OpenAI Codex (cloud) Elixir support

Has anyone managed to get Codex (the cloud version, as seen here) to work for Elixir?

I tried to setup the dependencies but mix deps.get always gives the following error:

{:failed_connect, [{:to_address, {~c"proxy", 8080}}, {:inet, [:inet], :econnrefused}]}
Failed to fetch record for plug from registry (using cache instead)

I’ve tried these but none seem to work:

export HEX_CACERTS_PATH="$CODEX_PROXY_CERT"
export HEX_UNSAFE_HTTPS="1"

My setup script that does work is this:

sudo add-apt-repository -y ppa:rabbitmq/rabbitmq-erlang
sudo apt update -y
sudo apt install -y git elixir erlang
mix archive.install github hexpm/hex branch latest --force

Installing things with Git seems fine, even mix can install deps that are pinned to a Github commit

The Docker image that runs has HTTP_PROXY and HTTPS_PROXY both set to http://proxy:8080

Not yet… Here’s my issue:

I’ve tried a lot. Works in docker, near as I could tell. But in their environment, nothing. Killin’ me right now.

Just found this. Pretty sure this info wasn’t there the other day. Will see if I can do anything w/ this knowledge
https://platform.openai.com/docs/codex#internet-access-and-network-proxy

So knowing about the proxy, I have this. But near as I can tell, I’m just getting blocked from pulling anything from hex. I’ll update my ticket, but haven’t seen OpenAI responding at all

#!/usr/bin/env bash
###############################################################################
# setup.sh  ──  Codex build-phase: Erlang 27 + Elixir 1.18 via mise, offline
###############################################################################
set -Eeuo pipefail
set -x                                # trace every command for debug
LOG() { printf '\n[%(%F %T)T] %s\n' -1 "$*"; }

###############################################################################
# 0 ▸ Sanity checks & proxy env
###############################################################################
: "${CODEX_PROXY_CERT:?ERROR: \$CODEX_PROXY_CERT is not set}"
export HTTP_PROXY="${http_proxy:-http://proxy:8080}"
export HTTPS_PROXY="${https_proxy:-http://proxy:8080}"

###############################################################################
# 1 ▸ Trust the Codex proxy CA  (system-wide)
###############################################################################
install -Dm644 "$CODEX_PROXY_CERT" \
  /usr/local/share/ca-certificates/codex-proxy.crt
update-ca-certificates --fresh

###############################################################################
# 2 ▸ Teach *APT* about the proxy  (APT ignores env-vars)
###############################################################################
cat >/etc/apt/apt.conf.d/01codex-proxy <<EOF
Acquire::http::Proxy  "${HTTP_PROXY}";
Acquire::https::Proxy "${HTTPS_PROXY}";
EOF

###############################################################################
# 3 ▸ Install build prerequisites
###############################################################################
apt-get update -yqq
DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
  curl git ca-certificates \
  build-essential autoconf automake libtool \
  libncurses5-dev libssl-dev libwxgtk3.2-dev \
  openssl tar xz-utils

###############################################################################
# 4 ▸ Install mise (Rust runtime manager)
###############################################################################
curl -fsSL --retry 5 --retry-delay 4 https://mise.run | \
  bash -s -- --yes  # non-interactive

# mise binaries
export PATH="$HOME/.local/share/mise/bin:$HOME/.local/bin:$PATH"
# mise shims (erl, iex, elixir, … will live here)
export PATH="$HOME/.local/share/mise/shims:$PATH"

# load mise hook functions for the current shell
eval "$(mise activate bash)"

mise --version                       # debug print

###############################################################################
# 5 ▸ Build Erlang 27 & Elixir 1.18 with mise
###############################################################################
export KERL_CONFIGURE_OPTIONS="--without-wx --disable-jit --with-ssl=/usr"
export MAKEFLAGS="-j$(nproc)"

mise install erlang@27               # compiles from source, cached by mise
mise install elixir@1.18

mise use erlang@27 elixir@1.18   # make them default for the rest of script
erl -eval 'erlang:display(erlang:system_info(otp_release)),halt().' -noshell
elixir -v

###############################################################################
# 6 ▸ TLS settings for Erlang/Hex/Mix
###############################################################################
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export HEX_CACERTS_PATH=$SSL_CERT_FILE
export MIX_ENV=prod
export MIX_DEBUG=1

###############################################################################
# 7 ▸ Install Hex, Rebar, deps, compile  (proxy-friendly)
###############################################################################
LOG "Installing Hex…"
if ! mix local.hex --force ; then
  LOG "builds.hex.pm unreachable ⇒ fetching Hex from GitHub…"
  mix archive.install --force \
       github hexpm/hex \
       tag    v2.2.1         # ← keep in sync with latest release as needed
fi
mix hex.info                 # debug: should print “Hex v2.2.1”

LOG "Installing Rebar3…"
if ! mix local.rebar --force ; then
  LOG "builds.hex.pm unreachable ⇒ fetching rebar3 binary from GitHub…"
  REBAR_VER="3.24.0"         # current stable (change when a new one drops)
  curl -fsSL --retry 5 --retry-delay 4 \
       "https://github.com/erlang/rebar3/releases/download/${REBAR_VER}/rebar3" \
       -o "$HOME/.mix/rebar3"
  chmod +x "$HOME/.mix/rebar3"
fi
"$HOME/.mix/rebar3" --version # debug: prints rebar 3.24.0

export HEX_HTTP_CONCURRENCY=1     # ONE connection → HTTP/1.1, no multiplexing
export HEX_HTTP_TIMEOUT=300000    # 5-minute per-request timeout (default 15 s)
export HEX_HTTP_RETRIES=5         # built-in retries for registry & tarballs
LOG "Hex proxy tuning: concurrency=$HEX_HTTP_CONCURRENCY, timeout=$HEX_HTTP_TIMEOUT"

###############################################################################
# 8 ▸ Fetch deps with retry wrapper
###############################################################################
env

for ATTEMPT in {1..5}; do
  LOG "mix deps.get attempt $ATTEMPT …"
  if mix deps.get --verbose ; then
    break
  fi
  LOG "mix deps.get failed – sleeping 10 s and retrying"
  sleep 10
done

LOG "mix compile …"
mix compile --warnings-as-errors

#####################################################################
# 8 ▸ Smoke test TLS through the proxy (repo.hex.pm)
###############################################################################
erl -noshell -eval '
ssl:start(),
case ssl:connect("repo.hex.pm",443,[],5000) of
  {ok,S} -> io:format("TLS OK (~p)~n",[ssl:negotiated_protocol(S)]), ssl:close(S), halt(0);
  E      -> io:format("TLS FAILED: ~p~n",[E]), halt(1)
end.'

LOG "✅  setup.sh finished – fully offline runtime ready."

For the sake of comparing notes, here’s my experience trying to get mix deps.get working in a Codex environment. It looks like I’m hitting a proxy wall too.

Based on Codex’s documentation on internet access and proxies, here’s what I tried after installing Elixir via asdf:

1. Set all the recommended proxy and cert env vars:

   export http_proxy="http://proxy:8080"
   export https_proxy="http://proxy:8080"
   export SSL_CERT_FILE="$CODEX_PROXY_CERT"
   export REQUESTS_CA_BUNDLE="$CODEX_PROXY_CERT"
   export HEX_CACERTS_PATH="$CODEX_PROXY_CERT"
   export HEX_HTTP_CONCURRENCY=1
   

2. Installed Hex manually (since mix local.hex --force fails with a 503):

   mix archive.install github hexpm/hex --branch latest --force
   

3. Ran mix deps.get and got this repeated error:

   upstream connect error or disconnect/reset before headers. reset reason: connection termination
   

It looks like repo.hex.pm is getting blocked entirely, or the TLS handshake is being dropped by the proxy. Even with HEX_CACERTS_PATH pointing to the Codex proxy cert, the connection fails before it completes.

I noticed the docs say:

Environments are pre-configured to work with common tools and package managers

So I’m guessing Hex just isn’t allowed yet the way pip, npm, and others are.

Would love to get this working. Happy to test more or compare setups.

FWIW here’s my full script up until I try doing mix local.hex --force

#!/usr/bin/env bash
# bootstrap_asdf_prebuilt.sh – pulls binary OTP builds, so no C tool-chain needed
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

# 1. Runtime-only libs (<< 10 MB total)
apt-get update -qq
apt-get install -y --no-install-recommends libssl3 zlib1g libncurses6
rm -rf /var/lib/apt/lists/*

# 2. asdf (same as before, but no gcc/make)
git clone -q https://github.com/asdf-vm/asdf.git /opt/asdf --branch v0.14.1
echo '. /opt/asdf/asdf.sh' >> /etc/bash.bashrc
. /opt/asdf/asdf.sh

# 3. **Pre-built** plugin for Erlang
asdf plugin add erlang https://github.com/michallepicki/asdf-erlang-prebuilt-ubuntu-24.04.git || true
asdf plugin add elixir
asdf plugin add nodejs

# 4. Honour your .tool-versions file
asdf install
asdf reshim

echo "🔥 OTP and Elixir installed"

export http_proxy="http://proxy:8080"
export https_proxy="http://proxy:8080"
export SSL_CERT_FILE="$CODEX_PROXY_CERT"
export REQUESTS_CA_BUNDLE="$CODEX_PROXY_CERT"
export HEX_CACERTS_PATH="$CODEX_PROXY_CERT"
export HEX_HTTP_CONCURRENCY=1

I thought I was losing my mind because I spent a few hours debugging this. Even downloaded the codex Dockerfile and it was working locally.

Has anyone found a solution? Hopefully codex can resolve this on their end!

I have run into the same trouble, and haven’t found a work around.

Generally seeing 503s from build.hex.pm—I’m wondering if they’re actively blocking OpenAI calls?

OpenAI announced that you can have full internet access. But there doesn’t seem to be a way to enable it. They say it’s on a per environment basis, but there is no option anywhere for it.

They also say the setup phase has full internet access, but it clearly doesn’t because no matter what I do to install dependencies, it just doesn’t work.

Check out the allowlist found here. hex.pm is completely missing: https://platform.openai.com/docs/codex/agent-network

There doesn’t seem to be a way to configure it, despite their docs clearly stating that you can. Am I just blind?

Turns out it was a UI error. I hit shift + refresh and it showed up. And yet, hex still seems to be restricted.

I still have to run mix archive.install github hexpm/hex branch latest --force which works, but when I run mix deps.get, I get the following:

{:could_not_establish_ssl_tunnel, {~c"HTTP/1.1", 403, ~c"Forbidden"}}

internet access864×602 21.5 KB

I get the impression that « Additional allowed domains » only applies to what the agent can access during its tasks, not the domains accessible during setup. Or maybe hex.pm blocks requests coming from Codex?

In any case, I haven’t found a workaround either… It’s frustrating!

I’m leaning toward this, too! I saw few 403 errors in the logs coming from repo.hex.pm, so it’s likely a hex.pm issue. I’m super bummed about it. I think Claude Code is the closest alternative. I’m gonna give that a shot!

Success! After spending a few hours with ChatGPT o3, I have finally managed to cast an incantation that seems to work! Some of the steps might be not necessary, and I might play with the script some more to experiment what can be safely removed.

TL;DR of the two critical steps:

• Need to compile Erlang with the right certificates (just using the binaries doesn’t seem to work). That’s unfortunate, as compiling Erlang takes the most amount of time (be patient!)
• Need to use a different Hex proxy jsDeliver from Mirrors | Hex; the official one doesn’t seem to work

Here is the script - let me know if it works for you, and how we can eliminate the unnecessary settings.

Thanks a lot! It works on my side too

I made some tweaks to it for my setup, but that worked! Thank you

I can’t get it to work (using the last version of the above gist), still getting errors when trying to install anything from hex.pm or cdn.jsdeliver.net:

** (Mix) httpc request failed with: {:bad_status_code, 503}
Could not install Rebar because Mix could not download metadata at https://cdn.jsdelivr.net/hex/installs/rebar3-1.x.csv.

What did you tweak to get it working for you?

After some trial I find jsdeliver mirror too unreliable. Package installs fail randomly or popular packages are not found on the mirror. I went back to not running mix deps.get at all

I made tweaks specific to my build and nothing to do with mix deps.get

The error you described happens when you run mix local.hex --force. I couldn’t find a way around that, but thankfully the error gives you an option. Run this instead:

mix archive.install github hexpm/hex branch latest --force

Have you tried that?

Ya, the headache of setting Codex up drove me to check out Claude Code. It’s a much better developer experience IMO.

I’ve personally been using Cursor with agent mode. If you use a smart model like o3 it works pretty well.

Honestly I think the best solution is, if one of us has a contact at OpenAI, request them to whitelist hex.pm. Until then it’s really not worth it with all the other options out there.

I haven’t done very extensive experiments, but it might be also a hex.pm issue. I don’t think OpenAI blocks the traffic in any specific way.