cachix / install-nix-action

Installs Nix on GitHub Actions for the supported platforms: Linux and macOS.
Apache License 2.0

Always set NIX_SSL_CERT_FILE #145

Closed amarshall closed 1 year ago

amarshall commented 1 year ago

Some things in nixpkgs expect this to be set. E.g.

NIX_SSL_CERT_FILE= ruby -r net/http -e 'Net::HTTP.get(URI("https://example.com"))'

With ruby from Nixpkgs, this will always fail with e.g.

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

However, with NIX_SSL_CERT_FILE set correctly, it will succeed.

amarshall commented 1 year ago

Actually, this may indeed not be necessary. Need to do a bit more debugging and will follow-up or close.

amarshall commented 1 year ago

This ended up being because the host OS has /etc/ssl/certs/ca-bundle.crt, whereas, by default, Nix’s OpenSSL is looking for /etc/ssl/certs/ca-certificates.crt. So whether NIX_SSL_CERT_FILE is needed depends on the host OS’s packaging.

I’ll leave it up for discussion whether this PR (or something similar) is wanted given the above, or if it should be closed and left up to consumers to handle host OSes with different CA cert paths. I’m comfortable with either.
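Added example (not part of the PR or of any comment in this thread): a shell check that a workflow step could run to decide whether NIX_SSL_CERT_FILE is needed on a given host, so that TLS verification keeps working against the host's real CA bundle. The function names are hypothetical, and every candidate path other than the two named in the comment above is an assumption about other distributions' packaging.

```shell
#!/bin/sh
# Path Nix's OpenSSL looks for by default, per the thread above.
NIX_DEFAULT_CA=/etc/ssl/certs/ca-certificates.crt

# Candidate bundles: the first two are from the thread; the rest are assumed
# locations on other distributions (adjust for your runner image).
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem"

# find_ca_bundle [ROOT]: print the first readable candidate under ROOT that
# contains at least one PEM certificate. Returns 1 if none is found.
find_ca_bundle() {
    root=${1:-}
    for p in $CA_CANDIDATES; do
        f="$root$p"
        if [ -r "$f" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# needed_cert_file [ROOT]: print the value NIX_SSL_CERT_FILE should get.
# Prints nothing when an explicit setting is already usable or when the
# default path exists; returns 1 when the host has no bundle at all.
needed_cert_file() {
    root=${1:-}
    if [ -n "${NIX_SSL_CERT_FILE:-}" ] && [ -r "$NIX_SSL_CERT_FILE" ]; then
        return 0
    fi
    bundle=$(find_ca_bundle "$root") || return 1
    if [ "$bundle" != "$root$NIX_DEFAULT_CA" ]; then
        printf '%s\n' "$bundle"
    fi
}

# Inside a GitHub Actions step, persist the value for later steps.
if [ -n "${GITHUB_ENV:-}" ]; then
    cert=$(needed_cert_file) || echo "no CA bundle found on this host" >&2
    if [ -n "${cert:-}" ]; then
        echo "NIX_SSL_CERT_FILE=$cert" >> "$GITHUB_ENV"
    fi
fi
```

The optional ROOT argument exists only so the logic can be exercised against a constructed directory tree instead of the real /etc.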

domenkozar commented 1 year ago

I'm happy to merge it if we know of a reproducible case where it's needed.

domenkozar commented 1 year ago

Closing for now, let me know if you can reproduce it again.