Diagnosing download timeout from chocolatey.org in a Windows Docker build

Question

I'm trying to put together a Windows Docker container that can run .NET builds. Given the dependencies I need the best way to do so seemed to be to make use of Chocolatey. However in the install step for Chocolatey I am getting a download timeout trying to run the command

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The full error is below.

Exception calling "DownloadString" with "1" argument(s): "The operation has
timed out"
At C:\install.ps1:3 char:51
+ ... ess -Force; iex ((New-Object System.Net.WebClient).DownloadString('ht ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordE
   xception
    + FullyQualifiedErrorId : WebException

This seems strange for a number of reasons.

1. I have successfully built this Docker image on a machine I hand rolled, but the failure happens consistently on our provisioned build machine.
2. I can RDP onto the machine and download the script outside the context of the docker container with no problem.
3. I can ping chocolatey.org without issue within the Docker container.
4. I can download the content of other sites from within the Docker container (i.e. google.com or nuget.org).
5. I have completely destroyed this build machine and provisioned a new one (via BOSH).

Conclusion: There seems to be some kind of networking issue related to Docker that does not prevent connection to the servers at chocolatey.org, but nonetheless prevents reading the contents of URLs from there.

However I'm out of tools for troubleshooting and any ideas would be greatly appreciated.

Full Docker file

FROM microsoft/windowsservercore:1709

COPY install.ps1 /install.ps1
RUN powershell /install.ps1

ENTRYPOINT powershell

Full install.ps1

$ErrorActionPreference = "Stop"

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install 7zip -y
choco install visualstudio2017professional -y
choco install visualstudio2017-workload-manageddesktop --includeOptional --pre -y
choco install visualstudio2017-workload-universal --includeOptional --pre -y

choco install nuget.commandline

Answer 1

When you are installing Chocolatey itself, ensure that TLS1.2 is available. This command line will add the TLS1.2 protocol to any existing protocols in the current console:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

To enable TLS1.2 on a system wide and permanent scope you must use the registry:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled = 1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault = 0

Also, after Chocolatey is installed, there are some chocolatey settings that can be useful for network issues:

choco config set --name="'commandExecutionTimeoutSeconds'" --value="'2700'"
choco config set --name="'webRequestTimeoutSeconds'" --value="'30'"
choco config set --name="'proxy'" --value="'myproxy.myorg.com:8080'"
choco config set --name="'proxyUser'" --value="'username'"
choco config set --name="'proxyPassword'" --value="'P@ssw0rd'"