................[done]
Repository 'Amazon Corretto' successfully added

URI         : https://yum.corretto.aws/x86_64
Enabled     : Yes                            
GPG Check   : Yes                            
Autorefresh : No                             
Priority    : 99 (default priority)          

Repository priorities are without effect. All enabled repositories share the same priority.
XXXXXXX@YYYYYYY:/home/XXXXXXX> sudo zypper refresh                                                                                                                                                                                           
Retrieving repository 'Amazon Corretto' metadata .........................................................................................................................................................................................[done]
Building repository 'Amazon Corretto' cache ..............................................................................................................................................................................................[done]
Repository 'SLE-Module-Web-Scripting12-Pool' is up to date.                                                                                                                                                                                     
Repository 'SLE-Module-Web-Scripting12-Updates' is up to date.                                                                                                                                                                                  
Repository 'SLE-SDK12-SP5-Pool' is up to date.                                                                                                                                                                                                  
Repository 'SLE-SDK12-SP5-Updates' is up to date.                                                                                                                                                                                               
Repository 'SLES12-SP5-Pool' is up to date.                                                                                                                                                                                                     
Repository 'SLES12-SP5-Updates' is up to date.                                                                                                                                                                                                  
Repository 'adoptopenjdk' is up to date.                                                                                                                                                                                                        
Repository 'Network Utilities (SLE_12)' is up to date.                                                                                                                                                                                          
Repository 'Server Monitoring Software (SLE_12)' is up to date.                                                                                                                                                                                 
All repositories have been refreshed.
XXXXXXX@YYYYYYY:/home/XXXXXXX> sudo zypper refresh
Permission to access 'https://yum.corretto.aws/x86_64/media.1/media' denied.
Abort, retry, ignore? [a/r/i/...? shows all options] (a): a                                                                                                                                                                                     
ABORT request: Aborting requested by user
XXXXXXX@YYYYYYY:/home/XXXXXXX> sudo zypper -v refresh
Verbosity: 1
Initializing Target
Specified repositories: 
Checking whether to refresh metadata for Amazon Corretto
Retrieving: repomd.xml ...................................................................................................................................................................................................................[done]
Permission to access 'https://yum.corretto.aws/x86_64/media.1/media' denied.
Abort, retry, ignore? [a/r/i/...? shows all options] (a): a                                                                                                                                                                                     
ABORT request: Aborting requested by user
XXXXXXX@YYYYYYY:/home/XXXXXXX> 

To Reproduce

1. Instead of SLES 12.5 OpenSuse 42.3 (freely available with similar base distribution) can be used to reproduce: http://ftp5.gwdg.de/pub/opensuse/discontinued/distribution/leap/42.3/iso/openSUSE-Leap-42.3-DVD-x86_64.iso
2. Create a VM from the above download (or from a local SLES 12.5 copy)
3. Run sudo zypper addrepo https://yum.corretto.aws/corretto.repo
4. Run sudo zypper refresh and accept the unknown repository key
5. Run sudo zypper -v refresh

Result:

If refresh is forced, it will work, but that is not a good state to run in production.

Expected behavior

No error is reported, the repository data is up-to-date.

Additional infos

This issue from SuSE diagnoses, that the server should return a 404 for a non existing path and not 403, which sound reasonable:

https://bugzilla.opensuse.org/show_bug.cgi?id=1032348

Maybe the directory settings just need to be changed, so that not existing files are reported as not existing files.

[lutkerd]

Thank you for bringing this to our attention.

We will investigate and see if we can change this behavior without causing other issues.

[matthiasblaesing]

To work around this issue I now used a local apache server to filter out the broken URL. I create a local proxy (first line ensures the media.1/media url generates a 404, and in other cases proxies to the repository):

        ProxyPass /corretto/x86_64/media.1/media https://HOSTNAME/notexisting
        ProxyPass /corretto https://yum.corretto.aws

and use that with the corresponding repo definition:

[AmazonCorretto]
name=Amazon Corretto
baseurl=https://HOSTNAME/corretto/$basearch
enabled=1
gpgkey=https://yum.corretto.aws/corretto.key
gpgcheck=1

While that works, it is not a solution for a production system.