This warning occurs when apt cannot establish a network connection to a package repository server. The repository server may be down, unreachable due to network issues, or your system's network configuration is blocking the connection.
The "W: Failed to fetch URL Connection refused" warning indicates that your system attempted to contact a package repository server (like archive.ubuntu.com or security.debian.org) but the connection was actively refused or could not be established. The error code "Connection refused" (errno 111 on Linux) means: - The remote server rejected the connection attempt - No service is listening on the target port (80 or 443) - A firewall is blocking outbound connections - The hostname could not be resolved to an IP address This commonly happens when: - Running `apt update` or `apt upgrade` fails to reach one or more repositories - Using Ubuntu or Debian systems where repositories are temporarily unavailable - Running in constrained environments (containers, VMs, WSL) with network issues - Behind a corporate proxy or firewall that requires special configuration Unlike a timeout error, "connection refused" means the system actively rejected the connection, which usually indicates a network configuration problem rather than a server being temporarily slow.
First, check if your system can reach external networks:
# Test basic connectivity
ping -c 4 8.8.8.8
# Test DNS resolution
nslookup archive.ubuntu.com
# or
dig archive.ubuntu.comIf ping fails, you have a network connectivity issue:
- Check if you're connected to Wi-Fi or Ethernet
- Restart your network adapter
- Check your firewall settings
- Verify you have a valid IP address: ip addr show
Some networks have broken IPv6 support. Force apt to use IPv4:
sudo apt -o Acquire::ForceIPv4=true updateIf this works, make it permanent by creating a configuration file:
echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4Verify it worked:
sudo apt updateCorrupted package lists can sometimes cause connection errors:
# Clear the package list cache
sudo rm -rf /var/lib/apt/lists/*
sudo mkdir -p /var/lib/apt/lists/partial
# Update package lists
sudo apt updateThis downloads fresh package metadata from your configured repositories.
If a specific mirror is down, try a different one. For Ubuntu:
# Backup your current sources
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
# Edit sources list
sudo nano /etc/apt/sources.listReplace repository URLs:
- archive.ubuntu.com → mirror.example.com (or use your regional mirror)
- security.ubuntu.com → security.example.com
For Ubuntu, you can also use the GUI:
sudo software-properties-gtkOr use automatic mirror selection:
sudo apt-mirror-selectorIf you're behind a corporate proxy, configure apt:
Method 1: Create a configuration file
sudo tee /etc/apt/apt.conf.d/95proxies > /dev/null << 'EOF'
Acquire::http::Proxy "http://proxy.example.com:8080/";
Acquire::https::Proxy "http://proxy.example.com:8080/";
EOFMethod 2: Set environment variables
export http_proxy=http://proxy.example.com:8080
export https_proxy=http://proxy.example.com:8080
sudo -E apt updateMethod 3: For specific repositories
# In /etc/apt/sources.list, use proxy URL format
deb [allow-insecure=yes] http://proxy.example.com:8080/archive.ubuntu.com/ubuntu focal mainReplace proxy.example.com:8080 with your actual proxy.
Test if you can actually reach the repository servers:
# Test HTTP connectivity to Ubuntu archive
curl -I http://archive.ubuntu.com/ubuntu/dists/focal/
# Test HTTPS connectivity
curl -I https://archive.ubuntu.com/ubuntu/dists/focal/
# For security updates
curl -I http://security.ubuntu.com/ubuntu/dists/focal-security/If curl times out or connection is refused:
- The server may be down (check the official status page)
- Your ISP/firewall may be blocking the connection
- Try a different mirror URL
Look at available mirrors for your distribution:
- Ubuntu: https://launchpad.net/ubuntu/+archivemirrors
- Debian: https://www.debian.org/mirror/list
Some mirrors might not support HTTP anymore. Update to HTTPS:
sudo sed -i 's/http:\/\//https:\/\//g' /etc/apt/sources.listOr manually edit /etc/apt/sources.list and change:
- deb http://archive.ubuntu.com → deb https://archive.ubuntu.com
- deb http://security.ubuntu.com → deb https://security.ubuntu.com
Then update:
sudo apt updateSome firewalls, VPNs, or security tools block apt:
# Temporarily disable UFW to test
sudo ufw disable
sudo apt update
# If it works, re-enable and add rules
sudo ufw enableFor UFW (Ubuntu Firewall):
# Allow outbound HTTP/HTTPS
sudo ufw allow out to any port 80
sudo ufw allow out to any port 443
# Check rules
sudo ufw status verboseFor iptables:
# Check current rules
sudo iptables -L -n
# Ensure outbound is allowed
sudo iptables -P OUTPUT ACCEPTIf running in Docker, Podman, or WSL:
Docker container:
# Ensure --dns is set for proper name resolution
docker run --dns 8.8.8.8 --dns 8.8.4.4 ubuntu apt update
# Or in docker-compose.yml:
services:
app:
image: ubuntu
dns:
- 8.8.8.8
- 8.8.4.4WSL (Windows Subsystem for Linux):
# Check DNS configuration
cat /etc/resolv.conf
# Generate new /etc/resolv.conf
sudo wsl.exe --shutdown
# Then restart WSL from Windows
# Or manually set DNS
echo 'nameserver 8.8.8.8' | sudo tee /etc/resolv.conf > /dev/nullIncorrect system time can cause SSL/TLS certificate validation failures:
# Check current date/time
date
# Sync with NTP (Network Time Protocol)
sudo apt install -y chrony
sudo systemctl restart chrony
# Or use timedatectl on systemd systems
sudo timedatectl set-ntp onIf your time is significantly off, HTTPS connections will fail even if the network is fine.
Understanding apt repository connection errors:
Connection refused (errno 111) is distinct from timeout errors:
- Connection refused: Something at the endpoint is actively rejecting the connection
- Timeout: The connection attempt isn't getting a response (slow network)
- DNS resolution failure: Can't find the IP address for the hostname
Repository mirror selection:
Ubuntu and Debian provide multiple mirrors. If one fails, try another:
- Primary: archive.ubuntu.com, deb.debian.org
- Security: security.ubuntu.com, security.debian.org
- Regional mirrors: Often faster if you're far from primary locations
You can automate mirror selection:
# For Ubuntu 20.04+, use mirror selection tool
sudo apt install ubuntu-release-upgrader-core
sudo apt-mirror-selectorNetworking in containers:
Docker containers inherit the host's DNS settings by default. If apt fails in a container but works on the host:
1. Check if DNS is configured: cat /etc/resolv.conf
2. Pass custom DNS: docker run --dns 1.1.1.1 ...
3. Use host network mode for testing: docker run --network host ... (less isolation, but tests connectivity)
IPv6 considerations:
Modern Linux systems prefer IPv6 over IPv4 when both are available. If your network has broken IPv6 (rare but happens):
# Disable IPv6 globally (not recommended in most cases)
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Or just for apt (recommended)
echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4Proxy authentication:
For corporate proxies requiring authentication:
# In apt.conf.d configuration:
Acquire::http::Proxy "http://username:[email protected]:8080/";
Acquire::https::Proxy "http://username:[email protected]:8080/";
# For NTLM authentication, use cntlm proxy:
sudo apt install cntlm
# Then point apt to localhost cntlm proxy
Acquire::http::Proxy "http://localhost:3128/";Repository validation:
The APT package manager validates repository signatures. If certificate validation fails:
# Update CA certificates
sudo apt install -y ca-certificates
sudo update-ca-certificates
# For unsigned repos (NOT recommended for security)
sudo apt install -y --allow-unauthenticated package-namedpkg: serious warning: files list file for package 'package-name' contains empty filename
How to fix "files list file contains empty filename" in APT
E: Sub-process /usr/bin/dpkg returned an error code (2)
How to fix "Sub-process /usr/bin/dpkg returned an error code (2)" in APT
dpkg-divert: error: rename involves overwriting 'path' with different file
How to fix dpkg-divert rename conflicts in APT
E: Sub-process /usr/bin/dpkg returned an error code (1) during kernel installation
How to fix "dpkg returned an error code (1)" in APT kernel installation
dpkg: dependency problems prevent configuration of triggers
dpkg: dependency problems prevent configuration of triggers in apt