http://key:null@download.hpe/ is just the direct form of specifying http basic auth credentials. You should enter them into the upstream authorization fields for the repository. That’s where they belong. I don’t know why you think you have to pass them in the URL. It shouldn’t make a difference.
The problem is this bug: Bug #32994: Sync of content from an authenticated yum repository fails - Katello - Foreman
See also Katello 4.1: repo sync fails for repository requiring username/password
Basically, authenticated URL access seems to broken at the moment…