I’ve been trying to troubleshoot a puzzling, apparently VPN-related issue for a friend, and I wonder if I could get some help or suggestions for further steps.
The scenario is that a particular derivation (some vendored dependencies produced by `fetchCargoTarball`) won’t build behind a corporate VPN. It’s fine when the VPN is down. It also works on my machine, behind the same VPN, though we may have different VPN configurations. The error is:
> Running phase: buildPhase
> Updating crates.io index
> error: failed to sync
>
> Caused by:
> failed to load pkg lockfile
>
> Caused by:
> failed to get `proc-macro-error` as a dependency of package `kani_macros v0.55.0 (/build/source/library/kani_macros)`
>
> Caused by:
> download of config.json failed
>
> Caused by:
> failed to download from `https://index.crates.io/config.json`
>
> Caused by:
> [60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
This suggests that it’s some kind of version of this issue: `fetchCargoTarball` fails with MITM proxy · Issue #304483 · NixOS/nixpkgs · GitHub
But the odd thing is that although `nix build THATPACKAGE` fails, `nix develop THATPACKAGE` followed by `genericBuild` succeeds. So that makes me wonder if it’s not exactly the same as the reported issue - since it seems like a build that sets `CARGO_HTTP_CAINFO` can in fact work behind the VPN.
Any ideas what I can do to debug further? Trying to get some nix adoption at my organization, and it’s not a good look if my friend’s first attempt at a build system that’s supposed to fix “works on my machine” build issues doesn’t work on his machine, and fails in an inscrutable way that I can’t fix.
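
One way to compare the two environments described in the post, as an added example that is not part of the original post: the script reports which CA bundle each TLS-related variable points at and whether a given CA certificate is in that bundle. `CARGO_HTTP_CAINFO` comes from the post; the other three variable names are the ones read by OpenSSL, Nix and curl, and the certificate path passed as the argument (a PEM export of the corporate root) is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): for each CA-bundle variable, show the
# file it points at, how many certificates it holds, and whether one given CA
# certificate is among them.

# Print the base64 body of every certificate in PEM file $1, one per line.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
       inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Succeed if the first certificate in PEM file $2 also appears in bundle $1.
bundle_has_cert() {
  bhc_want=$(pem_bodies "$2" | head -n 1)
  [ -n "$bhc_want" ] && pem_bodies "$1" | grep -qxF -- "$bhc_want"
}

# One line per variable. $1 is the CA certificate to look for (assumed to be a
# PEM export of the root that signs traffic on the VPN).
ca_report() {
  for cr_var in CARGO_HTTP_CAINFO SSL_CERT_FILE NIX_SSL_CERT_FILE CURL_CA_BUNDLE; do
    eval "cr_path=\${$cr_var:-}"
    if [ -z "$cr_path" ]; then
      echo "$cr_var unset"
    elif [ ! -r "$cr_path" ]; then
      echo "$cr_var $cr_path unreadable"
    else
      cr_n=$(pem_bodies "$cr_path" | wc -l | tr -d ' ')
      if bundle_has_cert "$cr_path" "$1"; then cr_ca=present; else cr_ca=MISSING; fi
      echo "$cr_var $cr_path certs=$cr_n ca=$cr_ca"
    fi
  done
}

# Usage: sh ca-report.sh /path/to/corporate-root.pem   (file name is hypothetical)
if [ "$#" -gt 0 ]; then ca_report "$1"; fi
```

Running it inside the `nix develop` shell shows which bundle the succeeding `genericBuild` picks up and whether the corporate root is in it.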