Custom binary cache behind https fails with unable to download 'SSL peer certificate or SSH remote key was not OK

gador · February 13, 2023, 9:21pm

I’m trying to setup a local binary cache behind a SSL terminating nginx reverse proxy.
The certificate was signed by my root certificate and works just fine with curl.
curl -vI https://cache.my-server.lan yields SSL certificate verify ok.

The root certificate is added to my system with security.pki.certificates.

The certificate is also referenced as Environment="CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt" in nix-daemon.service

(also I don’t know how relevant/needed that is: nix-daemon: remove `CURL_CA_BUNDLE` from sevice by nrdxp · Pull Request #178350 · NixOS/nixpkgs · GitHub)

Is there some issue with nix accessing a different ca-bundle?
Or is it a configuration issue on my end?

gador · February 14, 2023, 7:48am

Update:

I noticed this issue in nixpkgs-review and didn’t think it had anything to do with it.
It turns out it did: Issue with SSL substituter and NIX_SSL_CERT_FILE · Issue #305 · Mic92/nixpkgs-review · GitHub

So nixpkgs-review explicitly sets NIX_SSL_CERT_FILE and overrides my custom root ca which will cause the SSL errors.