mix deps.get fails for Hex registry (Unknown CA then upstream connection termination) #129

@arnodirlam

In a Codex Web environment based on codex-universal (Dockerfile: https://raw.githubusercontent.com/openai/codex-universal/refs/heads/main/Dockerfile), Elixir deps cannot be fetched reliably from Hex.

It seems to be a proxy+TLS issue.

Setup

I locally use mise and have a .tool-versions file in my repo.

My initial setup script:

mise install
eval "$(mise activate bash)"
mix local.hex --force
mix local.rebar --force
mix deps.get

which gives

+ mix local.hex --force
** (Mix) httpc request failed with: {:bad_status_code, 503}

Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv.

Alternatively, you can compile and install Hex directly with this command:

    $ mix archive.install github hexpm/hex branch latest

What I tried

  • Enabled network access for all domains.
  • Confirmed github.com works; installed Hex from GitHub instead of builds.hex.pm (default) successfully:
    mix archive.install github hexpm/hex --force
    
  • Initial error from mix deps.get: TLS Fatal - Unknown CA against builds.hex.pm / repo.hex.pm.
  • Found SSL_CERT_FILE=/usr/local/share/ca-certificates/envoy-mitmproxy-ca-cert.crt.
  • Set that explicitly for hex via HEX_CACERTS_PATH (see docs).
  • Also tried variations of:
    apt-get update
    apt-get install --reinstall -y ca-certificates
    update-ca-certificates
    
  • Tried mirror: HEX_MIRROR=https://cdn.jsdelivr.net/hex.

Current failure

  • upstream connect error or disconnect/reset before headers. reset reason: connection termination
  • Failed to fetch record for <package> from registry (using cache instead)
  • Failed to check for new Hex version
  • ** (Mix) Unknown package esbuild in lockfile

Steps to reproduce

Clone any Elixir project with Hex deps in Codex web, then run setup:

mix local.hex --force
mix local.rebar --force
mix deps.get

.tool-versions

elixir 1.15.8-otp-25
erlang 25.3.2.21
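
Added example, not part of the original issue or of the codex-universal project: a triage script that maps the messages quoted above to the layer that produced them, so a trust-store failure (Unknown CA) is not confused with an HTTP failure at or beyond the proxy (503, connection termination). The layer labels and function names are made up for this example.

```bash
# Added example: triage of mix/Hex output behind a TLS-intercepting proxy.

# Map one line of mix output to the layer that produced it.
classify_line() {
  case "$1" in
    *"Unknown CA"*)
      # Handshake rejected: the issuer of the presented certificate is not
      # in the CA bundle the client used.
      echo "tls-trust" ;;
    *"upstream connect error or disconnect/reset before headers"*|*"bad_status_code, 503"*)
      # An HTTP response came back, so the TLS handshake succeeded;
      # the failure is at or beyond the proxy.
      echo "http-upstream" ;;
    *"Failed to fetch record"*|*"Failed to check for new Hex version"*)
      echo "registry-fetch" ;;
    *"Unknown package"*"in lockfile"*)
      # Follow-on error from a stale or empty registry cache.
      echo "follow-on" ;;
    *) echo "other" ;;
  esac
}

# Read a log on stdin and name the lowest-layer failure seen in it.
root_layer() {
  seen=""
  while IFS= read -r line; do
    seen="$seen $(classify_line "$line")"
  done
  case "$seen" in
    *tls-trust*)      echo "tls-trust" ;;
    *http-upstream*)  echo "http-upstream" ;;
    *registry-fetch*) echo "registry-fetch" ;;
    *follow-on*)      echo "follow-on" ;;
    *)                echo "none" ;;
  esac
}

# Report whether a CA bundle path (e.g. "$HEX_CACERTS_PATH") is usable at all.
# "pem" only means a certificate header is present, not that the chain validates.
ca_bundle_status() {
  [ -n "$1" ] || { echo "unset"; return; }
  [ -r "$1" ] || { echo "unreadable"; return; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && echo "pem" || echo "not-pem"
}

# Constructed sample logs, built from the messages quoted in the issue.
SAMPLE_TLS='TLS Fatal - Unknown CA'
SAMPLE_NOW='upstream connect error or disconnect/reset before headers. reset reason: connection termination
Failed to fetch record for <package> from registry (using cache instead)
** (Mix) Unknown package esbuild in lockfile'
```

Run as `mix deps.get 2>&1 | root_layer` after sourcing the file; a result of `http-upstream` means further changes to the CA bundle will not help.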
