Certificate validation broken in all electron/chromium apps and browsers

Hi,

I run into an ERR_CERT_AUTHORITY_INVALID error with all Electron-based applications.
I tried slack, element-desktop and vscode.

environment: I use nix on Fedora 35
steps: nix-shell -p slack element-desktop vscode openssl cacert nss
error: all applications deny network access due to ERR_CERT_AUTHORITY_INVALID

EDIT:

I tried nix-shell -p chromium, and with this chromium browser I also get NET::ERR_CERT_AUTHORITY_INVALID for every website.

At least Chromium uses its own certificate database which is stored in ~/.pki. Maybe try deleting this folder.

OK, I tried removing ~/.pki and rerunning chromium, which results in the same error. I also tried google-chrome, which gives the same error. certutil shows that the nssdb is empty after deleting it and rerunning chrome/chromium/firefox:

eddy:~$ nix-shell -p nssTools

[nix-shell:~]$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI


[nix-shell:~]$

every browser installed with nix-shell also doesn’t work.

EDIT1: added certutil output
EDIT2: added firefox

Which channel? Are you running NixOS or Nix on another distribution?


nix on Fedora 35. I did not change any of the default settings except to add
{ allowUnfree = true; } to ~/.config/nixpkgs/config.nix

What’s the output of nix-channel --list?

I have an idea about what your issue could be: since NixOS 21.05 (IIRC) nss has been patched to use the system trust store instead of a hardcoded set of CA roots (the cacert package). On NixOS (and Debian, Arch, Gentoo, etc.) the trust store is /etc/ssl/certs/ca-certificates.crt, but Fedora uses /etc/pki/tls/certs/ca-bundle.crt and nss has only been configured for the former location.

If I’m correct, making a symlink like

ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

should fix the errors.

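As an added example (not from the thread or from nixpkgs), the following POSIX shell snippet checks which of the two bundle locations named above actually exists, whether the path nss was patched to read is present, and how many certificates a bundle contains, so the "empty trust store" symptom can be confirmed before and after the symlink fix. The candidate paths are the two from the thread; the function names are my own.

```sh
#!/bin/sh
# Added example: locate the system CA bundle and check whether the path that
# the patched nss reads (per the thread, /etc/ssl/certs/ca-certificates.crt)
# is present. An optional first argument is a root directory prefix so the
# checks can be run against a staged tree instead of the real filesystem.

# The Debian/Arch/NixOS path and the Fedora/RHEL path mentioned in the thread.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt"

# Path nss has been configured to read (from the thread).
NSS_BUNDLE_PATH="/etc/ssl/certs/ca-certificates.crt"

# find_ca_bundle [root]: print the first candidate that exists and is readable
# under $root; return 1 when none of them is found.
find_ca_bundle() {
    root="${1:-}"
    for p in $CA_CANDIDATES; do
        if [ -r "$root$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# nss_can_see_bundle [root]: succeed only if the nss-visible path is readable.
nss_can_see_bundle() {
    [ -r "${1:-}$NSS_BUNDLE_PATH" ]
}

# count_certs file: number of PEM certificates in a bundle (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Stand-alone run: report the state of the real filesystem.
if bundle=$(find_ca_bundle); then
    echo "system CA bundle: $bundle ($(count_certs "$bundle") certificates)"
else
    echo "no CA bundle found at any known location"
fi
if nss_can_see_bundle; then
    echo "nss-visible path present: $NSS_BUNDLE_PATH"
else
    echo "nss-visible path missing: $NSS_BUNDLE_PATH (Fedora/RHEL symlink fix applies)"
fi
```

On a Fedora host before the fix the script reports the /etc/pki bundle but a missing nss-visible path; after the symlink both lines report success.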

Ohh yes, this fixed it. Thank you very much!

Great! I’ll open a pull request to add the Fedora location as well.


I don’t know exactly, but RHEL might have the same issue?

Do you know if the path is the same as on Fedora or a different one?

I just checked RHEL 8.4, and it is the same as Fedora 35.


I finally have a fix for this ready.

There’s one last thing I need to ask you: does the validation work in curl?
I think it should be affected by this too, but maybe (hopefully) I’m missing something.