Open leon-thomm opened 1 month ago
I wonder if behavior changes with --option ssl-cert-file /path/to/bundle
(it might not, since I think it takes effect in the same way NIX_SSL_CERT_FILE
does, but worth a shot...)
yeah same result, unfortunately
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/nix-build-curl-issues-behind-proxy/45911/5
> Fetchers such as `fetchzip`

since `fetchzip` is not a nix builtin but implemented in nixpkgs (based on `fetchurl`), this issue should perhaps be moved to the nixpkgs repo instead?
I thought it might also be a Nix (daemon?) issue that it kills `NIX_SSL_CERT_FILE` or something, because I experienced this with multiple fetchers, but I don't actually know. What do you think?
Hmm, indeed curl in nixpkgs does reference `NIX_SSL_CERT_FILE` in a comment - not sure how this is intended to fit together.
https://github.com/NixOS/nix/issues/3155 and https://discourse.nixos.org/t/nix-cannot-find-my-custom-ssl-certificate/27361/5 might also be relevant.
yeah, I saw those issues and already applied the `Environment` fix, by adding `NIX_SSL_CERT_FILE` to `systemd.services.nix-daemon.serviceConfig.Environment`, and checking `systemctl show nix-daemon | grep Environment`, whose output correctly includes

```
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
```
A workaround when using curl through `fetchurl` is to set `NIX_CURL_FLAGS` in the nix-daemon environment [1] [2]. On NixOS in `configuration.nix` you can do something like this:

```nix
systemd.services.nix-daemon = {
  enable = true;
  serviceConfig = {
    Environment = [
      "NIX_CURL_FLAGS=\"--cacert /etc/ssl/certs/ca-certificates.crt\""
    ];
  };
};
```

which seems to work in my setup. Still, I think `NIX_SSL_CERT_FILE` should be fixed and used instead.

edit: this workaround seems to work with `nix-build` but not with `nixos-rebuild` on NixOS, which runs into the original error.
Triaged in Nix maintainers meeting:
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/2024-05-29-nix-team-meeting-minutes-148/46195/1
Another hacky workaround is to utilize the extra certificate arguments of the `cacert` package. This way, your certificates will also end up in `${cacert}/etc/ssl/certs/ca-bundle.crt`. On NixOS, you can do

```nix
nixpkgs.overlays = [
  (final: prev: {
    cacert = prev.cacert.overrideAttrs (old: {
      extraCertificateStrings = [ your_certificates ];
    });
  })
];
```

Since almost everything on your system transitively depends on `cacert`, `nixos-rebuild` will re-compile most of NixOS from scratch. I had to pass `--max-jobs 1` in order to not run out of memory, and this took more than a day.
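The checks that the comments above do by hand (reading the `Environment=` line of `systemctl show nix-daemon`, then asking whether the bundle those variables point at actually contains the intercepting proxy's CA, and whether the nixpkgs `${cacert}` bundle does) can be scripted. The following is an added example, not code from this issue, from Nix or from nixpkgs. It uses only the Python standard library: it parses the systemd `Environment=` line with shell quoting rules (which is why the `NIX_CURL_FLAGS` value in the workaround needs the inner quotes), extracts every `CERTIFICATE` block from a PEM bundle and compares SHA-256 fingerprints of the DER bytes. All PEM data in it is constructed: base64 blobs standing in for DER certificates, which is sufficient because fingerprint comparison does not parse X.509. In real use you would read the bundle files from disk and capture the output of `systemctl show nix-daemon`; the `${cacert}/etc/ssl/certs/ca-bundle.crt` key is the placeholder notation used in this thread, not a real store path.

```python
"""Check which CA bundle the nix-daemon environment points at and whether
the proxy CA is in it. Added example; all PEM data below is CONSTRUCTED."""
import base64
import hashlib
import re
import shlex

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprints (hex) of every CERTIFICATE block in a PEM bundle."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def parse_environment(systemctl_show_output: str) -> dict[str, str]:
    """Parse Environment= lines as printed by `systemctl show <unit>`.

    systemd space-separates the assignments and quotes values containing
    spaces, so shlex (POSIX quoting) recovers the actual values."""
    env = {}
    for line in systemctl_show_output.splitlines():
        if not line.startswith("Environment="):
            continue
        for assignment in shlex.split(line[len("Environment="):]):
            key, sep, value = assignment.partition("=")
            if sep:
                env[key] = value
    return env

def check_daemon_trust(systemctl_show_output, bundles, proxy_ca_pem):
    """For each cert-path variable: (path, bundle readable?, proxy CA inside?).

    `bundles` maps a bundle path to its PEM content (read from disk in real use)."""
    env = parse_environment(systemctl_show_output)
    want = pem_fingerprints(proxy_ca_pem)
    result = {}
    for var in ("NIX_SSL_CERT_FILE", "CURL_CA_BUNDLE"):
        path = env.get(var)
        pem = bundles.get(path) if path is not None else None
        if pem is None:
            result[var] = (path, False, False)
            continue
        have = set(pem_fingerprints(pem))
        result[var] = (path, True, all(fp in have for fp in want))
    return result

# ---- constructed sample data (NOT real certificates) -----------------------
def _fake_cert(seed: bytes) -> str:
    """CONSTRUCTED stand-in for a PEM certificate: base64 of derived bytes."""
    body = base64.encodebytes(hashlib.sha256(seed).digest() * 3).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

PROXY_CA = _fake_cert(b"corp-intercepting-proxy-ca")   # constructed
PUBLIC_CA = _fake_cert(b"some-public-root")            # constructed

# system bundle with security.pki.certificates applied vs. the nixpkgs cacert bundle
SYSTEM_BUNDLE = PUBLIC_CA + PROXY_CA
NIXPKGS_BUNDLE = PUBLIC_CA
BUNDLES = {
    "/etc/ssl/certs/ca-certificates.crt": SYSTEM_BUNDLE,
    "${cacert}/etc/ssl/certs/ca-bundle.crt": NIXPKGS_BUNDLE,   # placeholder path
}

# constructed: what `systemctl show nix-daemon | grep Environment` prints
# after the Environment fix and the NIX_CURL_FLAGS workaround are applied
SYSTEMCTL_SHOW = (
    "Environment=CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt "
    "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt "
    'NIX_CURL_FLAGS="--cacert /etc/ssl/certs/ca-certificates.crt"\n'
)

if __name__ == "__main__":
    for var, (path, found, ok) in check_daemon_trust(SYSTEMCTL_SHOW, BUNDLES, PROXY_CA).items():
        print(f"{var}: path={path} bundle_readable={found} proxy_ca_present={ok}")
    in_cacert = pem_fingerprints(PROXY_CA)[0] in pem_fingerprints(NIXPKGS_BUNDLE)
    print("proxy CA present in ${cacert} bundle:", in_cacert)
```

Both daemon variables resolve to the system bundle, which does contain the proxy CA, while the `${cacert}` bundle the fetchers consult does not; that is exactly the split the issue body describes.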
Describe the bug

Fetchers such as `fetchzip` rely on `curl`, which by default will try to verify SSL certificates. When running behind an intercepting proxy, `curl` must either be run with `--insecure`, or it must be given a certificate bundle containing the self-signed certificate, e.g. through the `CURL_CA_BUNDLE` environment variable. It seems this information does not propagate to the build process through the nix daemon.

The documentation suggests the path to the SSL certificate bundle should propagate properly when setting `NIX_SSL_CERT_FILE`. I accordingly adjusted `environment.variables`. Indeed, `systemctl show nix-daemon | grep Environment` now shows correct entries for `NIX_SSL_CERT_FILE` and even `CURL_CA_BUNDLE`, but the build fails as described below.

Steps To Reproduce

1. `security.pki.certificates`
2. Verify that your proxy works, and curl succeeds if and only if `CURL_CA_BUNDLE` is set properly
3. `fetchzip`, `fetchFromGitHub`, or similar (no `fetchTarball`)
4. See error

Expected behavior

Succeeding build.

`nix-env --version` output

Additional context

The fact that the fetchers don't consider system certificates IMO is a bug in itself. They wrongly use `${cacert}/etc/ssl/certs/ca-bundle.crt`, which gives rise to this issue in the first place (explanation). Nevertheless, `NIX_SSL_CERT_FILE` should still override it.

Priorities

Add :+1: to issues you find important.