I’m receiving errors when using yum on my Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023.
Short description
Use the output messages of the yum command to determine what error occurred. The following are common error messages:
- Connection timed out XXX milliseconds
- HTTP Error 403 - Forbidden
- Could not resolve host: xxxxxxxxx.$awsregion.$awsdomain
- HTTP Error 407 - Proxy Authentication Required
- Resolving timed out after 5000 milliseconds
Resolution
Connection timed out XXXX milliseconds
1. Verify that the security group attached to your EC2 instance allows outbound HTTP or HTTPS traffic.
2. Verify that the network ACLs associated with your EC2 instance's subnet allows outbound HTTP or HTTPS traffic through your NACLs.
The following example shows a custom network ACL that allows outbound traffic on port 80 and 443:
Inbound rules
Rule# Type Protocol Port Range Source Allow/Deny
100 Custom TCP Rule TCP (6) 1024-65535 0.0.0.0/0 ALLOW
101 Custom TCP Rule TCP (6) 1024-65535 ::/0 ALLOW
* ALL Traffic ALL ALL ::/0 DENY
* ALL Traffic ALL ALL 0.0.0.0/0 DENY
Outbound rules
Rule # Type Protocol Port Range Source Allow/Deny
100 HTTP (80) TCP (6) 80 0.0.0.0/0 ALLOW
101 HTTPS (443) TCP (6) 443 0.0.0.0/0 ALLOW
102 HTTP (80) TCP (6) 80 ::/0 ALLOW
103 HTTPS (443) TCP (6) 443 ::/0 ALLOW
* ALL Traffic ALL ALL ::/0 DENY
* ALL Traffic ALL ALL 0.0.0.0/0 DENY
3. Verify that your EC2 instance has access to Amazon Linux repositories using one of the following options:
- Your instance is in a public subnet with an internet gateway. For more information, see Turn on internet access.
- Your instance is in a private subnet with a NAT gateway. For more information, see NAT gateways.
- Your instance is in a private subnet with a NAT instance. For more information, see NAT instances.
- Your instance is in a public or private subnet with an Amazon Simple Storage Service (Amazon S3) VPC endpoint. For more information, see How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?
- Your instance is in a private subnet with a proxy. To configure yum to use a proxy, modify the /etc/yum.conf file with the following parameters. In the following example, replace proxy-port, proxy-user-name, and proxy-password with the correct values for your proxy.
proxy=http://proxy-server-IP-address:proxy_port
proxy_username="proxy-user-name"
proxy_password="proxy-password"
For more information, see Using yum with a proxy server on the fedoraproject.org website.
4. After configuring your instance using one of the preceding options, run the following curl command to confirm that the instance can access the repository. In the following command, replace us-east-1 with your instance's AWS Region.
Amazon Linux 2023
curl -I al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com
Amazon Linux 1
curl -I repo.us-east-1.amazonaws.com
Amazon Linux 2
curl -I amazonlinux.us-east-1.amazonaws.com
The curl command is pre-installed on all Amazon Machine Images (AMIs), but the Amazon Linux repositories aren't accessible without credentials. The curl command can't take the credentials of a yum repository. So, you receive an access denied error message similar to the following. The curl command is used to test whether the timeout issue is still occurring. The error message shows that the network is reachable and the timeout issue is no longer occurring:
$ curl -I amazonlinux.us-east-1.amazonaws.com
HTTP/1.1 403 Forbidden
x-amz-bucket-region: us-east-1
x-amz-request-id: xxxxxxxx
x-amz-id-2: xxxxxxxxxxxxx=
Content-Type: application/xml
Date: Thu, 17 Nov 2022 16:59:59 GMT
Server: AmazonS3
To install software, such as telnet, run the following command:
sudo yum install telnet
HTTP Error 403 - Forbidden
1. For an Amazon S3 VPC endpoint in your instance's VPC, verify that the attached policy allows the s3:GetObject API call on the following resources. In the following examples, replace region with your instance's AWS Region.
Amazon Linux 2023:
"arn:aws:s3:::al2023-repos-us-east-1-de612dc2/*"
Amazon Linux 1:
"arn:aws:s3:::packages.region.amazonaws.com/*"
"arn:aws:s3:::repo.region.amazonaws.com/*"
Amazon Linux 2:
"arn:aws:s3:::amazonlinux.region.amazonaws.com/*"
"arn:aws:s3:::amazonlinux-2-repos-region/*"
For more information, see Gateway endpoints for Amazon S3.
2. If you use a proxy to access Amazon Linux repositories, then verify that the .amazonaws.com subdomain is on the allowlist in your proxy configuration.
Could not resolve host: xxxxxxxx.$awsregion.$awsdomain
1. Run the following commands to verify that the /etc/yum/vars directory defines the custom yum variables. The directory must include the variables awsdomain and awsregion. In the following example command, replace us-east-1 with your instance's AWS Region.
$ cat /etc/yum/vars/awsregion
us-east-1
$ cat /etc/yum/vars/awsdomain
amazonaws.com
2. Run the following command to verify the DNS resolution of your instance. The instance must resolve the domain name of the Amazon Linux repositories.
$ dig amazonlinux.us-east-1.amazonaws.com
$ dig repo.us-east-1.amazonaws.com
$ dig al2023-repos-us-east-1-de612dc2
Queries to the Amazon-provided DNS server at the 169.254.169.253 IPv4 address and the fd00:ec2::253 IPv6 address succeed. Queries to the Amazon-provided DNS server at the reserved IP address at the base of the VPC IPv4 network range plus two also succeed. The IPv6 address is accessible only on Nitro-based EC2 instances.
HTTP Error 407 - Proxy Authentication Required
HTTP Error 407 occurs if your proxy can't complete the request because yum or dnf doesn't have proper authentication credentials for your proxy server. To configure yum or dnf to use a proxy, modify the /etc/yum.conf file with the following parameters:
Amazon Linux 1 and Amazon Linux 2 : /etc/yum.conf
Amazon Linux 2023 : /etc/dnf/dnf.conf
proxy=http://proxy-server-IP-address:proxy_port
proxy_username=proxy-user-name
proxy_password=proxy-password
Resolving timed out after 5000 milliseconds
Run the following command to verify that the /etc/resolv.conf file has the correct IP for your DNS server:
cat /etc/resolv.conf
nameserver YourDNSIP
You can modify the time-out period of 5000 milliseconds by modifying the timeout value in the yum configuration file. For more information, see yum.conf on the linux.die.net website.
To check the query time using dig, run the following command:
$ dig repo.us-east-1.amazonaws.com | grep time
For Amazon Linux 2023, modify the time out period by changing the metadata_expire value in /etc/yum.repos.d/amazonlinux.re.