Why am I receiving errors when using yum on my EC2 instance running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?

Short description

Use the output messages of the yum command to determine what error occurred. The following are common error messages:

• Connection timed out XXX milliseconds
• HTTP Error 403 - Forbidden
• Could not resolve host: xxxxxxxxx.$awsregion.$awsdomain
• HTTP Error 407 - Proxy Authentication Required
• Resolving timed out after 5000 milliseconds

Resolution

Connection timed out XXXX milliseconds

1.    Verify that the security group attached to your EC2 instance allows outbound HTTP or HTTPS traffic.

2.    Verify that the network ACLs associated with your EC2 instance's subnet allows outbound HTTP or HTTPS traffic through your NACLs.

The following example shows a custom network ACL that allows outbound traffic on port 80 and 443:

Inbound rules
Rule#    Type                    Protocol    Port Range    Source        Allow/Deny
100      Custom TCP Rule         TCP (6)     1024-65535    0.0.0.0/0     ALLOW
101      Custom TCP Rule         TCP (6)     1024-65535    ::/0          ALLOW
*        ALL Traffic             ALL         ALL           ::/0          DENY
*        ALL Traffic             ALL         ALL           0.0.0.0/0     DENY

Outbound rules
Rule #    Type                   Protocol    Port Range    Source       Allow/Deny
100       HTTP (80)              TCP (6)     80            0.0.0.0/0    ALLOW
101       HTTPS (443)            TCP (6)     443           0.0.0.0/0    ALLOW
102       HTTP (80)              TCP (6)     80            ::/0         ALLOW
103       HTTPS (443)            TCP (6)     443           ::/0         ALLOW
*         ALL Traffic            ALL         ALL           ::/0         DENY
*         ALL Traffic            ALL         ALL           0.0.0.0/0    DENY

3.    Verify that your EC2 instance has access to Amazon Linux repositories using one of the following options:

• Your instance is in a public subnet with an internet gateway. For more information, see Turn on internet access.
• Your instance is in a private subnet with a NAT gateway. For more information, see NAT gateways.
• Your instance is in a private subnet with a NAT instance. For more information, see NAT instances.
• Your instance is in a public or private subnet with an Amazon Simple Storage Service (Amazon S3) VPC endpoint. For more information, see How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?
• Your instance is in a private subnet with a proxy. To configure yum to use a proxy, modify the /etc/yum.conf file with the following parameters. In the following example, replace proxy-port, proxy-user-name, and proxy-password with the correct values for your proxy.

proxy=http://proxy-server-IP-address:proxy_port
proxy_username="proxy-user-name"
proxy_password="proxy-password"

For more information, see Using yum with a proxy server on the fedoraproject.org website.

4.    After configuring your instance using one of the preceding options, run the following curl command to confirm that the instance can access the repository. In the following command, replace us-east-1 with your instance's AWS Region.

Amazon Linux 2023

curl -I al2023-repos-us-east-1-de612dc2.s3.dualstack.us-east-1.amazonaws.com

Amazon Linux 1

curl -I repo.us-east-1.amazonaws.com

Amazon Linux 2

curl -I amazonlinux.us-east-1.amazonaws.com

The curl command is pre-installed on all Amazon Machine Images (AMIs), but the Amazon Linux repositories aren't accessible without credentials. The curl command can't take the credentials of a yum repository. So, you receive an access denied error message similar to the following. The curl command is used to test whether the timeout issue is still occurring. The error message shows that the network is reachable and the timeout issue is no longer occurring:

$ curl -I amazonlinux.us-east-1.amazonaws.com
HTTP/1.1 403 Forbidden
x-amz-bucket-region: us-east-1
x-amz-request-id: xxxxxxxx
x-amz-id-2: xxxxxxxxxxxxx=
Content-Type: application/xml
Date: Thu, 17 Nov 2022 16:59:59 GMT
Server: AmazonS3

To install software, such as telnet, run the following command:

sudo yum install telnet

HTTP Error 403 - Forbidden

1.    For an Amazon S3 VPC endpoint in your instance's VPC, verify that the attached policy allows the s3:GetObject API call on the following resources. In the following examples, replace region with your instance's AWS Region.

Amazon Linux 2023:

"arn:aws:s3:::al2023-repos-us-east-1-de612dc2/*"

Amazon Linux 1:

"arn:aws:s3:::packages.region.amazonaws.com/*"

"arn:aws:s3:::repo.region.amazonaws.com/*"

Amazon Linux 2:

"arn:aws:s3:::amazonlinux.region.amazonaws.com/*"

"arn:aws:s3:::amazonlinux-2-repos-region/*"

For more information, see Gateway endpoints for Amazon S3.

2.    If you use a proxy to access Amazon Linux repositories, then verify that the .amazonaws.com subdomain is on the allowlist in your proxy configuration.

Could not resolve host: xxxxxxxx.$awsregion.$awsdomain

1.    Run the following commands to verify that the /etc/yum/vars directory defines the custom yum variables. The directory must include the variables awsdomain and awsregion. In the following example command, replace us-east-1 with your instance's AWS Region.

$ cat /etc/yum/vars/awsregion
us-east-1

$ cat /etc/yum/vars/awsdomain
amazonaws.com

2.    Run the following command to verify the DNS resolution of your instance. The instance must resolve the domain name of the Amazon Linux repositories.

$ dig amazonlinux.us-east-1.amazonaws.com

$ dig repo.us-east-1.amazonaws.com

$ dig al2023-repos-us-east-1-de612dc2

Queries to the Amazon-provided DNS server at the 169.254.169.253 IPv4 address and the fd00:ec2::253 IPv6 address succeed. Queries to the Amazon-provided DNS server at the reserved IP address at the base of the VPC IPv4 network range plus two also succeed. The IPv6 address is accessible only on Nitro-based EC2 instances.

HTTP Error 407 - Proxy Authentication Required

HTTP Error 407 occurs if your proxy can't complete the request because yum or dnf doesn't have proper authentication credentials for your proxy server. To configure yum or dnf to use a proxy, modify the /etc/yum.conf file with the following parameters:

Amazon Linux 1 and Amazon Linux 2 : /etc/yum.conf
Amazon Linux 2023 : /etc/dnf/dnf.conf

proxy=http://proxy-server-IP-address:proxy_port
proxy_username=proxy-user-name
proxy_password=proxy-password

Resolving timed out after 5000 milliseconds

Run the following command to verify that the /etc/resolv.conf file has the correct IP for your DNS server:

cat /etc/resolv.conf
nameserver YourDNSIP

You can modify the time-out period of 5000 milliseconds by modifying the timeout value in the yum configuration file. For more information, see yum.conf on the linux.die.net website.

To check the query time using dig, run the following command:

$ dig repo.us-east-1.amazonaws.com | grep time

For Amazon Linux 2023, modify the time out period by changing the metadata_expire value in /etc/yum.repos.d/amazonlinux.re.