diff --git a/scripts/lib/build-pgroonga b/scripts/lib/build-pgroonga
index ce589262f5..11ca220413 100755
--- a/scripts/lib/build-pgroonga
+++ b/scripts/lib/build-pgroonga
@@ -8,7 +8,7 @@ tmpdir="$(mktemp -d)"
 trap 'rm -r "$tmpdir"' EXIT
 cd "$tmpdir"
 tarball="pgroonga-$version.tar.gz"
-curl -fLO "https://packages.groonga.org/source/pgroonga/$tarball"
+curl -fLO --retry 3 "https://packages.groonga.org/source/pgroonga/$tarball"
 sha256sum -c <<<"$sha256 $tarball"
 tar -xzf "$tarball"
 cd "pgroonga-$version"
diff --git a/scripts/lib/install-node b/scripts/lib/install-node
index af8157a268..db231168f0 100755
--- a/scripts/lib/install-node
+++ b/scripts/lib/install-node
@@ -24,7 +24,7 @@ if ! check_version 2>/dev/null; then
     tmpdir="$(mktemp -d)"
     trap 'rm -r "$tmpdir"' EXIT
     cd "$tmpdir"
-    curl_opts=(-fLO)
+    curl_opts=(-fLO --retry 3)
     if [ -n "${CUSTOM_CA_CERTIFICATES:-}" ]; then
         curl_opts+=(--cacert "${CUSTOM_CA_CERTIFICATES}")
     fi
diff --git a/scripts/lib/install-yarn b/scripts/lib/install-yarn
index d70619c1e5..46f05808b6 100755
--- a/scripts/lib/install-yarn
+++ b/scripts/lib/install-yarn
@@ -18,7 +18,7 @@ if ! check_version; then
     tmpdir="$(mktemp -d)"
     trap 'rm -r "$tmpdir"' EXIT
     cd "$tmpdir"
-    curl -fLO "https://registry.npmjs.org/yarn/-/$tarball"
+    curl -fLO --retry 3 "https://registry.npmjs.org/yarn/-/$tarball"
     sha256sum -c <<<"$sha256 $tarball"
     rm -rf /srv/zulip-yarn
     mkdir /srv/zulip-yarn
diff --git a/scripts/setup/apt-repos/zulip/custom.sh b/scripts/setup/apt-repos/zulip/custom.sh
index b8508fb9bc..c8fc1f1bd1 100755
--- a/scripts/setup/apt-repos/zulip/custom.sh
+++ b/scripts/setup/apt-repos/zulip/custom.sh
@@ -26,8 +26,8 @@ if [[ ! -e /usr/share/doc/groonga-apt-source/copyright ]]; then
         } <<<"$os_info"
         groonga_apt_source_deb="groonga-apt-source-latest-$release.deb"
         groonga_apt_source_deb_sign="$groonga_apt_source_deb.asc.$pgroonga_apt_sign_key_fingerprint"
-        curl -fLO "https://packages.groonga.org/$distribution/$groonga_apt_source_deb"
-        curl -fLO "https://packages.groonga.org/$distribution/$groonga_apt_source_deb_sign"
+        curl -fLO --retry 3 "https://packages.groonga.org/$distribution/$groonga_apt_source_deb"
+        curl -fLO --retry 3 "https://packages.groonga.org/$distribution/$groonga_apt_source_deb_sign"
         gpg \
             --homedir="$tmp_gpg_home" \
             --verify \
diff --git a/scripts/setup/sha256-tarball-to b/scripts/setup/sha256-tarball-to
index d32eaddb74..e59f0e0a7d 100755
--- a/scripts/setup/sha256-tarball-to
+++ b/scripts/setup/sha256-tarball-to
@@ -25,7 +25,7 @@ cd "$tmpdir"
 
 # Fetch to a predictable name, not whatever curl guesses from the URL
 LOCALFILE="archive.tar.gz"
-curl -fL -o "$LOCALFILE" "$URL"
+curl -fL --retry 3 -o "$LOCALFILE" "$URL"
 
 # Check the hash against what was passed in
 echo "$SHA256  $LOCALFILE" >"$LOCALFILE.sha256"
diff --git a/tools/ci/Dockerfile.prod b/tools/ci/Dockerfile.prod
index 55f8f5b25c..d813fc965d 100644
--- a/tools/ci/Dockerfile.prod
+++ b/tools/ci/Dockerfile.prod
@@ -12,7 +12,7 @@ FROM $BASE_IMAGE
 # Download the release tarball, start rabbitmq server and install the server
 ARG VERSION
 RUN cd $(mktemp -d) \
-  && curl -fLO "https://download.zulip.com/server/zulip-server-$VERSION.tar.gz" \
+  && curl -fLO --retry 3 "https://download.zulip.com/server/zulip-server-$VERSION.tar.gz" \
   && tar -xf "zulip-server-$VERSION.tar.gz" \
   # Version 3.4 predates ddb9d16132a6336b384bf674c4c950cd75d83e5c and 9d57fa97597ec176a8357d6620ab9e670ee19f4e
   && perl -pi -e 's/pgrep -f epmd/which pgrep && pgrep -x epmd/' zulip-server-$VERSION/puppet/zulip/manifests/rabbit.pp \
diff --git a/tools/push-to-pull-request b/tools/push-to-pull-request
index 4b3c5320b3..d0ed09bbd1 100755
--- a/tools/push-to-pull-request
+++ b/tools/push-to-pull-request
@@ -91,7 +91,7 @@ fi
 # seems to require authentication even for simple lookups of public data,
 # and that'd be a pain for a simple script like this.
 pr_url=https://api.github.com/repos/"${repo_fq}"/pulls/"${pr_id}"
-pr_details="$(curl -fLsS "$pr_url")"
+pr_details="$(curl -fLsS --retry 3 "$pr_url")"
 
 pr_jq() {
     echo "$pr_details" | jq "$@"
diff --git a/tools/setup/bootstrap-awscli.sh b/tools/setup/bootstrap-awscli.sh
index 0ec6a45afc..70363b7e14 100644
--- a/tools/setup/bootstrap-awscli.sh
+++ b/tools/setup/bootstrap-awscli.sh
@@ -19,7 +19,7 @@ if [ ! -d "/srv/zulip-aws-tools/v2/$AWS_CLI_VERSION" ]; then
     (
         cd /srv/zulip-aws-tools || exit 1
         rm -rf awscli.zip awscli.zip.sha256 aws/
-        curl -fL "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH-$AWS_CLI_VERSION.zip" -o awscli.zip
+        curl -fL --retry 3 "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH-$AWS_CLI_VERSION.zip" -o awscli.zip
         echo "$AWS_CLI_SHA  awscli.zip" >awscli.zip.sha256
         sha256sum -c awscli.zip.sha256
         unzip -q awscli.zip
diff --git a/tools/setup/dev-vagrant-docker/Dockerfile b/tools/setup/dev-vagrant-docker/Dockerfile
index 16c7890bd5..9c40c43d6d 100644
--- a/tools/setup/dev-vagrant-docker/Dockerfile
+++ b/tools/setup/dev-vagrant-docker/Dockerfile
@@ -31,7 +31,7 @@ RUN \
     # managed by systemd start within Docker, which breaks normal
     # operation of systemd.
     dpkg-divert --add --rename /bin/systemctl \
-    && curl -fLsS -o /bin/systemctl 'https://raw.githubusercontent.com/gdraheim/docker-systemctl-replacement/v1.5.4505/files/docker/systemctl3.py' \
+    && curl -fLsS --retry 3 -o /bin/systemctl 'https://raw.githubusercontent.com/gdraheim/docker-systemctl-replacement/v1.5.4505/files/docker/systemctl3.py' \
     && echo '93006382a98aadfd2490e521824fc870759732ff80cd012ce0dfc70d4225c803  /bin/systemctl' | sha256sum -c \
     && chmod +x /bin/systemctl \
     && ln -nsf /bin/true /usr/sbin/policy-rc.d \
@@ -42,7 +42,7 @@ RUN \
     # Set up the vagrant user and its SSH key (globally public)
     && useradd -ms /bin/bash -u "$VAGRANT_UID" vagrant \
     && mkdir -m 700 ~vagrant/.ssh \
-    && curl -fLsS -o ~vagrant/.ssh/authorized_keys 'https://raw.githubusercontent.com/hashicorp/vagrant/be7876d83644aa6bdf7f951592fdc681506bcbe6/keys/vagrant.pub' \
+    && curl -fLsS --retry 3 -o ~vagrant/.ssh/authorized_keys 'https://raw.githubusercontent.com/hashicorp/vagrant/be7876d83644aa6bdf7f951592fdc681506bcbe6/keys/vagrant.pub' \
     && chown -R vagrant: ~vagrant/.ssh \
     && echo 'vagrant ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/vagrant
 
diff --git a/tools/setup/install-shellcheck b/tools/setup/install-shellcheck
index 3aaeb374ea..f9fa95e162 100755
--- a/tools/setup/install-shellcheck
+++ b/tools/setup/install-shellcheck
@@ -19,7 +19,7 @@ if ! check_version 2>/dev/null; then
     tmpdir="$(mktemp -d)"
     trap 'rm -r "$tmpdir"' EXIT
     cd "$tmpdir"
-    curl -fLO "https://github.com/koalaman/shellcheck/releases/download/v$version/$tarball"
+    curl -fLO --retry 3 "https://github.com/koalaman/shellcheck/releases/download/v$version/$tarball"
     sha256sum -c <<<"${sha256[$arch]} $tarball"
     tar -xJf "$tarball" --no-same-owner --strip-components=1 -C /usr/local/bin "shellcheck-v$version/shellcheck"
     check_version
diff --git a/tools/setup/install-shfmt b/tools/setup/install-shfmt
index 11af797932..0a9536124b 100755
--- a/tools/setup/install-shfmt
+++ b/tools/setup/install-shfmt
@@ -24,7 +24,7 @@ if ! check_version 2>/dev/null; then
     tmpdir="$(mktemp -d)"
     trap 'rm -r "$tmpdir"' EXIT
     cd "$tmpdir"
-    curl -fLO "https://github.com/mvdan/sh/releases/download/v$version/$binary"
+    curl -fLO --retry 3 "https://github.com/mvdan/sh/releases/download/v$version/$binary"
     sha256sum -c <<<"$sha256 $binary"
     chmod +x "$binary"
     mv "$binary" /usr/local/bin/shfmt