How to install NixOS with a self signed cert?

Hello Nix community. I love the idea of NixOS! I am trying to install it for the first time, but I am having a very frustrating experience. The installation is failing because it thinks I have no internet connection due to not trusting my company’s CA. Is there a way to get the installer to trust my CA?

I found this discussion thread, which seems to be helpful. However, adding “security.pki.certificateFiles” to my “configuration.nix” file and running “nixos-rebuild switch” did not solve the problem. Furthermore, I know that the problem is due to NixOS/Calamares itself, because when I use “export SSL_CERT_FILE=/etc/nixos/mycert.pem”, then curling HTTPS sites works great.

Does anyone know what to do? I feel like I must be missing something, as this seems like a basic thing that the GUI installer should handle.

If you encountered the offline error when trying to switch, then the switch did not get applied and you still won’t have the cert trusted.

Try using

nixos-rebuild switch --option substitute false

for the first switch, that should remove any network requests from it and allow you to add the cert as trusted. If you didn’t change anything else then it should succeed.

cache.nixos.org is also on http so you can try nixos-rebuild switch --option substituters http://cache.nixos.org

You may need to run the command as a trusted user (use sudo).

The downloaded files are still checked against the public key cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=

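Pulling the answer's two pieces together, here is an added example (not from the thread) of what the relevant part of /etc/nixos/configuration.nix could look like while bootstrapping behind an intercepting proxy. It assumes the CA file lives at /etc/nixos/mycert.pem as in the question, and uses the cache's plain-http URL and public key quoted above so that substitution works before the CA is trusted, with signature checking still in place.

```nix
# Added example, not the thread's own config: trusts the corporate CA system-wide
# and lets the first rebuild fetch from the binary cache over plain http while the
# CA is not yet in the system bundle.
{ config, pkgs, ... }:

{
  # Path from the question; adjust to wherever the corporate CA is stored.
  # The file ends up in /etc/ssl/certs/ca-bundle.crt, so curl/nix/etc. trust it.
  security.pki.certificateFiles = [ /etc/nixos/mycert.pem ];

  nix.settings = {
    # Bootstrap only: the proxy cannot intercept plain http, and integrity is
    # still guaranteed by the signature check against trusted-public-keys.
    substituters = [ "http://cache.nixos.org" ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    ];
  };
}
```

Run the first switch as `sudo nixos-rebuild switch --option substitute false` so it makes no network requests at all; once it has applied and the CA is in the system bundle, the substituters line can go back to https://cache.nixos.org.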

There’s a similar bootstrapping problem using the default AWS AMIs. These are normally quite convenient because you can put a NixOS configuration in instance metadata, and the host will reconfigure and update itself on boot accordingly.

But, if they get deployed behind such an intercepting proxy, of course that doesn’t work, and even worse you can’t even build a new configuration with the certificate trust config manually, because the image needs to fetch some build tools from cache even for the first reconfiguration. (Or at least it did when I last tried, probably a year or two ago now)

I ended up solving the problem in that particular environment by building a custom AMI with the relevant parts pre-loaded, which was a bunch of faff to get started but ultimately was the right solution for all the other normal reasons you might want your own AMI anyway.

At the time, I did not even think about fetching from the cache via http, that would have been much simpler to get started. Noted for next time, thanks!