
Why do I receive errors when I use yum or dnf on my Amazon EC2 instance that runs Amazon Linux?


My Amazon Elastic Compute Cloud (Amazon EC2) instance runs Amazon Linux 2 (AL2) or Amazon Linux 2023 (AL2023). I receive errors when I use yum or dnf.

Short description

To identify the error that occurred, use the output message of the yum or dnf command that you ran on your EC2 instance.

You might receive one of the following error messages:

  • "Connection timed out ABCD milliseconds"
  • "HTTP Error 403 - Forbidden"
  • "HTTP Error 407 - Proxy Authentication Required"
  • "GPG verification is enabled, but GPG signature is not available"
  • "Could not resolve host: abcdexyz.$awsregion.$awsdomain"
  • "Resolving timed out after 5000 milliseconds"
  • "Failed to download metadata for repo: Cannot prepare internal mirrorlist"
  • "Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available"
  • "/usr/bin/python: bad interpreter: No such file or directory"
  • "rpmdb: BDB0004 fop_read_meta: unexpected file type or format"
  • "No package X available"

Resolution

Note: AL2023 uses the dnf command and AL2 uses the yum command. AL2 reaches end of life on June 30, 2026. Make sure to migrate to AL2023 before that date.

Take the following actions based on the error message that you received.

"Connection timed out ABCD milliseconds"

Make sure that your instance allows outbound HTTP and HTTPS traffic

Make sure that the instance's security group and network access control lists (network ACLs) allow outbound traffic on ports 80 (HTTP) and 443 (HTTPS). Because network ACLs are stateless, also make sure that they allow the inbound return traffic on ephemeral ports 1024-65535. Security groups are stateful and don't need a matching inbound rule.

Check the operating system (OS) firewall rules to confirm that no rules block outbound traffic on ports 80 or 443. Run the following command for the firewall that your instance uses.

iptables:

sudo iptables -L -n

Firewalld:

sudo firewall-cmd --list-all

nftables:

sudo nft list ruleset

Check your network configuration settings

To access Amazon Linux repositories, you must use one of the following network configurations:

  • For an instance in a public subnet, use an internet gateway.
    Note: The instance must have a public IP address or Elastic IP address.
  • For an instance in a private subnet, use a NAT gateway or a NAT instance.
  • For an instance in a private subnet without internet access, use an Amazon Simple Storage Service (Amazon S3) virtual private cloud (VPC) endpoint. With a VPC endpoint, you can directly reach the repository buckets.
  • For an instance that uses a proxy, configure yum or dnf to use the proxy. Add the following parameters to the /etc/yum.conf file for AL2 instances and the /etc/dnf/dnf.conf file for AL2023 instances:
    proxy=http://proxy-server-IP-address:proxy-port
    proxy_username=proxy-user-name
    proxy_password=proxy-password
    Note: Replace proxy-server-IP-address and proxy-port with the address and port that your proxy uses, proxy-user-name with your proxy username, and proxy-password with your proxy password. Don't rely on shell environment variables such as http_proxy or https_proxy: sudo resets the environment by default, so yum and dnf don't see them. Configure the proxy settings directly in the configuration file. That file is world-readable, so the password is visible to every local user; omit proxy_username and proxy_password if your proxy can authenticate the instance by its source address instead.
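The following shell functions, added here as an example and not part of the AWS article, write the proxy settings above into the [main] section of a yum.conf or dnf.conf file in a way that can be re-run after a credential rotation without leaving duplicate or stale proxy= lines behind. The configuration file path is a parameter so that you can try it on a copy first; the proxy hostname, port and credentials used in the test are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS article): set the yum/dnf proxy settings in
# the [main] section of a configuration file idempotently, so re-running it
# after a credential rotation replaces the old values instead of appending
# duplicates. Intended for /etc/yum.conf (AL2) or /etc/dnf/dnf.conf (AL2023),
# which carry only a [main] section. Proxy host, port and credentials are
# placeholders supplied by the caller.

# usage: set_pkg_proxy <conf-file> <proxy-url> [username] [password]
set_pkg_proxy() {
    conf="$1"; url="$2"; user="${3:-}"; pass="${4:-}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    tmp="${conf}.tmp.$$"
    # Drop every existing proxy, proxy_username and proxy_password key
    # (commented out or not) so that exactly one copy of each remains.
    grep -v -E '^[[:space:]]*#?[[:space:]]*proxy(_username|_password)?[[:space:]]*=' "$conf" > "$tmp" || true
    # yum and dnf only honour proxy settings under [main]; create it if absent.
    grep -q '^\[main\]' "$tmp" || printf '[main]\n' >> "$tmp"
    # Insert the keys directly after the [main] header. Note: awk -v processes
    # backslash escapes, so a password containing backslashes needs escaping.
    awk -v url="$url" -v user="$user" -v pass="$pass" '
        { print }
        /^\[main\]/ && !done {
            print "proxy=" url
            if (user != "") print "proxy_username=" user
            if (pass != "") print "proxy_password=" pass
            done = 1
        }' "$tmp" > "$conf" && rm -f "$tmp"
}

# usage: get_pkg_proxy <conf-file>  -> prints the effective proxy URL (empty if none)
get_pkg_proxy() {
    sed -n 's/^[[:space:]]*proxy[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}
```

Run it as root against the real file once the result looks right on a copy. Because the redirection truncates the existing file in place, the file's mode and ownership are preserved; keep in mind that the password still lands in a world-readable file.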

Check for issues with third-party repositories

An unreachable third-party repository in /etc/yum.repos.d/ can block all yum operations.

To identify the repository with issues, run the following command:

yum repolist -v

To temporarily deactivate the repository with issues, run the following command:

sudo yum --disablerepo=reponame update

Note: Replace reponame with the repository name. On AL2023, replace yum with dnf.

Confirm that you can access the Amazon Linux repository

Run the following command based on your Amazon Linux version to confirm that you can reach the repository endpoint.

AL2023:

curl -I al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com

AL2:

curl -I amazonlinux.us-east-1.amazonaws.com 

Note: Replace us-east-1 with your instance's AWS Region. The preceding command tests only network reachability. A 403 response confirms that the repository is reachable: the bucket root can't be listed anonymously, so Amazon S3 answers a HEAD request on it with 403, while the individual repository objects that yum or dnf fetch are readable. If the command times out instead, then the network path to the repository is still blocked.
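The following shell functions, added here as an example and not part of the AWS article, wrap the curl probe above and map its outcome onto the error classes that this article covers, so that a single command tells you which section to read next. The bucket names are the ones listed in this article; the classification rules and the 10-second ceiling are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the AWS article): probe the Amazon Linux repository
# endpoint with curl and map the result onto the error classes this article
# covers. Assumes curl is installed and that the hostnames below are the ones
# the article gives for AL2023 and AL2.

# Build the repository hostname for an Amazon Linux major version and a Region.
repo_host() {
    case "$1" in
        2023) printf 'al2023-repos-%s-de612dc2.s3.dualstack.%s.amazonaws.com\n' "$2" "$2" ;;
        2)    printf 'amazonlinux.%s.amazonaws.com\n' "$2" ;;
        *)    printf 'unsupported Amazon Linux version: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Translate a curl exit code plus HTTP status into the article's error class.
# 403 from S3 is the healthy answer here: the bucket root isn't listable, but
# the endpoint was reached over TLS, which is what matters for yum/dnf.
classify() {
    curl_rc="$1"; http_code="$2"
    case "$curl_rc" in
        0)  case "$http_code" in
                403|200|301|302) echo "reachable" ;;
                407)             echo "proxy-auth-required" ;;
                *)               echo "unexpected-http-$http_code" ;;
            esac ;;
        6)     echo "dns-failure" ;;          # "Could not resolve host"
        7)     echo "connection-refused" ;;   # proxy or firewall rejected the TCP connection
        28)    echo "timeout" ;;              # "Connection timed out" / "Resolving timed out"
        35|60) echo "tls-failure" ;;          # TLS inspection or an untrusted CA in the path
        *)     echo "curl-error-$curl_rc" ;;
    esac
}

# Run the probe and print the classification. --max-time makes a blocked path
# fail fast as a timeout instead of hanging the shell.
probe_repo() {
    host=$(repo_host "$1" "$2") || return 1
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -I "https://$host/")
    rc=$?
    classify "$rc" "$code"
}
```

Usage on an instance is `probe_repo 2023 us-east-1` (or `probe_repo 2 us-east-1` on AL2). A result of `timeout` points at the security group, network ACL, route or OS firewall checks above; `dns-failure` and `tls-failure` point at the "Could not resolve host" and proxy sections later in this article.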

"HTTP Error 403 – Forbidden" or "HTTP Error 407 – Proxy Authentication Required"

Note: Amazon S3 returns HTTP 403 rather than HTTP 404 for a path that doesn't exist when the caller lacks s3:ListBucket on the bucket, so a wrong repository URL looks like a permissions problem.

If your yum or dnf URL contains an incorrect path because of configuration issues, then you receive a 403 error. To troubleshoot this issue, take the following actions based on your configuration.

You use a VPC endpoint

If you use an Amazon S3 VPC endpoint, then make sure that the VPC endpoint policy has the required permissions. Allow s3:GetObject and s3:ListBucket on the following repository bucket Amazon Resource Names (ARNs) based on your Amazon Linux version.

AL2023:

arn:aws:s3:::al2023-repos-region-de612dc2

arn:aws:s3:::al2023-repos-region-de612dc2/*

AL2:

arn:aws:s3:::amazonlinux-2-repos-region

arn:aws:s3:::amazonlinux-2-repos-region/*

Note: Replace region with your instance's Region. If you have instances in multiple Regions, then make sure that the VPC endpoint policy in each Region includes the required permissions.

If you also use an AWS Identity and Access Management (IAM) instance profile, then confirm that the instance's IAM role has the required permissions.

Example permissions policy:

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::al2023-repos-region-de612dc2",
    "arn:aws:s3:::al2023-repos-region-de612dc2/*"
  ]
}

Note: Replace region with your instance's Region.

For more information, see Gateway endpoints for Amazon S3.
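As a complete worked example (added here, not taken from the AWS article), the following gateway endpoint policy grants exactly the two actions listed above on both the AL2 and the AL2023 repository buckets for a single Region. The Region us-east-1 is an assumption; substitute your own. Because yum and dnf fetch the repositories without signing requests, the statement uses the wildcard principal that gateway endpoint policies require.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonLinuxRepositories",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amazonlinux-2-repos-us-east-1",
        "arn:aws:s3:::amazonlinux-2-repos-us-east-1/*",
        "arn:aws:s3:::al2023-repos-us-east-1-de612dc2",
        "arn:aws:s3:::al2023-repos-us-east-1-de612dc2/*"
      ]
    }
  ]
}
```

Replacing the default full-access endpoint policy with a statement like this one is the least-privilege form, but it also means that any other S3 traffic that flows through the same gateway endpoint (for example, your own application buckets or AWS Systems Manager prerequisites) needs its own Allow statement.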

You migrated from AL2 to AL2023

AL2023 uses different repository bucket URLs than AL2. After you migrate, update your proxy, firewall, and VPC endpoint policies to allow traffic to the new AL2023 URLs. AL2023 uses the al2023-repos-region-de612dc2.s3.dualstack.region.amazonaws.com format.

Note: Replace region with your Region. If your repository references cdn.amazonlinux.com, then the URL requires internet access. The URL doesn't work for instances in private subnets that have only a VPC endpoint. In this scenario, use the mirrorlist format. The default mirrorlist URL is mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/$basearch/mirror.list.

You have an incorrect release version variable

The /etc/dnf/vars/releasever file might contain an incorrect value such as 2023 instead of the fully versioned 2023.6.20250929 format. Or, the system-release package might be missing. In this scenario, dnf constructs a repository URL that's not valid and you receive a "403 Forbidden" error for the nonexistent path.

To resolve this issue, complete the following steps:

  1. Run the following commands to check the current release version:

    cat /etc/dnf/vars/releasever
    rpm -q system-release
  2. If the system-release package is missing, then run the following commands to set a temporary release version and reinstall the package:

    echo "latest" | sudo tee /etc/dnf/vars/releasever
    sudo dnf install system-release
  3. Run the following command to remove the manually configured release version so that dnf uses the system default:

    sudo rm /etc/dnf/vars/releasever
  4. (Optional) To update the repository version, run the following command:

    sudo dnf upgrade --releasever=latest

    Important: The preceding command allows the system-release package to control the version. If you manually set /etc/dnf/vars/releasever, then you must update the file each time that you upgrade to a later AL2023 release. You won't automatically receive security updates for newer versions. For more information about how releasever determines repository version, see Using Deterministic upgrades through versioned repositories.

You use a proxy

If you use a proxy to access Amazon Linux repositories, then check the following configurations:

  • Make sure that the .amazonaws.com domain is on the allowlist in your proxy configuration.
  • Make sure that the proxy doesn't perform SSL/TLS inspection on traffic to AWS repository endpoints.
    Note: Proxies that inspect SSL/TLS, such as Zscaler, can cause certificate trust failures and might block .rpm files by default.
  • Make sure that the proxy configuration in /etc/yum.conf for AL2 or /etc/dnf/dnf.conf for AL2023 matches your proxy settings.

If you receive the "HTTP Error 407 – Proxy Authentication Required", then confirm that the proxy_username and proxy_password values are correct in the configuration file. Also, confirm that your proxy credentials haven't expired or been rotated.

To test your proxy connectivity, run the following command:

curl -I -x http://proxy-server:port https://al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com 

Note: Replace proxy-server with your proxy hostname or IP address, port with your proxy port, and us-east-1 with your instance's Region.

"GPG verification is enabled, but GPG signature is not available"

If you set repo_gpgcheck=1 in /etc/yum.repos.d/amazonlinux.repo but the repository doesn't provide signed metadata, then you receive the "GPG signature is not available" error message.

By default, the AL2023 repository has repo_gpgcheck set to 0. If you or a security compliance tool updated the value to 1, then you encounter issues.

To resolve this issue, run the following command to set repo_gpgcheck to 0:

sudo sed -i 's/repo_gpgcheck=1/repo_gpgcheck=0/' /etc/yum.repos.d/amazonlinux.repo

Or, run the following command to perform a one-time update without a GPG check:

sudo dnf update --nogpgcheck

Important: --nogpgcheck skips package signature verification as well as metadata signature verification for that run, so use it only as a one-time fallback. Leave gpgcheck=1 in place; only repo_gpgcheck needs to return to 0.

For more information about this issue, see [Bug] - not able to install/upgrade packages after activating repo_gpgcheck on the GitHub website.
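The two settings are easy to confuse when a compliance tool rewrites repository files, so the following shell functions, added here as an example and not part of the AWS article, audit every .repo file in a directory and report the two values separately: sections with repo_gpgcheck=1 (the setting that causes the error above) and sections with gpgcheck=0 (package signature checking off, the change to refuse). The directory is a parameter so that a scratch copy can be audited; the sample repository files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the AWS article): audit the .repo files in a
# directory and separate the two GPG settings that are easy to confuse.
# repo_gpgcheck=1 verifies the repository *metadata* signature and triggers
# the error above on Amazon Linux; gpgcheck=1 verifies each *package*
# signature and should stay on. Point it at /etc/yum.repos.d on a real system.

# Print one line per repository section:
#   <file>:<section> repo_gpgcheck=<value> gpgcheck=<value>
# A key that is absent from the section is reported as "unset" (yum/dnf then
# fall back to the value in yum.conf/dnf.conf [main], or the built-in default).
list_gpg_settings() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function emit() {
                if (sec != "") printf "%s:%s repo_gpgcheck=%s gpgcheck=%s\n", file, sec, rgc, gc
            }
            /^[[:space:]]*\[/ {
                emit()
                sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
                rgc = "unset"; gc = "unset"
                next
            }
            /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); rgc = $0; next }
            /^[[:space:]]*gpgcheck[[:space:]]*=/      { sub(/^[^=]*=[[:space:]]*/, ""); gc = $0; next }
            END { emit() }' "$f"
    done
}

# Print sections whose repo_gpgcheck=1 would trigger the metadata-signature error.
find_repo_gpgcheck_enabled() {
    list_gpg_settings "$1" | awk '/ repo_gpgcheck=1 / { print }'
}

# Print sections that have package signature checking turned off and return 1
# if there are any; this is the setting a security review should never accept.
find_unsigned_package_risk() {
    list_gpg_settings "$1" | awk '/ gpgcheck=0$/ { print; bad = 1 } END { exit bad ? 1 : 0 }'
}
```

Run `find_repo_gpgcheck_enabled /etc/yum.repos.d` before applying the sed command above to see which files it will touch, and `find_unsigned_package_risk /etc/yum.repos.d` afterwards to confirm that no repository lost package verification in the process.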

"Could not resolve host"

If DNS can't resolve the repository hostname, then you receive the "Could not resolve host" error message. This issue occurs if the required variable files don't exist, or contain missing or incorrect values. The issue also occurs if your DNS configuration can't reach the hostname.

Check the yum or dnf variable files

Run the following commands based on your Amazon Linux version to check the files for missing or incorrect variables:

AL2023:

cat /etc/dnf/vars/awsregion
cat /etc/dnf/vars/awsdomain
cat /etc/dnf/vars/releasever

AL2:

cat /etc/yum/vars/awsregion
cat /etc/yum/vars/awsdomain
cat /etc/yum/vars/awsproto
cat /etc/yum/vars/amazonlinux
cat /etc/yum/vars/product
cat /etc/yum/vars/target

Make sure that the file values are correct. For example, awsregion must be your Region and awsdomain must be amazonaws.com.

If any of the files contain incorrect values, such as default for awsregion, then run the following commands to update the values:

echo "us-east-1" | sudo tee /etc/dnf/vars/awsregion
echo "amazonaws.com" | sudo tee /etc/dnf/vars/awsdomain

Note: Replace us-east-1 with your instance's Region, and replace /etc/dnf/vars/ with /etc/yum/vars/ on AL2.
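The following shell functions, added here as an example and not part of the AWS article, serve both this section and the "You have an incorrect release version variable" section above: they read the AL2023 variable files from a directory, validate awsregion, awsdomain and releasever against the formats those sections describe, and expand the default mirrorlist URL so that you can see the hostname and path that dnf would actually build (and then fetch it with curl by hand). The directory is a parameter so that a scratch copy can be checked; the region pattern, the accepted awsdomain values and the "latest" placeholder used when no releasever override exists are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the AWS article): read the dnf variable files from a
# directory, validate each value, and show the mirrorlist URL that dnf would
# build from them. Point it at /etc/dnf/vars on a real AL2023 instance. The
# URL template is the default AL2023 mirrorlist quoted in the article.

# Print the first line of a variable file, or nothing if the file is missing.
read_var() {
    [ -f "$1/$2" ] && head -n 1 "$1/$2" || printf ''
}

# Validate the variables that decide the repository hostname and path.
# Prints one "name=value" line per problem and returns 1 if any were found.
check_dnf_vars() {
    dir="$1"; bad=0
    region=$(read_var "$dir" awsregion)
    domain=$(read_var "$dir" awsdomain)
    case "$region" in
        [a-z][a-z]-*[a-z]-[0-9]) ;;        # e.g. us-east-1, ap-southeast-2 (assumed shape)
        *) echo "awsregion=$region"; bad=1 ;;
    esac
    case "$domain" in
        amazonaws.com|amazonaws.com.cn) ;; # standard partitions and China Regions (assumed list)
        *) echo "awsdomain=$domain"; bad=1 ;;
    esac
    # releasever is optional: when the file is absent, dnf takes the value from
    # the system-release package. When present it must be "latest" or the fully
    # versioned 2023.N.YYYYMMDD form; a bare "2023" builds a nonexistent path.
    if [ -f "$dir/releasever" ]; then
        rel=$(read_var "$dir" releasever)
        case "$rel" in
            latest) ;;
            2023.[0-9]*.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "releasever=$rel"; bad=1 ;;
        esac
    fi
    return $bad
}

# Expand the default AL2023 mirrorlist template with the directory's values so
# that the resulting URL can be inspected or fetched with curl.
expand_mirrorlist() {
    dir="$1"; arch="${2:-x86_64}"
    region=$(read_var "$dir" awsregion)
    domain=$(read_var "$dir" awsdomain)
    rel=$(read_var "$dir" releasever)
    # Placeholder: on a real system dnf substitutes the system-release value here.
    [ -n "$rel" ] || rel="latest"
    printf 'https://al2023-repos-%s-de612dc2.s3.dualstack.%s.%s/core/mirrors/%s/%s/mirror.list\n' \
        "$region" "$region" "$domain" "$rel" "$arch"
}
```

With awsregion set to default, the expanded hostname becomes al2023-repos-default-de612dc2.s3.dualstack.default.amazonaws.com, which is exactly the name behind the "Could not resolve host" message; with releasever set to 2023, the hostname is fine but the path under core/mirrors/ doesn't exist, which produces the 403 described earlier.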

Verify DNS resolution

If the variable files are correct, then use the DNS provider that's provided by the VPC to test DNS resolution. Run the following command:

host al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com 169.254.169.253

Note: Replace us-east-1 with your instance's Region.

If the name resolves when you query 169.254.169.253 directly but fails when you run the command without the resolver argument (that is, with the resolver that's configured in /etc/resolv.conf), then the issue is with your custom DNS configuration. Update your custom DNS server to forward queries for amazonaws.com domains to the 169.254.169.253 resolver.

"Resolving timed out after 5000 milliseconds"

The timeout that yum or dnf applies to name resolution and connection setup is short by default; the message reports the value that was exceeded (5 seconds in this case). If your DNS queries or repository connections take longer, then the request times out and you receive an error.

To increase the timeout time, increase the timeout value in /etc/yum.conf for AL2 or /etc/dnf/dnf.conf for AL2023.

Example value:

timeout=30

To adjust how often your configuration refreshes metadata, update the metadata_expire value in /etc/yum.repos.d/amzn2-core.repo for AL2 and /etc/yum.repos.d/amazonlinux.repo for AL2023.

For more information about available yum configuration options, see yum.conf on the die.net website.

Also, make sure that the instance's IP address, default route, and /etc/resolv.conf configuration are correct.

"Failed to download metadata for repo - Cannot prepare internal mirrorlist"

The "Cannot prepare internal mirrorlist" error occurs if your configuration references an unreachable or nonexistent repository. For example, the third-party repository files in /etc/yum.repos.d/ might point to unreachable servers. Or a repository file might reference a different OS version, such as a CentOS file on an Amazon Linux instance.

Run the following command to identify the repository with issues:

sudo yum repolist -v

To temporarily deactivate the repository, run the following command:

sudo yum --disablerepo=reponame update

Note: Replace reponame with the repository name.

To permanently deactivate the repository, run the following command:

sudo yum-config-manager --disable reponame

Or, run the following command to rename the repository file:

sudo mv /etc/yum.repos.d/problematic.repo /etc/yum.repos.d/problematic.repo.bak

Note: yum and dnf read only files that end in .repo, so the renamed file is ignored while its contents stay available to restore later. The other repositories continue to function.

"/usr/bin/python: bad interpreter: No such file or directory"

The "/usr/bin/python: bad interpreter" error occurs if the Python interpreter that's required by yum or dnf is missing or broken. On AL2, yum requires Python 2.7 (/usr/bin/python) and on AL2023, dnf requires Python 3.9 (/usr/bin/python3).

On AL2023 instances, first make sure that no Python virtual environment is active, because an activated virtual environment puts its own interpreter ahead of the system one. If your shell prompt shows a virtual environment name, run the following command to exit it:

deactivate

Then, run the following commands to reinstall the Python 3.9 package:

sudo dnf download python3.9
sudo rpm -ivh --nodeps python3.9-*.rpm

Note: If dnf itself can't run because its interpreter is missing, then download the RPM on a working AL2023 instance and copy it over, as described for AL2 in the following steps.

Important: Never change the /usr/bin/python3 symlink on AL2023 instances. If you must use a different Python version, then install it alongside the system Python and use virtual environments. For more information, see Python in AL2023.

To resolve this issue on AL2 instances, complete the following steps:

  1. Create an Amazon Machine Image (AMI) backup of the instance.
    Note: The following resolution step ignores dependencies. If you have the wrong package version installed, then you might encounter issues. You can use the AMI to roll back your configuration if you encounter issues.

  2. Run the following commands to download and reinstall the Python package:

    sudo yumdownloader --destdir=/tmp/ python
    sudo rpm -ivh --nodeps /tmp/python-2*.rpm
  3. If the yum download fails, then download the Python RPM from a working instance. Then, use the secure copy protocol (SCP) to transfer the download to your instance.
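The "bad interpreter" message names the path from the script's shebang line, so the quickest diagnosis is to read that line and check whether the path exists and where it resolves to. The following shell functions, added here as an example and not part of the AWS article, do exactly that; on a real instance run `check_shebang /usr/bin/dnf` or `check_shebang /usr/bin/yum`. The scripts used in the test, including the one with a deliberately missing interpreter, are constructed.

```shell
#!/bin/sh
# Added example (not from the AWS article): report which interpreter a script's
# shebang asks for and whether that path resolves, which is what the
# "bad interpreter: No such file or directory" message is complaining about.

# Print the interpreter path from the first line, or nothing if there is no shebang.
# Scripts that use "#!/usr/bin/env python" report /usr/bin/env; inspect PATH for those.
shebang_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print "ok <interpreter> -> <resolved path>" and return 0, or
# "missing <interpreter>" and return 1 when the path isn't executable.
check_shebang() {
    interp=$(shebang_of "$1")
    [ -n "$interp" ] || { echo "no shebang in $1"; return 1; }
    if [ -x "$interp" ]; then
        # readlink -f follows symlink chains such as /usr/bin/python3 -> python3.9,
        # which shows whether someone repointed the system symlink.
        echo "ok $interp -> $(readlink -f "$interp")"
    else
        echo "missing $interp"
        return 1
    fi
}
```

An "ok" line whose resolved path is not the distribution's own interpreter (for example, a Python under /usr/local or inside a virtual environment) is the repointed-symlink case that the Important note above warns about.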

"rpmdb: BDB0004 fop_read_meta: unexpected file type or format"

If the RPM database is corrupted, then you receive the "rpmdb: BDB0004" error message. The BDB prefix identifies the Berkeley DB backend that AL2 uses for /var/lib/rpm; AL2023 stores the RPM database in SQLite instead, so the __db* lock files in the following steps exist only on AL2.

To resolve this issue, back up /var/lib/rpm first, and then complete the following steps:

  1. Run the following command to remove the stale database lock files:

    sudo rm -f /var/lib/rpm/__db*
  2. Run the following command to rebuild the RPM database:

    sudo rpm --rebuilddb
  3. Run the following command to clear the yum cache:

    sudo yum clean all
    sudo yum makecache

A cache clear removes corrupted or stale cached metadata and forces yum to redownload metadata from the repository.

If you still receive the "BDB0004" error or "cannot open Packages database" error, then the corruption can't be fixed with automatic repair. In this scenario, it's a best practice to launch a new instance from a new Amazon Linux AMI, and then migrate your workload.

"No package X available"

The "No package X available" error message occurs if yum or dnf can't find the requested package in any activated repository. This issue typically occurs if you exclude the package in yum.conf or dnf.conf. To check for this issue, look in /etc/yum.conf for AL2 or /etc/dnf/dnf.conf for AL2023 for exclude= lines that block the package.

To temporarily override the exclusion and install the package, run the following command:

sudo dnf --disableexcludes=all install package-name

Note: Replace package-name with the package name. For AL2, replace dnf with yum. Some AMIs, such as Amazon Elastic Kubernetes Service (Amazon EKS) optimized AMIs, include exclusion rules by default. In this scenario, it's not a best practice to update the rules.
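Exclude patterns are globs, so a single entry such as kernel* blocks kernel-devel, kernel-headers and every other package with that prefix. The following shell functions, added here as an example and not part of the AWS article, read the exclude= patterns from the [main] section of a yum.conf or dnf.conf file and report which pattern blocks a given package name, so that you can decide whether --disableexcludes is appropriate before running it. The file path is a parameter; the sample configuration in the test, including a kernel* exclusion of the kind some optimized AMIs ship, is constructed.

```shell
#!/bin/sh
# Added example (not from the AWS article): read the exclude= patterns from a
# yum/dnf configuration file and test whether a package name is blocked by
# them, using shell wildcard semantics as yum and dnf do. Point it at
# /etc/yum.conf (AL2) or /etc/dnf/dnf.conf (AL2023) on a real instance.

# Print every pattern from exclude= lines in the [main] section, one per line.
# yum and dnf accept both spaces and commas as separators.
list_excludes() {
    awk '
        /^[[:space:]]*\[/ { inmain = ($0 ~ /^[[:space:]]*\[main\]/); next }
        inmain && /^[[:space:]]*exclude[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, parts, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# usage: is_excluded <conf-file> <package-name>
# Print the first matching pattern and return 0 if the package is excluded;
# return 1 (printing nothing) if no pattern matches.
is_excluded() {
    conf="$1"; pkg="$2"
    list_excludes "$conf" | {
        while IFS= read -r pat; do
            # $pat is left unquoted on purpose: in a case pattern it is
            # interpreted as a glob, which is how yum/dnf treat excludes.
            case "$pkg" in
                $pat) printf '%s\n' "$pat"; exit 0 ;;
            esac
        done
        exit 1
    }
}
```

If `is_excluded /etc/dnf/dnf.conf kernel-devel` prints kernel* on an Amazon EKS optimized AMI, that exclusion is intentional and the right move is to leave it alone rather than override it.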

You might also receive the error if the package isn't available in the Amazon Linux repository. Some packages that are available on other distributions aren't available on Amazon Linux. For AL2, run the following command to install the Extra Packages for Enterprise Linux (EPEL) repository:

sudo amazon-linux-extras install epel -y

For AL2023, see Packages in Amazon Linux 2 not in Amazon Linux 2023.

Some package names changed between AL2 and AL2023. To identify the package in AL2023, run the following command:

dnf search keyword

Note: Replace keyword with your keyword.

AWS OFFICIAL. Updated 10 days ago.
2 Comments

In my case, the 403 Forbidden error was due to having repo_gpgcheck enabled globally (for security compliance). Since Amazon is not yet signing the repo (repo metadata?), the repomd.xml.asc file was not available to download and produced the error. A 404 error seems like it would be a more appropriate error in that case.

Adding 'repo_gpgcheck=0' to each enabled Amazon repo fixed my issue.

replied 2 years ago

This article was reviewed and updated on 2026-06-03.

AWS EXPERT replied 9 days ago