NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nss-cacert fails to build with extra cert #309623

Open con-f-use opened 6 months ago

con-f-use commented 6 months ago

Describe the bug

nss-cacert fails to build on 25865a40d14b3f9cf19f19b924e2ab4069b09588 when adding an extra cert via overlay.

Overlay:

  cudaCacertOverlay = final: prev: {
    # Might be necessary at one point, but triggers a giant rebuild
    cacert = prev.cacert.overrideAttrs (oldAttrs: {
      buildPhase = oldAttrs.buildPhase + ''
        printf "inspection1\n${fetchurl { url = "https://.../ssl_inspection_vie.pem"; hash = "..."; }}" >> ca-bundle.crt
      '';
    });
  };

error: builder for '/nix/store/0hybl6rrblfmiiprga0y48jch3swscga-nss-cacert-3.98.drv' failed with exit code 1;
       last 10 log lines:
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/bin/.buildcatrust-wrapped", line 9, in <module>
       >     sys.exit(main())
       >              ^^^^^^
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 243, in main
       >     sys.exit(cli_main(sys.argv[1:]) or 0)
       >              ^^^^^^^^^^^^^^^^^^^^^^
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 182, in cli_main
       >     raise FileNotFoundError(f"Bundle not found: {bundle_path}")
       > FileNotFoundError: Bundle not found: /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
       > /nix/store/7ghnvjb57wv8ss1xy3y9il59sbvivba0-ssl_inspection_vie.pem
       For full logs, run 'nix log /nix/store/0hybl6rrblfmiiprga0y48jch3swscga-nss-cacert-3.98.drv'.
error (ignored): error: cannot unlink '/tmp/nix-build-OVMF-202402.drv-1/edk2-unvendored-src/CryptoPkg/Library/OpensslLib/openssl/crypto/aes': Directory not empty
error: 1 dependencies of derivation '/nix/store/wzyj1chckf8wrq6564h2c2snx70p9jar-etc.drv' failed to build
error (ignored): error: cannot unlink '/tmp/nix-build-vault-1.16.2-go-modules.drv-0/source/ui/app': Directory not empty
error (ignored): error: cannot unlink '/tmp/nix-build-sudo-1.9.15p5.drv-0/sudo-1.9.15p5': Directory not empty

The file(s) it claims do not exist, do:

image

Edit:

Realistically, it was one of these changes that caused the problem:

Probably the second one, @RaitoBezarius.


con-f-use commented 6 months ago

Doesn't seem to have anything to do with my overlay, because it doesn't even get applied.

I can run the Python code that fails and raises just fine outside of a build:

$ cat t.py 
import os
import os.path
import sys

bundle_path = sys.argv[1]

# --> copied verbatim from /nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py
if os.path.isfile(bundle_path):
    bundle_files = [bundle_path]
elif os.path.isdir(bundle_path):
    bundle_files = [
        os.path.join(bundle_path, f) for f in os.listdir(bundle_path)
    ]
    bundle_files = [f for f in bundle_files if os.path.isfile(f)]
else:
    raise FileNotFoundError(f"Bundle not found: {bundle_path}")
# <--- end copy

print(bundle_files)

$ python t.py /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
['/nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem']

$ cat /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
-----BEGIN CERTIFICATE-----
MIIDiDCCAnCgAwIBAgIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJBVDEe
...
BebRzRFv7JqaDAHX5AK1VzgPABs4BjWey3n0pR7OK0qRxbEweZQ2qZWdyRE=
-----END CERTIFICATE-----

It might be a shell escaping error for the arguments. Maybe

       > FileNotFoundError: Bundle not found: /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
       > /nix/store/7ghnvjb57wv8ss1xy3y9il59sbvivba0-ssl_inspection_vie.pem

is a hint that the two certificates are interpreted as a single argument with a newline in it.
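To illustrate the hypothesis above, here is an added Python example (not buildcatrust's code and not from the issue): the first function mirrors the quoted decision logic, the second is a hypothetical variant that splits a newline-joined argument and reports each missing path, and demo() constructs two sample files to show the difference.

```python
import os
import os.path
import tempfile


def resolve_bundle_files(bundle_path):
    """Same decision logic as the buildcatrust excerpt quoted above:
    one path, which must be a file or a directory of files."""
    if os.path.isfile(bundle_path):
        return [bundle_path]
    if os.path.isdir(bundle_path):
        files = [os.path.join(bundle_path, f) for f in os.listdir(bundle_path)]
        return [f for f in files if os.path.isfile(f)]
    raise FileNotFoundError(f"Bundle not found: {bundle_path}")


def resolve_bundle_files_split(bundle_arg):
    """Hypothetical hardened variant (not buildcatrust's code): a
    newline-joined argument is treated as several paths, and every
    missing path is reported at once instead of the joined string."""
    paths = [p for p in bundle_arg.splitlines() if p.strip()]
    missing = [p for p in paths if not (os.path.isfile(p) or os.path.isdir(p))]
    if missing:
        raise FileNotFoundError("Bundle(s) not found: " + ", ".join(missing))
    resolved = []
    for p in paths:
        resolved.extend(resolve_bundle_files(p))
    return resolved


def demo():
    """Create two constructed PEM-style files and pass both as one
    newline-joined argument, as the error message above suggests happened.
    Returns (original_accepts_it, files_seen_by_split_variant)."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "ssl_inspection.pem")
        b = os.path.join(d, "ssl_inspection_vie.pem")
        for p in (a, b):
            with open(p, "w") as fh:  # constructed sample content, not a real cert
                fh.write("-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n")
        joined = a + "\n" + b  # one argv entry containing a newline
        try:
            resolve_bundle_files(joined)
            original_ok = True
        except FileNotFoundError:
            original_ok = False  # the newline makes it a non-existent filename
        return original_ok, len(resolve_bundle_files_split(joined))
```

Running demo() returns (False, 2): the joined string is rejected as a single missing file, while the split variant finds both files.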

adminy commented 6 months ago

Same issue here. Any file besides /etc/ssl/certs/ca-bundle.crt in security.pki.certificateFiles causes this error.

RaitoBezarius commented 6 months ago

Apologies, due to the current governance crisis, I am unable to answer those issues right now. If those issues are solved, I will take a look and see how to solve it. Feel free to send PRs to the relevant projects if they can fix your issues.

SpriteOvO commented 5 months ago

Just setting security.pki.certificateFiles should reproduce the problem.

  security.pki.certificateFiles = [
    "/etc/nixos/secret/headscale/rootCA.crt"
    "/etc/nixos/secret/headscale/cert.crt"
  ];

Is there a temporary workaround for it? Due to this problem, I am now unable to upgrade a server that is running an older version of NixOS. :cry:

Aleksanaa commented 5 months ago

This may have been resolved by https://github.com/NixOS/nixpkgs/pull/318219. Since the package contains:

https://github.com/NixOS/nixpkgs/blob/b8ead77a91b4a4f9cd069864ec0609bf48667a66/pkgs/data/misc/cacert/default.nix#L155-L208

And the tests were successfully built on ofBorg: https://logs.ofborg.org/?key=nixos/nixpkgs.318219&attempt_id=a3decc27-3d20-45fd-8def-d093d70ba8f0

Sorry I don't have time to test it. You can track the PR here: https://nixpk.gs/pr-tracker.html?pr=318219

jobs62 commented 5 months ago

I have been able to build my bundle by using nix-prefetch-url to copy the extra certificate into the store and then using the store path in extraCertificateFiles.

djhworld commented 4 months ago

Getting the same error:

these 3 derivations will be built:
  /nix/store/f71131zbzdqpikc6dhh5xbm6458n0azh-nss-cacert-3.101.drv
  /nix/store/sdags71jg8s7jvg8ybxlqyiazj0vah9z-etc.drv
  /nix/store/waaicmdsid9iawcc6jlcvwz517f6232p-nixos-system-vm-24.05.2933.c716603a63ac.drv
building '/nix/store/f71131zbzdqpikc6dhh5xbm6458n0azh-nss-cacert-3.101.drv'...
Running phase: unpackPhase
unpacking source archive /nix/store/8pp6bp787l1782b3xlrpqkcnjvz4xnkq-nss-cacert-certdata-3.101
source root is nss-cacert-certdata-3.101
Running phase: patchPhase
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
no configure script, doing nothing
Running phase: buildPhase
Traceback (most recent call last):
  File "/nix/store/ah6lbm3vjyplbipiff4p5z5lyymswkkv-python3.11-buildcatrust-0.3.0/bin/.buildcatrust-wrapped", line 9, in <module>
    sys.exit(main())
             ^^^^^^
  File "/nix/store/ah6lbm3vjyplbipiff4p5z5lyymswkkv-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 243, in main
    sys.exit(cli_main(sys.argv[1:]) or 0)
             ^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/ah6lbm3vjyplbipiff4p5z5lyymswkkv-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 182, in cli_main
    raise FileNotFoundError(f"Bundle not found: {bundle_path}")
FileNotFoundError: Bundle not found: /etc/nixos/files/pki/rootCA.crt

Even though the file exists:

$ sudo ls -lsa /etc/nixos/files/pki/
total 12
4 drwxr-xr-x 2 root root 4096 Jul 20 19:04 .
4 drwxr-xr-x 4 root root 4096 Jul 20 19:17 ..
4 -rw------- 1 root root 1842 Jul 20 19:04 rootCA.crt

Configuration:

  security.pki = {
    certificateFiles = [
      "/etc/nixos/files/pki/rootCA.crt"
    ];
  };

chrisguida commented 1 month ago

It seems this is breaking the new version of nss-cacert:

security.pki.certificateFiles = [ "/root/cert" ];

It worked on the old version and is preventing me from updating my system.

What is the new way to install a custom cert?

SpriteOvO commented 1 month ago

@chrisguida AFAIK, there is currently no way, I have rolled my server back to 23.11.

chrisguida commented 1 month ago

@SpriteOvO that seems... suboptimal :/

ok thanks for the info :)

Aleksanaa commented 1 month ago

> getting the same error

Try:

  security.pki = {
    certificateFiles = [
      ./rootCA.crt
    ];
  };

The CA is built in a container, and thus an absolute path won't be available inside, but a store path will.

chrisguida commented 1 month ago

@Aleksanaa are you saying my /root/cert .crt files are somehow magically imported into the build dir?