DeterminateSystems / nix-installer

Install Nix and flakes with the fast and reliable Determinate Nix Installer, with over 7 million installs.
https://determinate.systems
GNU Lesser General Public License v2.1

SSL: MissingOrMalformedExtensions #381

Open zickzackv opened 1 year ago

zickzackv commented 1 year ago

Error

    Error:
       0: Install failure
       1: Error executing action `provision_nix`
       2: Child action `fetch_and_unpack_nix`
       3: Request error
       4: builder error: MissingOrMalformedExtensions
       5: MissingOrMalformedExtensions

Hoverbear commented 1 year ago

Hi! Could you tell me which OS this is on?

The docs suggest this error occurs because you have some invalid cert:

https://docs.rs/webpki/latest/webpki/enum.Error.html#variant.MissingOrMalformedExtensions

The certificate extensions are missing or malformed.

In particular, webpki requires the DNS name(s) be in the subjectAltName extension as required by the CA/Browser Forum Baseline Requirements and as recommended by RFC6125.

This looks related: https://github.com/seanmonstar/reqwest/pull/1316

zickzackv commented 1 year ago

Sorry, I wanted to leave some more information yesterday, but since this is my work computer I needed to fix my nix installation first.

nix-info says after getting my nix configuration to run:

    nix run nixpkgs#nix-info -- -m
     - system: `"aarch64-darwin"`
     - host os: `Darwin 22.3.0, macOS 13.2.1`
     - multi-user?: `no`
     - sandbox: `yes`
     - version: `nix-env (Nix) 2.11.1`
     - channels(root): `""`
     - nixpkgs: `not found`

I ran the installer with the following command line:

    RUST_BACKTRACE=full curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --ssl-cert-file /etc/ssl/export.pem --verbose

and it failed with the described error message. I got the installer running without the --ssl-cert-file option while constantly killing my company's zero trust system (zscaler).

Since my local certificate store (Keychain Access) contains the man-in-the-middle certificate of zscaler, I exported all certificates with the following command:

    TMP_CERT=/etc/ssl/export.pem
    security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > $TMP_CERT
    security find-certificate -a -p /Library/Keychains/System.keychain >> $TMP_CERT

This may have been the reason why I got this error in the first place. I had not tested the exported certificates with e.g. curl before.

zickzackv commented 1 year ago

I tested the exported certificates and the local system certificates with curl:

    /usr/bin/curl --cacert /etc/ssl/export.crt  -v -o /dev/null https://github.com |& grep -E '(CAfile:|SSL certificate verify ok.)'
    *  CAfile: /etc/ssl/export.crt
    *  SSL certificate verify ok.

vs.

     /usr/bin/curl  -v -o /dev/null https://github.com |& grep -E '(CAfile:|SSL certificate verify ok.)'
     *  CAfile: /etc/ssl/cert.pem
     *  SSL certificate verify ok.

So to my understanding, the exported certificates are fine for curl.

Hoverbear commented 1 year ago

Thanks for this! I'm going to investigate.

Hoverbear commented 1 year ago

One matter I'm curious about is what you see when you run this command against the certificate:

    $ openssl x509 -noout -ext subjectAltName -in /etc/ssl/certs/ca-certificates.crt
    X509v3 Subject Alternative Name:
        email:accv@accv.es

(If there is sensitive information, please obscure it!)

I was looking around at zscaler's site trying to find an example cert but couldn't find one. If it would be possible, I'd love to get a test cert or something I could try. (ana.hobden@determinate.systems is my email if you need). If not, I can try to cook one up but I need some more information about the shape of it.

zickzackv commented 1 year ago
    on ⛵ staging () nix-setup on  main [📥 (1)]
    ❯ nix run nixpkgs#openssl -- x509 -noout -ext subjectAltName -in /etc/ssl/export.crt
    No extensions in certificate

    on ⛵ staging () nix-setup on  main [📥 (1)]
    ❯ nix run nixpkgs#openssl -- x509 -noout -ext subjectAltName -in /etc/ssl/certs/ca-certificates.crt
    X509v3 Subject Alternative Name:
        email:accv@accv.es

/etc/ssl/export.crt is the file exported from the keychain. /etc/ssl/certs/ca-certificates.crt is the certificates file from my nix configuration, with the zscaler certificate added using this configuration:

    security.pki.certificates = [ ''...''];

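One caveat when reading the `openssl x509` output above: `openssl x509 -in bundle.pem` only parses the first certificate in a PEM bundle, so "No extensions in certificate" describes one entry, not the whole export. The script below (an added example, not code from the issue or from nix-installer) walks every certificate in a bundle with a minimal DER reader and reports the X.509 version, whether the optional `[3] extensions` field is present, and whether a subjectAltName OID appears in it. The sample bundle is constructed here: two structurally valid but unsigned certificates with dummy keys, the first a v3 certificate with extensions and the second a v1 certificate without any, which is the shape of entry webpki's `MissingOrMalformedExtensions` points at.

```python
"""Audit every certificate in a PEM bundle for X.509 version and the [3] extensions field.
Added example, not part of nix-installer; SAMPLE_BUNDLE is constructed, not a real CA export."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
SAN_OID_DER = b"\x06\x03\x55\x1d\x11"   # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)


def pem_to_ders(bundle: bytes) -> list:
    """Split a PEM bundle into one DER blob per certificate.
    `openssl x509 -in bundle.pem` silently inspects only the first of these."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def tbs_fields(der: bytes):
    """Yield (tag, value) for each top-level field of tbsCertificate (RFC 5280 4.1)."""
    _, cert_body, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, tbs_end = read_tlv(der, cert_body)    # tbsCertificate ::= SEQUENCE
    while pos < tbs_end:
        tag, vstart, vend = read_tlv(der, pos)
        yield tag, der[vstart:vend]
        pos = vend


def inspect_cert(der: bytes) -> dict:
    """Report the X.509 version and whether the optional [3] extensions field exists."""
    version, has_extensions, has_san = 1, False, False
    for tag, value in tbs_fields(der):
        if tag == 0xA0:                # [0] EXPLICIT Version INTEGER {v1(0), v2(1), v3(2)}
            version = value[-1] + 1
        elif tag == 0xA3:              # [3] EXPLICIT Extensions, v3 certificates only
            has_extensions = True
            has_san = SAN_OID_DER in value   # byte-pattern check, sufficient for an audit
    return {"version": version, "has_extensions": has_extensions, "has_san": has_san}


def audit_bundle(bundle: bytes) -> list:
    """Inspect every certificate in the bundle, keeping its position for cross-reference."""
    return [dict(index=i, **inspect_cert(der)) for i, der in enumerate(pem_to_ders(bundle))]


def certs_without_extensions(bundle: bytes) -> list:
    """Positions of entries that lack the v3 extensions field entirely."""
    return [r["index"] for r in audit_bundle(bundle) if not r["has_extensions"]]


# --- constructed sample bundle: structurally valid DER with dummy key and signature ---
def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one TLV (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_cert(with_extensions: bool) -> bytes:
    """Build a v3 certificate with an (empty) SAN extension, or a bare v1 certificate."""
    sha256_rsa = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = b""
    if with_extensions:
        tbs += tlv(0xA0, tlv(0x02, b"\x02"))                             # version v3
    tbs += tlv(0x02, b"\x01")                                             # serialNumber
    tbs += sha256_rsa                                                     # signature algorithm
    tbs += tlv(0x30, b"")                                                 # issuer (empty Name)
    tbs += tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"330101000000Z"))  # validity
    tbs += tlv(0x30, b"")                                                 # subject (empty Name)
    tbs += tlv(0x30, sha256_rsa + tlv(0x03, b"\x00\x00"))                 # subjectPublicKeyInfo (dummy)
    if with_extensions:
        san = tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x04, b"\x30\x00"))  # empty SAN
        tbs += tlv(0xA3, tlv(0x30, san))
    return tlv(0x30, tlv(0x30, tbs) + sha256_rsa + tlv(0x03, b"\x00\x00"))


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Healthy v3 entry first, extension-less v1 entry second: `openssl x509 -in` would
# only ever show the first one, which is exactly the blind spot this audit closes.
SAMPLE_BUNDLE = to_pem(make_cert(True)) + to_pem(make_cert(False))

if __name__ == "__main__":
    for row in audit_bundle(SAMPLE_BUNDLE):
        print(row)
    print("entries without extensions:", certs_without_extensions(SAMPLE_BUNDLE))
```

Run it against a real export with `audit_bundle(open("/etc/ssl/export.crt", "rb").read())` to get the position of each entry that lacks extensions; that position can then be matched back to a keychain entry. The DER reader deliberately stops at the top-level fields of tbsCertificate, which is all this check needs, and the SAN test is a byte-pattern match rather than a full extension parse.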
zickzackv commented 1 year ago

I grepped for a part/line of the base64 representation of the zscaler root cert in both files.

    on ⛵ staging () nix-setup on  main [📥 (1)] took 1m19s
    ❯ grep MQswCQYDVQQGEwJERTEfMB0GA1UECgwWRGV1dHNjaGVfS3JlZGl0YmFua19BRzEX /etc/ssl/export.crt
    MQswCQYDVQQGEwJERTEfMB0GA1UECgwWRGV1dHNjaGVfS3JlZGl0YmFua19BRzEX

    on ⛵ staging () nix-setup on  main [📥 (1)]
    ❯ grep MQswCQYDVQQGEwJERTEfMB0GA1UECgwWRGV1dHNjaGVfS3JlZGl0YmFua19BRzEX /etc/ssl/certs/ca-certificates.crt
    MQswCQYDVQQGEwJERTEfMB0GA1UECgwWRGV1dHNjaGVfS3JlZGl0YmFua19BRzEX

So both files include the zscaler root certificate.

Hoverbear commented 1 year ago

Thanks for this info, it helps! I think I need to do some digging. Sorry about the issues.

zickzackv commented 1 year ago

Thanks for looking into that issue.

Hoverbear commented 1 year ago

Still haven't found any leads here; making it part of the next release.