DigitalOcean Droplet unable to resolve mirror locations?

Web Server Oct 14, 2020

You've set up a Droplet in DigitalOcean and locked things down to restrict access to it via the firewall. Great. You can access the server and make local changes fine, but when you try to update or install something, you're presented with terminal output similar to:

Terminal output from an Ubuntu server. The mirror repositories for updates cannot be resolved
Failed to fetch

Panic sets in. You can't configure your new server when it can't find the packages you need to install. What do you do?

You might be tempted to trash the Droplet and start again (go ahead - you'll likely get the same result - I'll wait...), but that's futile. The issue is more than likely with the firewall rules. There's a good chance they are similar to:

Firewall rules within DigitalOcean, showing inbound and outbound allowed rules for ports 80 and 443 on each
DigitalOcean firewall rules. Keep things locked down.

It makes sense. The update and package mirrors are HTTP or HTTPS locations, so why won't it connect?

The reason is simple once it's explained: the server can't communicate with DNS servers. You've locked the Droplet down on the firewall to the point that it can't send outbound DNS requests, so it can't turn the mirror hostnames into IP addresses and never gets as far as opening an HTTP or HTTPS connection. Add outbound firewall rules for TCP and UDP port 53, and the updates should work.

DigitalOcean firewall rules. As before, but with newly added outbound rules for TCP and UDP connections on port 53
Added TCP and UDP ports for outbound rules
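
To confirm the diagnosis before changing the firewall, the sketch below (an added example, not part of the original post) classifies apt's error output as a DNS failure or a blocked mirror connection. The apt lines are constructed samples, `mirror.example.com` is a placeholder hostname, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide which outbound firewall rule is missing from apt's errors.
# The apt lines and mirror.example.com below are constructed samples.

# Reads apt output on stdin and prints one of:
#   dns     - name resolution failed: check outbound TCP/UDP 53
#   connect - names resolved but the mirror is unreachable: check outbound 80/443
#   ok      - no fetch errors found
classify_apt_output() {
    awk '
        /Temporary failure resolving|Could not resolve/ { dns++ }
        /Could not connect to|Unable to connect to/     { conn++ }
        END {
            if (dns) { print "dns" } else if (conn) { print "connect" } else { print "ok" }
        }'
}

# Constructed sample: outbound 80/443 allowed, outbound 53 blocked.
sample_dns_blocked() {
cat <<'EOF'
Err:1 http://mirror.example.com/ubuntu focal InRelease
  Temporary failure resolving 'mirror.example.com'
W: Failed to fetch http://mirror.example.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'mirror.example.com'
EOF
}

# Constructed sample: DNS works, but outbound HTTP is blocked.
sample_http_blocked() {
cat <<'EOF'
Err:1 http://mirror.example.com/ubuntu focal InRelease
  Could not connect to mirror.example.com:80 (203.0.113.10), connection timed out
W: Failed to fetch http://mirror.example.com/ubuntu/dists/focal/InRelease  Could not connect to mirror.example.com:80 (203.0.113.10), connection timed out
EOF
}

# Live check for the Droplet itself: resolve first, then try HTTPS.
# Not called here, because it needs network access. A curl failure after a
# successful lookup points at outbound 80/443 (or a TLS problem).
live_check() {
    getent hosts "$1" >/dev/null 2>&1 || { echo "dns"; return 1; }
    curl -s -o /dev/null --connect-timeout 5 "https://$1/" || { echo "connect"; return 1; }
    echo "ok"
}

echo "53 blocked:     $(sample_dns_blocked | classify_apt_output)"
echo "80/443 blocked: $(sample_http_blocked | classify_apt_output)"
```

On a real Droplet, pipe `sudo apt-get update 2>&1` into `classify_apt_output`, or call `live_check` with your mirror's hostname.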