Install root certificate

shmu26 · February 23, 2023, 3:06pm

I want to install NixOS on a computer that accesses the internet through a proxy that needs a root certificate.
Below is the instructions how to acquire and install this certificate on other versions of Linux.
How can I do this on an out-of-the-box installation of NixOS?
The catch is that the system will not be able to update or download packages until the certificate is already installed. But I can install the certificate manually in Firefox, and download packages that way, if necessary.

http://wiki.netfree.link/wiki/Installation_of_certificate_in_Linux_operating_system

This script is active in Linux distributions based on Debian, CentOS, Alpine and ArchLinux.

Open the command line,run the following command:

curl -sL https://netfree.link/dl/unix-ca.sh | sudo sh

Or

curl -sL https://netfree.link/dl/unix-ca.sh | sh

Sometimes the command will fail due to the fact that curl isn’t installed, and it will give a message: Command 'curl' not found

To fix this, enter the command:

sudo sh -c “(apt update && apt install -y curl) || yum install -y curl || apk add curl”

Then re-run the previous command.

It is recommended that you restart the computer after this.

In order to install the certificate you need root permission.

To use Firefox you must install the security certificate separately. You can also install a certificate for Chrome individually.

NobbZ · February 23, 2023, 3:50pm

Get the cert manually and add it to security.pki.certificates should do, unless I understand the problem statement wrong.

nixinator · February 23, 2023, 5:27pm

So you want to Man in the middle your own network. Interesting. Burp is it?

shmu26 · February 23, 2023, 5:53pm

It is actually a content-filtering service. All your incoming internet traffic goes through them before it gets to you.

nixinator · February 23, 2023, 7:14pm

Oh sounds interesting , what is this system?

shmu26 · February 23, 2023, 7:31pm

Not sure it will be super interesting to you…
Netfree
https://netfree.link/
is a paid service for people who are not fond of seeing obscenity or hate or other bad stuff when they are browsing the internet. It is sort of like parental control, but for adults.
As you mentioned, this service in the middle of your internet traffic, so you need to trust them implicitly, but it works pretty well.

shmu26 · March 22, 2023, 8:45am

Okay, where do I find security.pki.certificates on my system? Is this a separate config file somewhere, or a section of a more general config file? Maybe it is a section I need to create in nix.config?

NobbZ · March 22, 2023, 8:49am

It is an option for the systems configuration as any other else.

uep · March 22, 2023, 9:08am

e.g.

  security.pki.certificates = [
    ''
      -----BEGIN CERTIFICATE-----
      MIIFCTCCAvGgAwIBAgIQZr … 
      …g3odD/oqxGnEFJwbaEnnNm5cafOTWeOLfbLEkq/TZC4oggetUAeTT
      -----END CERTIFICATE-----
    ''
  ];

shmu26 · March 22, 2023, 3:46pm

That text snippet goes into my nix.config?
If so, where to put it? At the end, before the final }?

shmu26 · March 22, 2023, 6:37pm

Interesting that you put a semicolon after the closing bracket. Maybe that was my mistake, I omitted the semicolon.

For some reason, the official documentation also omits the semicolon:
https://search.nixos.org/options?channel=22.11&show=security.pki.certificates&from=0&size=50&sort=relevance&type=packages&query=certificates