SSL verification error when running yum update on an EC2 instance with amazon linux 2 using an S3 VPC interface endpoint


We use CloudFormation to setup an EC2 instance with amazon linux 2 in a public subnet and an S3 interface endpoint in a private subnet. We had to disable Private DNS on the S3 interface endpoint, as otherwise CloudFormation also sets the "Enable private DNS only for inbound endpoint" flag to true and the deployment fails because there is no S3 Gateway endpoint. Instead we also set up private hosted zones to route the traffic for "", "", "" and "" to the S3 interface endpoint.

Accessing our own S3 buckets works perfectly fine, but when we try to run "sudo yum update" we get the following error message:

Could not retrieve mirrorlist error was 14: curl#60 - "SSL: no alternative certificate subject name matches target host name ''"

Is there a way to make yum work with an S3 interface endpoint?

2 Answers

For interface type VPC endpoints, private DNS cannot be enabled, so access to the S3 yum repository fails.
As a countermeasure, configure "/etc/hosts" on EC2 to allow name resolution to "".
Check the private IP address of the interfaced VPC endpoint." is the private IP address of the ENI of the interfaced VPC endpoint.
This IP address should be changed according to your environment.
Try adding the following configuration to "/etc/hosts".
profile picture
answered a year ago
  • Hi Riku_Kobayashi, thanks for you suggestion.

    Accessing the S3 yum repository fails with an SSL verification error. The routing is not the problem, as I created a private hosted zone with a record for the domain "" pointing to the IP address of the S3 interface endpoint.


It is not very good from a security point of view, but try putting the following settings in "/etc/yum.conf".
Adding the setting will not check for SSL certificates.


Once the settings are added, the settings file itself looks like this.


#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
profile picture
answered a year ago
  • This would work, but unfortunately this is not a solution for our production system. The problem is that the SSL certificate returned by the S3 interface endpoint doesn't contain the S3 dualstack domain (e.g. * I tried to enable the "dualstack" ip address type on the S3 interface endpoint, but that is not supported by the service. Probably that is the reason for the missing domain in the SSL certificate.

    Thanks again!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions