Help adding a CA certificate with security.pki.certificateFiles

I’ve read through previous topics on this subject, but I’m still having problems:

In my configuration.nix file, I have added this line:

security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/mycert.pem"];

After that I run “nixos-rebuild switch”, and my understanding is that it is supposed to concatenate all the certificates into /etc/ssl/certs/ca-certificates.crt according to the option’s description: NixOS Search

However, it does not add my certificate to that file, and using nix-env -i in a way that will need the cert fails with a certificate/SSL error.

Is there some other command I need to run to get the concatenation to happen? Do I need any other lines in configuration.nix to enable cacert or the security module?

https://stop-using-nix-env.privatevoid.net/


The final bundle is created by passing your certificate files to the cacert package, which then bundles them using buildcatrust.

I’m unsure why they don’t end up in the final result for you, or at least create an error. Are you sure /etc/ssl/certs/mycert.pem isn’t an empty file?

I’m pretty sure the ca-bundle.cert from that package is superfluous as well, since it’s just referring to the package itself.

I’d also suggest not putting that in /etc/ssl/certs. Put the file next to your nixos configuration file and simply include it with:

security.pki.certificateFiles = [
  ./mycert.pem
];

Otherwise you won’t be able to build your system reproducibly.

That said, while that’s better style, I don’t think it will fix the problem you’re looking at, unless bundling with an already bundled bundle results in unexpected behavior.

I’m a bit of a broken record, but a good 50% of newcomer issues with nix are caused by nix-env masking stuff. Did you ever try to install ca certificates with nix-env?


Thanks, I verified it’s not an empty file, and I changed the path. That option needs a full path, not “./”, so I had to use the full path; but otherwise moving the file has the same result.

I also removed ca-bundle.crt from the list but with the same result.

It’s worth noting that nixos-rebuild switch also gives the SSL error if it needs to install a package; it’s not just nix-env.

Thanks

Hrmm, resolving a literal, non-string path with ./ should resolve the absolute path, so that should work: https://nixos.org/manual/nix/stable/language/values.html#type-path

Writing an absolute path in there will still make your configuration non-reproducible if it ever is in a different directory.

Apparently when I last needed to do this certificateFiles didn’t exist, so I used builtins.readFile here: https://github.com/TLATER/dotfiles/blob/4b8a5c480ef22d086de399d093e8578a57b5b24e/nixos-config/ct-lt-02052/default.nix#L87

Mind trying that to see if it works for you? It certainly does on my end; perhaps there’s a bug in the cert bundler specific to the -Files variant of the option.

Are you perhaps trying to add a self-signed certificate? Note that security.pki.certificateFiles expects CA, not server certificates.

If it can be of help, here’s a test that checks a custom CA in a few browsers. You can see the result that shows it’s working as expected.


Here is the certificate, it is a root cert:

-----BEGIN CERTIFICATE-----
[certificate body not included in the page]
-----END CERTIFICATE-----

I should be able to grep for a string from that cert in the resulting /etc/ssl/certs/ca-certificates.crt file after a nixos-rebuild switch, right?

Ok, in wondering why I was getting an error from “./”, I realized I was putting the file paths in quotes, and they aren’t meant to be in quotes. I removed the quotes and it works like a charm, thanks!

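Two points in the thread lend themselves to a worked check: the description of how the bundle is produced (certificate files are concatenated and de-duplicated into one ca-certificates.crt), and the question of whether you can simply grep the resulting bundle for a line from your certificate. The script below is an added example, not code from the thread, from NixOS, or from the cacert/buildcatrust tooling. It parses PEM bundles, builds a de-duplicated bundle from several inputs (a simplified stand-in for what the bundler does), and checks membership by SHA-256 of the DER bytes rather than by text, because a bundler may re-wrap base64 lines and a plain grep for one line from your .pem can then miss a certificate that is actually present. It also returns False for an empty certificate file, the failure mode raised earlier in the thread. The certificate bodies are constructed placeholder bytes, not real X.509 data; `SYSTEM_BUNDLE`, `MY_CA_PEM` and the function names are assumptions of this example.

```python
"""Added example: build a CA bundle from PEM inputs and verify a CA is in it.

Simplified stand-in for the concatenate-and-deduplicate step, not the real
buildcatrust. Membership is decided on the SHA-256 of the DER bytes, so line
wrapping or text between PEM blocks does not affect the result.
"""
from __future__ import annotations

import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block found in `text`."""
    ders = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())  # drop newlines/whitespace inside the block
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of one certificate's DER bytes (hex)."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes, width: int = 64) -> str:
    """Encode DER bytes as a PEM block, wrapping base64 at `width` columns."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def build_bundle(pem_texts: list[str]) -> str:
    """Concatenate all certs from the inputs, dropping duplicates by fingerprint."""
    seen: set[str] = set()
    out = []
    for text in pem_texts:
        for der in parse_pem_bundle(text):
            fp = fingerprint(der)
            if fp in seen:
                continue
            seen.add(fp)
            out.append(to_pem(der))  # bundler re-wraps at 64 columns
    return "".join(out)


def bundle_contains(bundle_text: str, cert_pem: str) -> bool:
    """True if every certificate in `cert_pem` is present in `bundle_text`.

    An empty or certificate-free `cert_pem` yields False, so an empty .pem
    file (one cause asked about in the thread) is reported as missing.
    """
    have = {fingerprint(d) for d in parse_pem_bundle(bundle_text)}
    want = [fingerprint(d) for d in parse_pem_bundle(cert_pem)]
    return bool(want) and all(fp in have for fp in want)


def line_grep(bundle_text: str, cert_pem: str) -> bool:
    """Mimic `grep` for the first base64 line of `cert_pem` in the bundle."""
    lines = [ln for ln in cert_pem.splitlines() if ln and not ln.startswith("-----")]
    return bool(lines) and lines[0] in bundle_text


def check_files(bundle_path: str, cert_path: str) -> bool:
    """File-based variant for real use, e.g. on a NixOS host:
    check_files("/etc/ssl/certs/ca-certificates.crt", "/path/to/mycert.pem")."""
    with open(bundle_path, encoding="utf-8") as bundle, open(cert_path, encoding="utf-8") as cert:
        return bundle_contains(bundle.read(), cert.read())


# Constructed sample data (placeholder bytes, not real certificates).
SYSTEM_BUNDLE = (
    to_pem(b"constructed-public-root-CA-number-one-placeholder-DER-bytes-0001")
    + to_pem(b"constructed-public-root-CA-number-two-placeholder-DER-bytes-0002")
)
# The custom CA as it might sit in mycert.pem: base64 on a single long line.
MY_CA_PEM = to_pem(b"constructed-custom-root-CA-placeholder-DER-bytes-not-real-0003", width=1000)


def main() -> None:
    bundle = build_bundle([SYSTEM_BUNDLE, MY_CA_PEM, MY_CA_PEM])
    print("certs in bundle:", len(parse_pem_bundle(bundle)))     # 3 (duplicate dropped)
    print("custom CA present:", bundle_contains(bundle, MY_CA_PEM))  # True
    print("naive grep finds it:", line_grep(bundle, MY_CA_PEM))      # False (re-wrapped)
    print("present before adding:", bundle_contains(SYSTEM_BUNDLE, MY_CA_PEM))  # False


if __name__ == "__main__":
    main()
```

On a real host, `check_files("/etc/ssl/certs/ca-certificates.crt", "/path/to/mycert.pem")` gives a yes/no answer that does not depend on how the bundler wrapped the lines; if it returns False for a non-empty file, the configuration did not pick the file up at all (as with the quoted-path mistake found later in the thread), rather than the certificate being present in a different textual form.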

Thanks, I realized my error was putting the filenames in quotes, thanks!
