Help adding a CA certificate with security.pki.certificateFiles

kevanslumin · February 1, 2023, 2:48pm

I’ve read through previous topics on this subject, but I’m still having problems:

In my configuration.nix file, I have added this line:

security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/mycert.pem"];

After that I run “nixos-rebuild switch”, and my understanding is that is supposed to concatenate all the certificates into /etc/ssl/certs/ca-certificates.crt according to the options description: NixOS Search

However, it does not add my certificate to that file, and using nix-env -i in a way that will need the cert fails with a certificate/SSL error.

Is there some other command I need to run to get the concatenation to happen? Do I need any other lines in configuration.nix to enable cacert or the security module?

TLATER · February 1, 2023, 3:45pm

https://stop-using-nix-env.privatevoid.net/

The final bundle is created by passing your certificate files to the cacert package, which then bundles them using buildcatrust.

I’m unsure why they don’t end up in the final result for you, or at least create an error. Are you sure /etc/ssl/certs/mycert.pem isn’t an empty file?

I’m pretty sure the ca-bundle.cert from that package is superfluous as well, since it’s just referring to the package itself.

I’d also suggest not putting that in /etc/ssl/certs. Put the file next to your nixos configuration file and simply include it with:

security.pki.certificateFiles = [
  ./mycert.pem
];

Otherwise you won’t be able to build your system reproducibly.

That said, while that’s better style, I don’t think it will fix the problem you’re looking at, unless bundling with an already bundled bundle results in unexpected behavior.

I’m a bit of a broken record, but a good 50% of newcomer issues with nix are caused by nix-env masking stuff, did you ever try to install ca certificates with nix-env?

kevanslumin · February 1, 2023, 7:09pm

Thanks, I verified it’s not an empty file, and I changed the path. That option needs a full path, not “./” so I had to use the full path, but otherwise moving the file has the same result.

I also removed ca-bundle.crt from the list but with the same result.

It’s worth nothing that nixos-rebuild switch also gives the SSL error if it needs to install a package, it’s not just nix-env.

Thanks

TLATER · February 1, 2023, 7:17pm

Hrmm, resolving a literal, non-string path with ./ should resolve the absolute path, so that should work: https://nixos.org/manual/nix/stable/language/values.html#type-path

Writing an absolute path in there will still make your configuration non-reproducible if it ever is in a different directory.

Apparently when I last needed to do this certificateFiles didn’t exist, so I used builtins.readFile here: https://github.com/TLATER/dotfiles/blob/4b8a5c480ef22d086de399d093e8578a57b5b24e/nixos-config/ct-lt-02052/default.nix#L87

Mind trying that to see if it works for you? It certainly does on my end; Perhaps there’s a bug in the cert bundler specific to the -Files variant of the option.

rnhmjoj · February 1, 2023, 7:35pm

Are you perhaps trying to add a self-signed certificate? Note that security.pki.certificateFiles expects CA, not server certificates.

If it can be of help, here’s a test that checks a custom CA in a few browsers. You can see the result that shows it’s working as expected.

kevanslumin · February 1, 2023, 11:12pm

Here is the certificate, it is a root cert:

I should be able to grep for a string from that cert in the resulting /etc/ssl/certs/ca-certificates.crt file after a nixos-rebuild switch, right?

kevanslumin · February 1, 2023, 11:29pm

Ok in wondering why I was getting an error from “./”, I realized I was putting the file paths in quotes and they aren’t meant to be in quotes. I removed the quotes and it works like a charm, thanks!

kevanslumin · February 1, 2023, 11:30pm

Thanks, I realized my error was putting the filenames in quotes, thanks!

EzekielEnns · May 8, 2024, 2:58pm

Could you explain what the difference is between security.pki.certificateFiles and security.pki.certificates ? And why server certs/self-signed ones work for the latter

rnhmjoj · May 8, 2024, 5:42pm

As far as I know both should take CA certificates to be added as roots: one option takes a list of paths to the pem file and one a list of strings.

The implementation of these options in the cacert package: the pki.certificates strings are first concatenated into a single file and then passed along with all the pki.certificateFiles to the buildcatrust --ca_bundle_input tool as arguments. So, I don’t see why one would act differently given the tool has no way of distringuishing them. Are you sure it’s really accepting a non-CA certificate?

EzekielEnns · May 8, 2024, 6:53pm

That makes this even weirder
so for reference, I was trying to do was trust the dev certs for aps.net apps im working on, here’s the comment/post

if there’s a better way to add these, please feel free to add it in the linked comment (or here), the main reason I resorted to this way, was because I can’t seem to run certutil from the nss package, In relation to these settings I wonder if maybe it’s a formatting issue between the options where the files are appended weird IDK any info would help documentation on this seems pretty sparse and most ssl stuff is dealt with by helper scripts and such so most devs so don’t actually know what they are doing (myself included)