Why am I receiving errors when using yum on my EC2 instance running Amazon Linux 1 or Amazon Linux 2?

Last updated: 2022-03-24

Why am I receiving errors when using yum on my Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 1 or Amazon Linux 2?

Short description

Use the output messages of the yum command to determine what error occurred. The following are common error messages:

  • Connection timed out XXX milliseconds
  • HTTP Error 403 - Forbidden
  • Could not resolve host: xxxxxxxxx.$awsregion.$awsdomain
  • HTTP Error 407 - Proxy Authentication Required
  • Resolving timed out after 5000 milliseconds

Resolution

Connection timed out XXXX milliseconds

1.    Verify that the security group attached to your EC2 instance allows outbound http/https traffic.

2.    Verify that the network ACLs associated with your EC2 instance's subnet allows outbound http/https traffic through your NACLs.

The following example shows a custom network ACL that allows outbound traffic on port 80 and 443:

Inbound rules
Rule#    Type                    Protocol    Port Range    Source        Allow/Deny
100      Custom TCP Rule         TCP (6)     1024-65535    0.0.0.0/0     ALLOW
101      Custom TCP Rule         TCP (6)     1024-65535    ::/0          ALLOW
*        ALL Traffic             ALL         ALL           ::/0          DENY
*        ALL Traffic             ALL         ALL           0.0.0.0/0     DENY
Outbound rules
Rule #    Type                   Protocol    Port Range    Source       Allow/Deny
100       HTTP (80)              TCP (6)     80            0.0.0.0/0    ALLOW
101       HTTPS (443)            TCP (6)     443           0.0.0.0/0    ALLOW
102       HTTP (80)              TCP (6)     80            ::/0         ALLOW
103       HTTPS (443)            TCP (6)     443           ::/0         ALLOW
*         ALL Traffic            ALL         ALL           ::/0         DENY
*         ALL Traffic            ALL         ALL           0.0.0.0/0    DENY

3.    Verify that your EC2 instance has access to Amazon Linux repositories using one of the following options

proxy=http://proxy-server-IP-address:proxy_port
proxy_username="proxy-user-name"
proxy_password="proxy-password"

For more information, see Using yum with a proxy server on the fedoraproject.org website.

4.    After configuring your instance using one of the preceding options, run the following telnet command to confirm that the instance can access the repository. In the following command, replace us-east-1 with your instance's Region.

Amazon Linux 1

telnet repo.us-east-1.amazonaws.com 80

Amazon Linux 2

telnet amazonlinux.us-east-1.amazonaws.com 80

Note: Telnet isn't installed by default on all AMIs. To install telnet, run the following command:

sudo yum install telnet

HTTP Error 403 - Forbidden

1.    If you're using an S3 VPC endpoint in your instance's VPC, verify that the attached policy allows the s3:GetObject API call on the following resources:

Amazon Linux 1:

"arn:aws:s3:::packages.region.amazonaws.com/*"

"arn:aws:s3:::repo.region.amazonaws.com/*"

Amazon Linux 2:

"arn:aws:s3:::amazonlinux.region.amazonaws.com/*"

"arn:aws:s3:::amazonlinux-2-repos-region/*"

Note: Replace the Region in the preceding examples with your instance's Region.

For more information, see Endpoint policies for Amazon S3.

2.    If you're using a proxy to access Amazon Linux repositories, verify that the sub-domains .amazonaws.com are on the allow list in your proxy configuration.

Could not resolve host: xxxxxxxx.$awsregion.$awsdomain

1.    Run the following commands to verify that the directory /etc/yum/vars defines the custom yum variables. The directory must include the variables awsdomain and awsregion. In the following example command, replace us-east-1 with your instance's Region.

$ cat /etc/yum/vars/awsregion
us-east-1

$ cat /etc/yum/vars/awsdomain
amazonaws.com

2.    Verify the DNS resolution of your instance. The instance must resolve the domain name of the Amazon Linux repositories:

$ dig amazonlinux.us-east-1.amazonaws.com

$ dig repo.us-east-1.amazonaws.com

Queries to the Amazon provided DNS server at the 169.254.169.253 IPv4 address and the fd00:ec2::253 IPv6 address will succeed. Queries to the Amazon provided DNS server at the reserved IP address at the base of the VPC IPv4 network range plus two will also succeed. The IPv6 address is only accessible on EC2 instances built on the Nitro System.

HTTP Error 407 - Proxy Authentication Required

This occurs if your proxy can't complete the request because yum doesn't have proper authentication credentials for your proxy server. To configure yum to use a proxy, modify the /etc/yum.conf file with the following parameters:

proxy=http://proxy-server-IP-address:proxy_port
proxy_username=proxy-user-name
proxy_password=proxy-password

Resolving timed out after 5000 milliseconds

Run the following command to verify that the /etc/resolv.conf file has the correct IP for your DNS server:

cat /etc/resolv.conf
nameserver YourDNSIP

You can modify the time out period of 5000 milliseconds by modifying the timeout value in the yum configuration file.

To check the query time using dig, run the following command:

$ dig repo.us-east-1.amazonaws.com | grep time

Did this article help?


Do you need billing or technical support?