Cache.nixos.org peer certificate or SSH remote key was not OK (60)

jacg · February 18, 2022, 10:59am

On a specific machine, any Nix command executed by a normal user, which requires contacting cache.nixos.org fails with errors like these

error: unable to download 'https://cache.nixos.org/j6nzx7mn1y2irr6swbgc18dh1xli8svz.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 2552 ms

The problem only occurs for normal users, not root.
NIX_SSL_CERT_FILE is set in the user’s environment.
/usr/bin/openssl s_client -CAfile $NIX_SSL_CERT_FILE -connect cache.nixos.org:443 connects without a problem.
This occurs on a machine on which
- Nix 2.4 was installed originally.
- At least one failed attempt was made to upgrade (I don’t have the details available).
- Another attempt was made, by completely removing /nix and running the Nix installer script.
- Nix 2.6.0 installed at present.

Can you suggest how to make Nix usable once more for normal users on this machine?

NobbZ · February 18, 2022, 11:35am

Root bypasses the demon IIRC. So probably it’s the demon not seeing the correct certificate?

jacg · February 18, 2022, 7:27pm

The problem appears to have been solved with

nix-channel --update; nix-env -iA nixpkgs.nix nixpkgs.cacert; systemctl daemon-reload; systemctl restart nix-daemon

srl295 · December 27, 2023, 7:07pm

just to state another cause (but where s_client would fail): Also check your system clock, that can do it!