Downloads from sourceforge blocked

Hello everyone, I’m trying to use NixOS inside WSL inside a corporate network where sourceforge downloads are blocked: sudo nixos-rebuild switch fails with error: unable to download 'https://downloads.sourceforge.net/libisl/isl-0.20.tar.xz': HTTP error 403. I also tried to build without nix cache, but there is some other package which is downloaded from there.

So my question is: is there a centralized and publicly available cache/proxy where to download artifacts from? I saw some projects use cachix for example.

By default all free software in nixpkgs should be cached on cache.nixos.org, so how you’re even hitting sourceforge at all confuses me.

Do you track a release branch, or are you on master? If you’re on master, please switch to nixos-24.05 or nixos-unstable.

1 Like

I completely forgot about nixos cache. And I better understand the problem now:
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': SSL peer certificate or SSH remote key was not OK (60); retrying in 254 ms
Apparently it’s trying to reach the cache, then when it fails tries to reach sourceforge. I thought I solved the certificate issue, but apparently not.

The only thing I changed in my configuration.nix is the certificate like so:

  security.pki.certificates = [
    ''
      -----BEGIN CERTIFICATE-----
      {certificate-content}
      -----END CERTIFICATE-----
    ''
  ];

and setting up the proxy

networking.proxy.default = "my-proxy-host";
networking.proxy.noProxy = "hosts-that-don't-require-proxy";

What am I missing?

Is the system time correct?

By running date I noticed the timezone was wrong, set the correct one by using time.timeZone = "my/timezone", but still the same behaviour when rebuilding.

What version of nix are you on?

nix --version:
nix (Nix) 2.18.4
nixos-version:
24.05.20240702.706eef5 (Uakari)

Just that I understand it correctly: you change the value in your configuration.nix (or friends) and then do a rebuild and it’s the same error and no other actions have been done, correct?

If yes: afaik, just setting the text does not have any consequences on the current running system and it will just have an effect for the build result, or better on the system once activated.

If no: please ignore the comment.

1 Like

I change the configuration.nix file and then run sudo nixos-rebuild switch. But now that I think about it, while the system is rebuilding, it’s not yet using the certificate I added in the configuration maybe.
So I should somehow “manually” activate the certificate first, then run the rebuild?

If it’s successfully switching, you can ignore what @Shawn8901 said. You’d also see the correct time zone in your system afterwards.

Right, but it fails at the build step apparently:

building Nix...
building the system configuration...
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': SSL peer certificate or SSH remote key was not OK (60); retrying in 314 ms

That was the point I tried to bring up: if the building is failing and you cannot activate the changed config, you might need to tinker around that before building (e.g. by passing additional ad hoc arguments to nix, for passing the additional certs) or changing the timezone ad hoc at runtime.
For both I sadly cannot provide ad hoc commands due to lack of a usable nix-capable device.

3 Likes

Ok I solved by doing the following:

  1. Save the certificate to a temporary .pem file (at least in my case, the certificate was in pem format).
  2. Rebuild the system by passing the certificate as env variable:
     sudo -E env SSL_CERT_FILE=./mycert.pem nixos-rebuild switch

Note that if you just do export SSL_CERT_FILE={your_cert_file} the env variable is not automatically available when running commands with sudo. It’s something easy to forget, so I hope this helps someone.

Now the system is correctly using the certificate in the configuration and is able to properly use the nix cache.

Thanks everyone for the good ideas.

2 Likes
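
The workaround from the solution above, as an added example that is not part of the original thread: a POSIX shell helper that rejects a non-PEM file, builds a one-off bundle and prints the rebuild command. It goes slightly beyond the post by appending the corporate CA to the existing bundle so that hosts listed in noProxy still validate; the function names, the output file name and the default bundle path /etc/ssl/certs/ca-certificates.crt are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Names and default paths are assumptions.

# Print how many PEM certificate blocks a file holds (0 for DER, junk, missing).
count_pem_certs() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# usage: build_bootstrap_bundle CORP_PEM OUT [BASE_BUNDLE]
# Writes BASE_BUNDLE followed by the corporate CA to OUT.
build_bootstrap_bundle() {
  local corp out base
  corp=$1; out=$2; base=${3:-/etc/ssl/certs/ca-certificates.crt}
  if [ "$(count_pem_certs "$corp")" -eq 0 ]; then
    echo "error: $corp holds no PEM certificate (is it DER?)" >&2
    return 1
  fi
  : > "$out"
  if [ -r "$base" ]; then cat "$base" >> "$out"; fi
  # Blank line between the parts so END/BEGIN markers never fuse.
  { echo; cat "$corp"; } >> "$out"
}

# Print the one-off rebuild command with an absolute bundle path.
# The variable is set by env *after* sudo, because a plain `export`
# in the calling shell is dropped when sudo resets the environment.
rebuild_cmd() {
  local dir
  dir=$(cd "$(dirname "$1")" && pwd) || return 1
  printf 'sudo -E env SSL_CERT_FILE=%s/%s nixos-rebuild switch\n' \
    "$dir" "$(basename "$1")"
}

# usage: sh bootstrap-ca.sh corp-ca.pem   (prints the command, runs nothing)
if [ $# -ge 1 ]; then
  build_bootstrap_bundle "$1" ./bootstrap-bundle.pem &&
    rebuild_cmd ./bootstrap-bundle.pem
fi
```

Once the switch succeeds, security.pki.certificates is active and the temporary bundle can be deleted.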