Short description
To determine what error occurred, use the output messages of the yum command. You might receive one of the following common error messages:
- "Connection timed out ABCD milliseconds"
- "HTTP Error 403 - Forbidden"
- "Could not resolve host: abcdexyz.$awsregion.$awsdomain"
- "HTTP Error 407 - Proxy Authentication Required"
- "Resolving timed out after 5000 milliseconds"
Resolution
Connection timed out ABCD milliseconds
To troubleshoot this issue, verify that the security group attached to your instance allows outbound HTTP or HTTPS traffic. Also verify that the network access control lists (network ACLs) associated with your instance's subnet allow outbound HTTP or HTTPS traffic.
The following example shows a custom network ACL that allows outbound traffic on port 80 and 443:
Inbound rules

| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | Custom TCP Rule | TCP (6) | 1024-65535 | 0.0.0.0/0 | ALLOW |
| 101 | Custom TCP Rule | TCP (6) | 1024-65535 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Outbound rules

| Rule # | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW |
| 101 | HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | ALLOW |
| 102 | HTTP (80) | TCP (6) | 80 | ::/0 | ALLOW |
| 103 | HTTPS (443) | TCP (6) | 443 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
To access Amazon Linux repositories, your instance must use one of the following internet access settings based on your configuration:
After you configure your instance, run the following curl command to make sure that the instance can access the repository.
Amazon Linux 2023:
curl -I al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com
Amazon Linux 1:
curl -I repo.us-east-1.amazonaws.com
Amazon Linux 2:
curl -I amazonlinux.us-east-1.amazonaws.com
Note: In the preceding commands, replace us-east-1 with your instance's AWS Region.
The curl command is preinstalled on all Amazon Machine Images (AMIs). However, you can't access the Amazon Linux repositories without credentials, and the curl command can't take the credentials of a yum repository. When you run the curl command, you receive an access denied error message similar to the following example:
$ curl -I amazonlinux.us-east-1.amazonaws.com
HTTP/1.1 403 Forbidden
x-amz-bucket-region: us-east-1
x-amz-request-id: xxxxxxxx
x-amz-id-2: xxxxxxxxxxxxx=
Content-Type: application/xml
Date: Thu, 17 Nov 2022 16:59:59 GMT
Server: AmazonS3
Use the curl command to test whether the timeout issue is still occurring. The 403 response in the preceding example shows that the network is reachable and the timeout issue is no longer occurring.
HTTP Error 403 - Forbidden
You use a VPC endpoint
If you use an Amazon S3 VPC endpoint, then make sure that the attached policy allows the s3:GetObject API call based on your Linux version.
Amazon Linux 2023: arn:aws:s3:::al2023-repos-region-de612dc2/*
Amazon Linux 1: arn:aws:s3:::packages.region.amazonaws.com/* and arn:aws:s3:::repo.region.amazonaws.com/*
Amazon Linux 2: arn:aws:s3:::amazonlinux.region.amazonaws.com/* and arn:aws:s3:::amazonlinux-2-repos-region/*
Note: In the preceding resources, replace region with your instance's Region.
For more information, see Gateway endpoints for Amazon S3.
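The following shell function is an added example, not part of the original article. It prints an endpoint policy statement that allows only s3:GetObject on the repository resources listed above for one Region and release. The function name, the Sid, and the "*" principal are assumptions; the ARNs follow the patterns in this article.

```shell
# Added example: emit a least-privilege S3 endpoint policy for the
# Amazon Linux repositories. Usage: al_repo_endpoint_policy us-east-1 al2023
al_repo_endpoint_policy() {
    region=$1
    release=$2
    # Reject anything that is not a plain Region token before it is
    # interpolated into an ARN.
    case "$region" in
        ""|*[!a-z0-9-]*) echo "invalid region: $region" >&2; return 2 ;;
    esac
    # Object ARNs end in /* because s3:GetObject is evaluated per object.
    case "$release" in
        al2023) set -- "arn:aws:s3:::al2023-repos-${region}-de612dc2/*" ;;
        al1)    set -- "arn:aws:s3:::packages.${region}.amazonaws.com/*" \
                       "arn:aws:s3:::repo.${region}.amazonaws.com/*" ;;
        al2)    set -- "arn:aws:s3:::amazonlinux.${region}.amazonaws.com/*" \
                       "arn:aws:s3:::amazonlinux-2-repos-${region}/*" ;;
        *) echo "unknown release: $release (expected al1, al2 or al2023)" >&2
           return 2 ;;
    esac
    printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n'
    printf '      "Sid": "AmazonLinuxRepoRead",\n'
    printf '      "Effect": "Allow",\n'
    printf '      "Principal": "*",\n'
    printf '      "Action": "s3:GetObject",\n'
    printf '      "Resource": ['
    sep=''
    for arn in "$@"; do
        printf '%s\n        "%s"' "$sep" "$arn"
        sep=','
    done
    printf '\n      ]\n    }\n  ]\n}\n'
}
```

If the endpoint already carries a policy, merge this statement into it rather than replacing the document, because other workloads in the VPC might rely on the existing statements.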
You use a proxy
If you use a proxy to access Amazon Linux repositories, then verify that the .amazonaws.com subdomain is on the allowlist in your proxy configuration.
You use an unsupported repository
You might receive the following error: "Error: Failed to download metadata for repo 'amazonlinux': GPG verification is activated, but GPG signature is not available. This may be an error or the repository does not support GPG verification". This is a known issue that occurs when you activate repo_gpgcheck in the repository files under the /etc/yum.repos.d/ directory, for example repository.repo files or /etc/yum.conf. Amazon Linux 2023 repositories don't have metadata signing activated. Also, if you use this configuration for unsupported repositories, then package installations or operating system (OS) updates might fail. As a workaround, open the repository repo file and set the value of repo_gpgcheck for the repository to 0. For example, set the value to repo_gpgcheck=0.
For more information about this situation, see [Bug] - not able to install/upgrade packages after activating repo_gpgcheck on the GitHub website.
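To find where repo_gpgcheck is turned on before you edit anything, the following added example (not from the original article) scans repository files and prints every section that enables it, together with that section's gpgcheck value. The function name and output format are assumptions.

```shell
# Added example: list sections that enable repo_gpgcheck (metadata signature
# checking) and show whether gpgcheck (package signature checking) is set.
# Usage: audit_repo_gpgcheck /etc/yum.conf /etc/yum.repos.d/*.repo
audit_repo_gpgcheck() {
    awk '
    function report() {
        # yum and dnf accept 1, true, yes and on as "enabled"
        if (section != "" && tolower(meta) ~ /^(1|true|yes|on)$/)
            printf "%s [%s] repo_gpgcheck=%s gpgcheck=%s\n", file, section, meta, (pkg == "" ? "unset" : pkg)
    }
    # New file: report the last section of the previous file, then reset.
    FNR == 1 { report(); section = ""; meta = ""; pkg = ""; file = FILENAME }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[/ {                          # section header such as [amazonlinux]
        report()
        section = $0
        gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        meta = ""; pkg = ""
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "repo_gpgcheck") meta = val
        if (key == "gpgcheck") pkg = val
    }
    END { report() }
    ' "$@"
}
```

repo_gpgcheck covers repository metadata only. Leave gpgcheck=1 in place when you apply the workaround so that package signatures are still verified.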
Could not resolve host: abcdexyz.$awsregion.$awsdomain
The /etc/yum/vars directory must include the awsdomain and awsregion variables. To verify that the /etc/yum/vars directory defines your custom yum variables, run the following commands:
$ cat /etc/yum/vars/awsregion
us-east-1
$ cat /etc/yum/vars/awsdomain
amazonaws.com
Note: Replace us-east-1 with your instance's Region.
The instance must resolve the domain name of the Amazon Linux repositories. To verify your instance's DNS resolution, run the following commands:
$ dig amazonlinux.us-east-1.amazonaws.com
$ dig repo.us-east-1.amazonaws.com
$ dig al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com
Note: Replace us-east-1 with your instance's Region.
Note that queries to the Amazon provided DNS server at the 169.254.169.253 IPv4 address and the fd00:ec2::253 IPv6 address succeed. Queries to the Amazon provided DNS server at the reserved IP address at the base of the VPC IPv4 network range plus two also succeed. The IPv6 address is accessible only on Nitro-based EC2 instances.
HTTP Error 407 - Proxy Authentication Required
This issue occurs when your proxy can't complete the request because yum or dnf doesn't have the correct authentication credentials for your proxy server. To configure yum or dnf to use a proxy, modify the configuration file with the following parameters:
proxy=http://proxy-server-IP-address:proxy-port
proxy_username=proxy-user-name
proxy_password=proxy-password
Note: If you already configured the proxy and are using the same configuration file, then the proxy password is visible in plaintext in the file. Replace proxy-port with the port that your proxy uses, proxy-user-name with your proxy username, and proxy-password with your proxy password. For Amazon Linux 1 and Amazon Linux 2, modify the /etc/yum.conf file. For Amazon Linux 2023, modify the /etc/dnf/dnf.conf file.
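Because proxy_password is stored in plaintext, check who can read the file that holds it. The following function is an added example, not part of the original article. It reports whether a yum or dnf configuration file that sets proxy_password is readable by group or other users. The function name and messages are assumptions, and it relies on GNU stat.

```shell
# Added example: flag a configuration file that stores proxy_password and
# grants any permission bits to group or other.
# Usage: check_proxy_secret_perms /etc/dnf/dnf.conf
check_proxy_secret_perms() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }
    # Only files that actually set proxy_password matter; comments are ignored.
    if ! grep -Eq '^[[:space:]]*proxy_password[[:space:]]*=' "$conf"; then
        echo "ok: $conf sets no proxy_password"
        return 0
    fi
    mode=$(stat -c '%a' "$conf")   # octal mode, for example 644 or 600
    # The last two octal digits are the group and other permission bits.
    case "$mode" in
        *00) echo "ok: $conf has mode $mode"
             return 0 ;;
        *)   echo "exposed: $conf has mode $mode; restrict it to the owner (for example, chmod 600)"
             return 1 ;;
    esac
}
```

After you restrict the mode, non-root users can no longer read the file, so confirm that nothing unprivileged depends on it.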
Timed out issues
Run the following command to verify that the /etc/resolv.conf file has the correct IP address for your DNS server:
cat /etc/resolv.conf
nameserver YourDNSIP
To modify the default timeout period of 5000 ms, modify the timeout value in the yum configuration file. For more information, see yum.conf on the die.net website. For Amazon Linux 2023, change the metadata_expire value in /etc/yum.repos.d/amazonlinux.repo to modify the timeout period.
To use a dig command to check the query time, run the following command:
$ dig repo.us-east-1.amazonaws.com | grep time
Note: Replace us-east-1 with your instance's Region.