Why do I receive errors when I use yum on my EC2 instance that runs Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?


I receive errors when I use yum on my Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023.

Short description

To determine what error occurred, use the output messages of the yum command. You might receive one of the following common error messages:

  • "Connection timed out ABCD milliseconds"
  • "HTTP Error 403 - Forbidden"
  • "Could not resolve host: abcdexyz.$awsregion.$awsdomain"
  • "HTTP Error 407 - Proxy Authentication Required"
  • "Resolving timed out after 5000 milliseconds"

Resolution

Connection timed out ABCD milliseconds

To troubleshoot this issue, verify that the security group attached to your instance allows outbound HTTP or HTTPS traffic. Also verify that the network access control lists (network ACLs) associated with your instance's subnet allow outbound HTTP or HTTPS traffic.

The following example shows a custom network ACL that allows outbound traffic on ports 80 and 443. Because network ACLs are stateless, the inbound rules on the ephemeral port range 1024-65535 are required so that the return traffic from the repository is allowed:

Inbound rules
Rule #    Type                   Protocol    Port Range    Source        Allow/Deny
100       Custom TCP Rule        TCP (6)     1024-65535    0.0.0.0/0     ALLOW
101       Custom TCP Rule        TCP (6)     1024-65535    ::/0          ALLOW
*         ALL Traffic            ALL         ALL           ::/0          DENY
*         ALL Traffic            ALL         ALL           0.0.0.0/0     DENY

Outbound rules
Rule #    Type                   Protocol    Port Range    Destination   Allow/Deny
100       HTTP (80)              TCP (6)     80            0.0.0.0/0     ALLOW
101       HTTPS (443)            TCP (6)     443           0.0.0.0/0     ALLOW
102       HTTP (80)              TCP (6)     80            ::/0          ALLOW
103       HTTPS (443)            TCP (6)     443           ::/0          ALLOW
*         ALL Traffic            ALL         ALL           ::/0          DENY
*         ALL Traffic            ALL         ALL           0.0.0.0/0     DENY

To access Amazon Linux repositories, your instance must use one of the following internet access settings based on your configuration:

  • For an instance in a public subnet, use an internet gateway.
  • For an instance in a private subnet, use a NAT gateway, or a NAT instance.
  • For an instance in a public or private subnet, use an Amazon Simple Storage Service (Amazon S3) virtual private cloud (VPC) endpoint.
  • For an instance in a private subnet with a proxy, add the following parameters to the yum or dnf configuration file to configure yum to use the proxy:
    proxy=http://proxy-server-IP-address:proxy-port
    proxy_username=proxy-user-name
    proxy_password=proxy-password
    Note: Replace proxy-server-IP-address with the address of your proxy, proxy-port with the port that your proxy uses, proxy-user-name with your proxy username, and proxy-password with your proxy password. The proxy password is stored in plaintext in this configuration file. For more information, see Using yum with a proxy server on the Fedora Project website. For Amazon Linux 1 and Amazon Linux 2, modify the /etc/yum.conf file. For Amazon Linux 2023, modify the /etc/dnf/dnf.conf file.

After you configure your instance, run the following curl command to make sure that the instance can access the repository.

Amazon Linux 2023:

curl -I al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com

Amazon Linux 1:

curl -I repo.us-east-1.amazonaws.com

Amazon Linux 2:

curl -I amazonlinux.us-east-1.amazonaws.com

Note: In the preceding commands, replace us-east-1 with your instance's AWS Region.

The curl command is preinstalled on all Amazon Machine Images (AMIs). However, the Amazon Linux repositories can't be accessed without credentials, and the curl command can't present the repository credentials that yum uses. When you run the curl command, you receive an access denied error message similar to the following example:

$ curl -I amazonlinux.us-east-1.amazonaws.com
HTTP/1.1 403 Forbidden
x-amz-bucket-region: us-east-1
x-amz-request-id: xxxxxxxx
x-amz-id-2: xxxxxxxxxxxxx=
Content-Type: application/xml
Date: Thu, 17 Nov 2022 16:59:59 GMT
Server: AmazonS3

Use the curl command only to test whether the timeout issue is still occurring. A 403 response like the preceding example shows that the network path is reachable and the timeout issue is no longer occurring; yum itself supplies the credentials that the repository requires.
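The following script is an added example, not part of the AWS article. It probes the repository endpoint for the running Amazon Linux release and classifies the outcome the way the article does: a timeout points at the security group, network ACL or route, while an HTTP 403 from S3 means the network path works and only yum's credentials are missing. The hostnames follow the article; reading VERSION_ID from /etc/os-release and the 10-second curl limit are assumptions of this example.

```shell
# Added example (not from the AWS article): probe the Amazon Linux repository
# endpoint and classify the result. Timeout = network blocked; 403 = reachable.
set -u

# Repository host per release; "version" is the major part of VERSION_ID in /etc/os-release.
repo_host_for() {
    local version="$1" region="$2"
    case "$version" in
        2023) echo "al2023-repos-${region}-de612dc2.s3.dualstack.${region}.amazonaws.com" ;;
        2)    echo "amazonlinux.${region}.amazonaws.com" ;;
        *)    echo "repo.${region}.amazonaws.com" ;;   # Amazon Linux 1 (VERSION_ID 2018.03 and similar)
    esac
}

# Verdict from curl's exit code and the HTTP status it saw ("000" when no response).
# curl exit 6 = could not resolve host, 28 = timed out, 0 = got a response.
classify_probe() {
    local curl_exit="$1" http_status="$2"
    case "$curl_exit" in
        28) echo "timeout: check the security group, network ACL and route (internet gateway, NAT or S3 endpoint)" ;;
        6)  echo "dns: the instance cannot resolve the repository host" ;;
        0)  case "$http_status" in
                403) echo "reachable: 403 is the expected answer for unauthenticated curl" ;;
                407) echo "proxy-auth: the proxy requires credentials (HTTP 407)" ;;
                *)   echo "reachable: HTTP ${http_status}" ;;
            esac ;;
        *)  echo "error: curl exit ${curl_exit}" ;;
    esac
}

# Live check (needs the instance's network); Region defaults to us-east-1 as in the article.
probe_repo() {
    local region="${1:-us-east-1}" version host status rc
    version=$(. /etc/os-release && echo "${VERSION_ID%%.*}")
    host=$(repo_host_for "$version" "$region")
    status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -I "http://${host}/")
    rc=$?
    classify_probe "$rc" "$status"
}
```

Run `probe_repo eu-west-1` (or any Region) on the instance; the live probe is the only part that needs network access.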

HTTP Error 403 - Forbidden

You use a VPC endpoint

If you use an Amazon S3 VPC endpoint, then make sure that the attached policy allows the s3:GetObject API call based on your Linux version.

Amazon Linux 2023: arn:aws:s3:::al2023-repos-region-de612dc2/*

Amazon Linux 1: arn:aws:s3:::packages.region.amazonaws.com/* and arn:aws:s3:::repo.region.amazonaws.com/*

Amazon Linux 2: arn:aws:s3:::amazonlinux.region.amazonaws.com/* and arn:aws:s3:::amazonlinux-2-repos-region/*

Note: In the preceding resources, replace region with your instance's Region.

For more information, see Gateway endpoints for Amazon S3.

You use a proxy

If you use a proxy to access Amazon Linux repositories, then verify that the .amazonaws.com subdomain is on the allowlist in your proxy configuration.

You use an unsupported repository

You might receive the following error: "Error: Failed to download metadata for repo 'amazonlinux': GPG verification is activated, but GPG signature is not available. This may be an error or the repository does not support GPG verification". This is a known issue that occurs when you activate repo_gpgcheck in the repository files under the /etc/yum.repos.d/ directory (for example, repository.repo files) or in /etc/yum.conf. Amazon Linux 2023 repositories don't have metadata signing activated, so there is no metadata signature for yum to verify. Also, if you use this configuration for unsupported repositories, then package installations or operating system (OS) updates might fail. As a workaround, open the repository's repo file and set the value of repo_gpgcheck for that repository to 0, for example repo_gpgcheck=0. This setting turns off only the signature check on the repository metadata; leave gpgcheck=1 in place so that the individual packages are still verified against the repository's GPG key.

For more information about this situation, see [Bug] - not able to install/upgrade packages after activating repo_gpgcheck on the GitHub website.

Could not resolve host: abcdexyz.$awsregion.$awsdomain

The /etc/yum/vars directory must include the awsdomain and awsregion variables. To verify that the /etc/yum/vars directory defines your custom yum variables, run the following commands:

$ cat /etc/yum/vars/awsregion
us-east-1

$ cat /etc/yum/vars/awsdomain
amazonaws.com

Note: Replace us-east-1 with your instance's Region.

The instance must resolve the domain name of the Amazon Linux repositories. To verify your instance's DNS resolution, run the following commands:

$ dig amazonlinux.us-east-1.amazonaws.com

$ dig repo.us-east-1.amazonaws.com

$ dig al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com

Note: Replace us-east-1 with your instance's Region.

Note that queries to the Amazon-provided DNS server at the 169.254.169.253 IPv4 address and the fd00:ec2::253 IPv6 address succeed. Queries to the Amazon-provided DNS server at the reserved IP address at the base of the VPC IPv4 network range plus two also succeed. The IPv6 address is accessible only on Nitro-based EC2 instances.
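The following functions are an added example, not part of the AWS article. They reproduce how yum and dnf expand $awsregion and $awsdomain from the files in /etc/yum/vars, which shows why a missing variable file leaves the literal "$awsregion.$awsdomain" in the hostname that yum then fails to resolve. The vars directory is passed as a parameter so the check can run against any copy; the mirror-list URL template used for testing is constructed for this example.

```shell
# Added example (not from the AWS article): expand $name placeholders in a repo
# URL the way yum does, from files named after the variable in the vars directory.
# A variable with no file stays as the literal "$name", which is exactly the
# "abcdexyz.$awsregion.$awsdomain" hostname in the error message.

# Names yum defines itself (not read from /etc/yum/vars); they are left untouched here.
is_builtin_var() {
    case "$1" in releasever|basearch|arch) return 0 ;; *) return 1 ;; esac
}

# List the distinct $variables referenced by a URL template, one per line.
vars_in_template() {
    printf '%s\n' "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u
}

# Substitute every variable that has a readable file in the vars directory.
expand_yum_vars() {
    local vars_dir="$1" url="$2" name value
    for name in $(vars_in_template "$url"); do
        is_builtin_var "$name" && continue
        if [ -r "${vars_dir}/${name}" ]; then
            value=$(head -n 1 "${vars_dir}/${name}")
            # "[$]" keeps the dollar sign literal in the sed pattern.
            url=$(printf '%s' "$url" | sed "s/[\$]${name}/${value}/g")
        fi
    done
    printf '%s\n' "$url"
}

# Report the variables a template needs that the vars directory does not define.
missing_yum_vars() {
    local vars_dir="$1" url="$2" name
    for name in $(vars_in_template "$url"); do
        is_builtin_var "$name" && continue
        [ -r "${vars_dir}/${name}" ] || printf '%s\n' "$name"
    done
}
```

On an instance, `missing_yum_vars /etc/yum/vars "$(grep -m1 '^mirrorlist=' /etc/yum.repos.d/amzn2-core.repo | cut -d= -f2-)"` prints nothing when the vars directory is complete.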

HTTP Error 407 - Proxy Authentication Required

This issue occurs when your proxy can't complete the request because yum or dnf doesn't have the correct authentication credentials for your proxy server. To configure yum or dnf to use a proxy, modify the configuration file with the following parameters:

proxy=http://proxy-server-IP-address:proxy-port
proxy_username=proxy-user-name
proxy_password=proxy-password

Note: Replace proxy-server-IP-address with the address of your proxy, proxy-port with the port that your proxy uses, proxy-user-name with your proxy username, and proxy-password with your proxy password. The proxy password is stored in plaintext in this configuration file. For Amazon Linux 1 and Amazon Linux 2, modify the /etc/yum.conf file. For Amazon Linux 2023, modify the /etc/dnf/dnf.conf file.

Resolving timed out after 5000 milliseconds

Run the following command to verify that the /etc/resolv.conf file has the correct IP address for your DNS server:

$ cat /etc/resolv.conf
nameserver YourDNSIP

To modify the default timeout period of 5000 ms, modify the timeout value in the yum configuration file. For more information, see yum.conf on the die.net website. For Amazon Linux 2023, change the metadata_expire value in /etc/yum.repos.d/amazonlinux.repo to modify the timeout period.

To use a dig command to check the query time, run the following command:

$ dig repo.us-east-1.amazonaws.com | grep time

Note: Replace us-east-1 with your instance's Region.

AWS OFFICIAL, updated 4 months ago

1 Comment

In my case, the 403 Forbidden error was due to having repo_gpgcheck enabled globally (for security compliance). Since Amazon is not yet signing the repo (repo metadata?), the repomd.xml.asc file was not available to download and produced the error. A 404 error seems like it would be a more appropriate error in that case.

Adding 'repo_gpgcheck=0' to each enabled Amazon repo fixed my issue.

replied 5 months ago