Proxy Setting Considerations

Proxy Configuration Priority

Chocolatey applies proxy configuration based on the order below:

1. Command line arguments.
2. Chocolatey configuration.
3. Environment variables.
4. System configured proxy server.

Known Limitations

Certain Chocolatey products are known to apply different proxy settings depending on circumstances.

• Chocolatey GUI - Downloading icons does not honor Chocolatey CLI proxy settings.
• Chocolatey Licensed Extension - VirusTotal checking at runtime does not use any proxy.
• Chocolatey Agent - Agent communications do not use any proxy configuration.

Installing Chocolatey From Behind a Proxy Server

When trying to install Chocolatey behind a proxy server, you may be faced with one of the following errors:

Get Response returned: (407) Proxy Authentication Required

or

The underlying connection was closed: Could not establish trust relationship for the SSL / TLS secure channel.

Steps to help address this:

1. Copy the install.ps1 file locally.
2. Open a PowerShell command line as administrator.
3. If not using a proxy with authentication, set the default proxy credentials with [Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultCredentials.
4. Set the following environment variables:
   1. $env:chocolateyProxyLocation (in the format proxyserver:proxyport, see below for an example).
5. If your proxy requires authentication, set the following variables:
   1. $env:chocolateyProxyUser (if using a domain account, ensure you have the appropriate domain prefix for the account, e.g. AD\UserName or UserName).
   2. $env:chocolateyProxyPassword.
6. With that same shell open where the environment variables are set, run the downloaded script to install Chocolatey.

In PowerShell, it looks like this:

[Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultCredentials
$env:chocolateyProxyLocation = 'https://local.proxy.address:8001'

# Un-comment the following lines if your proxy server requires explicit authentication and
# substitute your username and password.
#$env:chocolateyProxyUser = 'username'
#$env:chocolateyProxyPassword = 'password'

# Run the downloaded install script
& "C:\Path\to\script\install.ps1"

:choco-info: NOTE

This will only work with the installation methods that call https://community.chocolatey.org/install.ps1 (or use a similar script, like Puppet/Chef scripts do) as part of the install.

Troubleshooting Installation

You've tried everything and Chocolatey still won't install from https://community.chocolatey.org -

The underlying connection was closed: Could not establish trust relationship for the SSL / TLS secure channel.

It could also be that your trusted root certificates are missing or not up to date (Windows 2012 does not install root certificates by default). You will need to download and install the following certificates into your LocalMachine's Trusted Root Certification Authorities certificate store.

To access community.chocolatey.org:

• Go Daddy Secure Certificate Authority - G2 (File: gdroot-g2.crt; Thumbprint: 47BEABC922EAE80E78783462A79F45C254FDE68B). (On the download page, this certificate is named GoDaddy Class 2 Certification Authority Root Certificate - G2 and its listed thumbprint (45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA) is wrong.

To access packages.chocolatey.org:

• AddTrust External CA Root (File: addtrustexternalcaroot.crt; Thumbprint: 02FAF3E291435468607857694DF5E45B68851868)

System Proxy Settings

Chocolatey by default already supports system set proxy servers

:choco-info: NOTE

Unfortunately proxy bypass lists may not be available when using this method. We recommend explicit proxy settings.

Existing Proxy Environment Variables

Chocolatey will automatically pick up the following environment variables if they are already set:

• http_proxy.
• https_proxy.
• no_proxy.

Explicit Proxy Settings

Chocolatey has explicit proxy support through the choco config command.

You can simply configure up to 5 settings and Chocolatey will use a proxy server. proxy is required and is the location and port of the proxy server. The values for user/password are only used for credentials when both are present.

choco config set --name="'proxy'" --value="'<LOCATION-AND-PORT>'"
choco config set --name="'proxyUser'" --value="'<USERNAME>'" #optional
choco config set --name="'proxyPassword'" --value="'<PASSWORD>'" # optional, will be encrypted in the configuration file
choco config set --name="'proxyBypassList'" --value="'<BYPASS-LIST-COMMA-SEPARATED>'" # optional
choco config set --name="'proxyBypassOnLocal'" --value="'true'" # optional

Example

Running the following commands:

choco config set --name="'proxy'" --value="'http://localhost:8888'"
choco config set --name="'proxyUser'" --value="'bob'"
choco config set --name="'proxyPassword'" --value="'123Sup#rSecur3'"
choco config set --name="'proxyBypassList'" --value="'http://localhost,http://this.location/'"
choco config set --name="'proxyBypassOnLocal'" --value="'true'"

Results in the following items being added to the config file:

Explicit Proxy Settings at Runtime

You can pass proxy information at runtime with each command. See https://github.com/chocolatey/choco/issues/1173

--proxy="'value'" --proxy-user="'<user>'" --proxy-password="'<pwd>'" --proxy-bypass-list="'<comma separated, list>'" --proxy-bypass-on-local

What to do if My Proxy is Socks?

It may just work. It hasn't been validated yet.