Hi everyone,
I’m trying to add a new package to nixpkgs and build it before opening a PR. I’m on macOS and have installed Nix using the Determinate Systems installer along with nix-darwin. My laptop uses an antivirus, which intercepts some HTTP requests with a custom certificate.
In the /Library/LaunchDaemons/org.nixos.nix-daemon.plist file, I noticed the following entry:
<key>NIX_SSL_CERT_FILE</key>
<string>/etc/ssl/certs/ca-certificates.crt</string>
I tried copying the appropriate certificate bundle to /etc/ssl/certs/ca-certificates.crt and restarting the nix-daemon, but it didn’t help.
Here is the problematic terminal output when I run nix build '.#cloudflare-dynamic-dns':
$ nix build '.#cloudflare-dynamic-dns'
warning: Git tree '/Users/glashevich/Workspace/code/github.com/NixOS/nixpkgs' is dirty
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
error: builder for '/nix/store/6yp7mjl23x4paxrzgxaby2nly762r0di-source.drv' failed with exit code 1;
last 10 log lines:
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the webpage mentioned above.
> error: cannot download source from any mirror
For full logs, run 'nix log /nix/store/6yp7mjl23x4paxrzgxaby2nly762r0di-source.drv'.
error: 1 dependencies of derivation '/nix/store/fi5dy6h55fnabhh3z9p5y9d1ygkfrzfy-cloudflare-dynamic-dns-4.3.0.drv' failed to build
Running nix log yields the following:
$ nix log /nix/store/6yp7mjl23x4paxrzgxaby2nly762r0di-source.drv
warning: The interpretation of store paths arguments ending in `.drv` recently changed. If this command is now failing try again with '/nix/store/6yp7mjl23x4paxrzgxaby2nly762r0di-source.drv^*'
install: skipping file '/dev/fd/63', as it was replaced while being copied
error checking the existence of https://tarballs.nixos.org/sha256/:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
trying https://github.com/zebradil/cloudflare-dynamic-dns/archive/refs/tags/4.3.0.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
error: cannot download source from any mirror
However, directly using curl from the shell works as expected when the SSL_CERT_FILE environment variable is set to the correct bundle.
$ curl https://github.com/zebradil/cloudflare-dynamic-dns/archive/refs/tags/4.3.0.tar.gz > /dev/null
Has anyone encountered a similar issue or has any ideas on how I can resolve this SSL certificate problem?
NOTE: the issue does not appear if hash is set here:
src = fetchFromGitHub {
  owner = "zebradil";
  repo = "cloudflare-dynamic-dns";
  rev = "refs/tags/${version}";
  hash = "<HERE>";
};
Also, building another package (e.g. nix build '.#myks') works as expected.
I worked around the issue by installing nix on another machine with Arch Linux and building there, but I still need to fix the root problem on the Mac.
I’m out of ideas on how to debug this further. Is there a way to pass extra arguments to the failing curl process somehow?
Thanks in advance for your help!
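
One check that fits the setup described in this post, as an added example that is not part of the original post: read NIX_SSL_CERT_FILE out of the daemon plist and test whether the bundle it names actually contains the antivirus interception root, compared by SHA-256 fingerprint. It assumes the key sits under launchd's EnvironmentVariables dict; the plist and the "certificates" below are constructed placeholders, not real certificates.

```python
import base64, hashlib, plistlib, re, ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def daemon_cert_path(plist_bytes):
    """Return NIX_SSL_CERT_FILE from a launchd plist, or None if unset.
    Assumption: the key lives under the EnvironmentVariables dict."""
    plist = plistlib.loads(plist_bytes)
    return plist.get("EnvironmentVariables", {}).get("NIX_SSL_CERT_FILE")

def fingerprints(pem_text):
    """SHA-256 fingerprints (over DER bytes) of every cert in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def bundle_has_ca(bundle_pem, ca_pem):
    """True only if every certificate in ca_pem is also in bundle_pem."""
    wanted = fingerprints(ca_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)

def _sample_pem(label):
    # Constructed stand-in: a PEM envelope around arbitrary bytes, not a real cert.
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample mirroring the plist entry quoted in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>EnvironmentVariables</key><dict>
<key>NIX_SSL_CERT_FILE</key>
<string>/etc/ssl/certs/ca-certificates.crt</string>
</dict></dict></plist>"""
PUBLIC_ROOT = _sample_pem("constructed public root")
AV_ROOT = _sample_pem("constructed antivirus interception root")

if __name__ == "__main__":
    print("daemon bundle path:", daemon_cert_path(SAMPLE_PLIST))
    print("stock bundle has AV root:", bundle_has_ca(PUBLIC_ROOT, AV_ROOT))
    print("patched bundle has AV root:",
          bundle_has_ca(PUBLIC_ROOT + AV_ROOT, AV_ROOT))
```

On a real machine, pass the bytes of the plist file and the text of the bundle it names, together with the interception root exported from the antivirus, in place of the constructed samples.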