For interface type VPC endpoints, private DNS cannot be enabled, so access to the S3 yum repository fails.
As a countermeasure, configure "/etc/hosts" on EC2 to allow name resolution to "amazonlinux-2-repos-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com".
Check the private IP address of the interface VPC endpoint.
"172.16.1.1" is the private IP address of the ENI of the interface VPC endpoint.
This IP address should be changed according to your environment.
Try adding the following configuration to "/etc/hosts".
172.16.1.1 amazonlinux-2-repos-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com
It is not very good from a security point of view, but try putting the following settings in "/etc/yum.conf".
With this setting added, yum will not verify SSL certificates.
sslverify=0
Once the settings are added, the settings file itself looks like this.
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
distroverpkg=system-release
timeout=5
retries=7
sslverify=0
# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
# It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
This would work, but unfortunately this is not a solution for our production system. The problem is that the SSL certificate returned by the S3 interface endpoint doesn't contain the S3 dualstack domain (e.g. *.s3.dualstack.eu-central-1.amazonaws.com). I tried to enable the "dualstack" IP address type on the S3 interface endpoint, but that is not supported by the service. Probably that is the reason for the missing domain in the SSL certificate.
Thanks again!
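A way to confirm the certificate mismatch described above before resorting to sslverify=0: an added Python example (not code from the thread or from AWS) that connects to the endpoint ENI address with SNI set to the repository hostname, validates the certificate chain but skips the hostname check, and then reports whether any SAN in the leaf certificate covers that name. The endpoint IP and the sample SAN list are constructed placeholders.

```python
import socket
import ssl

REPO_HOST = "amazonlinux-2-repos-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com"
ENDPOINT_IP = "172.16.1.1"  # constructed placeholder: your endpoint ENI address

# Constructed sample of what a getpeercert() dict looks like; the SAN values are
# illustrative only, not the real endpoint certificate.
CONSTRUCTED_CERT = {
    "subjectAltName": (
        ("DNS", "*.s3.eu-central-1.amazonaws.com"),
        ("DNS", "s3.eu-central-1.amazonaws.com"),
    )
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".s3.eu-central-1.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def dns_sans(cert: dict) -> list:
    """DNS names from the subjectAltName extension of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_hostname(cert: dict, hostname: str) -> bool:
    """True if any DNS SAN in the certificate is valid for hostname."""
    return any(hostname_matches(san, hostname) for san in dns_sans(cert))


def fetch_cert(ip: str, sni_hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf cert served for sni_hostname at ip. The chain is still
    verified against the system CA store (so getpeercert() returns the parsed
    dict); only the hostname check is disabled so a mismatch can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cert = fetch_cert(ENDPOINT_IP, REPO_HOST)
    print("SANs:", dns_sans(cert))
    print("covers", REPO_HOST, "->", covers_hostname(cert, REPO_HOST))
```

If the script prints False for the dualstack name, yum's SSL error is a genuine name mismatch and no /etc/hosts or private hosted zone record will fix it on its own.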
Hi Riku_Kobayashi, thanks for your suggestion.
Accessing the S3 yum repository fails with an SSL verification error. The routing is not the problem, as I created a private hosted zone with a record for the domain "amazonlinux-2-repos-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com" pointing to the IP address of the S3 interface endpoint.