NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nss-cacert fails to build with extra cert #309623

Open con-f-use opened 1 month ago

con-f-use commented 1 month ago

Describe the bug

nss-cacert fails to build on 25865a40d14b3f9cf19f19b924e2ab4069b09588 when adding an extra cert via overlay.

Overlay:

  cudaCacertOverlay = final: prev: {
    # Might be necessary at one point, but triggers a giant rebuild
    cacert = prev.cacert.overrideAttrs (oldAttrs: {
      buildPhase = oldAttrs.buildPhase + ''
        # append a label line and then the PEM contents of the extra CA to the bundle
        printf "inspection1\n" >> ca-bundle.crt
        cat ${final.fetchurl { url = "https://.../ssl_inspection_vie.pem"; hash = "..."; }} >> ca-bundle.crt
      '';
    });
  };

error: builder for '/nix/store/0hybl6rrblfmiiprga0y48jch3swscga-nss-cacert-3.98.drv' failed with exit code 1;
       last 10 log lines:
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/bin/.buildcatrust-wrapped", line 9, in <module>
       >     sys.exit(main())
       >              ^^^^^^
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 243, in main
       >     sys.exit(cli_main(sys.argv[1:]) or 0)
       >              ^^^^^^^^^^^^^^^^^^^^^^
       >   File "/nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py", line 182, in cli_main
       >     raise FileNotFoundError(f"Bundle not found: {bundle_path}")
       > FileNotFoundError: Bundle not found: /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
       > /nix/store/7ghnvjb57wv8ss1xy3y9il59sbvivba0-ssl_inspection_vie.pem
       For full logs, run 'nix log /nix/store/0hybl6rrblfmiiprga0y48jch3swscga-nss-cacert-3.98.drv'.
error (ignored): error: cannot unlink '/tmp/nix-build-OVMF-202402.drv-1/edk2-unvendored-src/CryptoPkg/Library/OpensslLib/openssl/crypto/aes': Directory not empty
error: 1 dependencies of derivation '/nix/store/wzyj1chckf8wrq6564h2c2snx70p9jar-etc.drv' failed to build
error (ignored): error: cannot unlink '/tmp/nix-build-vault-1.16.2-go-modules.drv-0/source/ui/app': Directory not empty
error (ignored): error: cannot unlink '/tmp/nix-build-sudo-1.9.15p5.drv-0/sudo-1.9.15p5': Directory not empty

The file(s) it claims do not exist, do:

image

Edit:

Realistically, it was one of these changes that caused the problem:

Probably the second one @RaitoBezarius .



con-f-use commented 1 month ago

Doesn't seem to have anything to do with my overlay, because it doesn't even get applied.

I can run the Python code that fails and then raises just fine outside of a build:

$ cat t.py 
import os
import os.path
import sys

bundle_path = sys.argv[1]

# --> copied verbatim from /nix/store/vrnihg3gq6hkh5c4mljhnfxw4n45cl5g-python3.11-buildcatrust-0.3.0/lib/python3.11/site-packages/buildcatrust/cli.py
if os.path.isfile(bundle_path):
    bundle_files = [bundle_path]
elif os.path.isdir(bundle_path):
    bundle_files = [
        os.path.join(bundle_path, f) for f in os.listdir(bundle_path)
    ]
    bundle_files = [f for f in bundle_files if os.path.isfile(f)]
else:
    raise FileNotFoundError(f"Bundle not found: {bundle_path}")
# <--- end copy

print(bundle_files)

$ python t.py /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
['/nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem']

$ cat /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
-----BEGIN CERTIFICATE-----
MIIDiDCCAnCgAwIBAgIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJBVDEe
...
BebRzRFv7JqaDAHX5AK1VzgPABs4BjWey3n0pR7OK0qRxbEweZQ2qZWdyRE=
-----END CERTIFICATE-----

It might be a shell escaping error for the arguments. Maybe

       > FileNotFoundError: Bundle not found: /nix/store/784qyyvwkr1aki4fwp2c3g8l2qmppa9p-ssl_inspection.pem
       > /nix/store/7ghnvjb57wv8ss1xy3y9il59sbvivba0-ssl_inspection_vie.pem

is a hint that the two certificates are interpreted as a single argument with a newline in it.
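Constructed reproduction of the hypothesis in the comment above (added here; it is not code from the issue, from buildcatrust or from nixpkgs). The lookup function is re-implemented from the cli.py lines quoted in the thread, the file names and PEM contents are placeholders, and the newline-joined argument is an assumption about how the two paths arrive, not something taken from the NixOS module:

```python
import os
import tempfile

# Constructed stand-in for a PEM file; the body is a placeholder, not a real
# certificate, because only the path lookup is under test here.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholder\n"
    "-----END CERTIFICATE-----\n"
)


def resolve_bundle_files(bundle_path):
    """Same lookup as the snippet quoted from buildcatrust/cli.py: a regular
    file is returned as-is, a directory yields its regular files, anything
    else raises FileNotFoundError."""
    if os.path.isfile(bundle_path):
        return [bundle_path]
    if os.path.isdir(bundle_path):
        entries = [os.path.join(bundle_path, f) for f in os.listdir(bundle_path)]
        return [f for f in entries if os.path.isfile(f)]
    raise FileNotFoundError(f"Bundle not found: {bundle_path}")


def classify_arguments(argv):
    """Run the lookup over every argv entry and separate the paths that
    resolve from the error messages of the entries that do not."""
    resolved, errors = [], []
    for arg in argv:
        try:
            resolved.extend(resolve_bundle_files(arg))
        except FileNotFoundError as exc:
            errors.append(str(exc))
    return resolved, errors


def run_demo():
    """Create two certificate files and hand them to the lookup three ways:
    one argument per file, both joined into a single newline-separated
    argument (the shape the error message in the report suggests), and that
    joined argument split back on newlines (assumed to be what a shell's
    word splitting would do; store paths contain no newlines)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name in ("ssl_inspection.pem", "ssl_inspection_vie.pem"):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(FAKE_PEM)
            paths.append(path)

        separate, separate_errors = classify_arguments(paths)
        joined = "\n".join(paths)
        joined_ok, joined_errors = classify_arguments([joined])
        split_ok, split_errors = classify_arguments(joined.splitlines())

        return {
            "separate_resolved": len(separate),
            "separate_errors": len(separate_errors),
            "joined_resolved": len(joined_ok),
            "joined_errors": len(joined_errors),
            # the single error message carries both paths on two lines,
            # which is exactly what the quoted build log shows
            "joined_error_has_newline": "\n" in joined_errors[0],
            "split_resolved": len(split_ok),
            "split_errors": len(split_errors),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as `python3 repro.py`. The joined case reproduces the two-line "Bundle not found" message from the report, while the same two files passed as separate arguments (or split back on newlines) resolve cleanly, which is the behaviour the `t.py` check above already showed for one file at a time.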

adminy commented 1 month ago

Same issue here. Any file besides /etc/ssl/certs/ca-bundle.crt in security.pki.certificateFiles causes this error.

RaitoBezarius commented 1 month ago

Apologies, due to the current governance crisis I am unable to answer those issues right now; if those issues are solved, I will take a look and see how to solve it. Feel free to send PRs to the relevant projects if they can fix your issues.

SpriteOvO commented 3 weeks ago

Just a security.pki.certificateFiles setting should reproduce the problem.

  security.pki.certificateFiles = [
    "/etc/nixos/secret/headscale/rootCA.crt"
    "/etc/nixos/secret/headscale/cert.crt"
  ];

Is there a temporary workaround for it? Due to this problem, I am now unable to upgrade a server that is running an older version of NixOS. :cry:

Aleksanaa commented 2 weeks ago

This may have been resolved by https://github.com/NixOS/nixpkgs/pull/318219. Since the package contains:

https://github.com/NixOS/nixpkgs/blob/b8ead77a91b4a4f9cd069864ec0609bf48667a66/pkgs/data/misc/cacert/default.nix#L155-L208

And the tests were successfully built on ofBorg: https://logs.ofborg.org/?key=nixos/nixpkgs.318219&attempt_id=a3decc27-3d20-45fd-8def-d093d70ba8f0

Sorry I don't have time to test it. You can track the PR here: https://nixpk.gs/pr-tracker.html?pr=318219

jobs62 commented 2 weeks ago

I have been able to build my bundle by using nix-prefetch-url to copy the extra certificate into the store and then using the store path in extraCertificateFiles.