MITM SSL issues when running behind company firewall

I’m running NixOS in WSL and am unable to update (nixos-rebuild switch) after my company changed firewall providers. All my coworkers were able to get around this by following these steps:

  1. Extract firewall cert
  2. sudo cp firewall.crt /usr/local/share/ca-certificates/
  3. sudo update-ca-certificates

It’s my understanding that the equivalent for NixOS would be adding the cert to either security.pki.certificateFiles or security.pki.certificates.

However I’m not able to do this because (seemingly) it’s not possible for me to update my config without a network connection, and I can’t connect to the network without updating my config. I’ve tried a few things to get around the cert issue.

  1. Set NIX_SSL_CERT_FILE and added ssl-cert-file to nix.conf. Had to set NIX_CONFIG to target a writable config file [1][2]
  2. Run nixos-rebuild with --option substitute false [3]
  3. Acquire openssl/update-ca-certificates via a nix shell with NIX_SSL_CERT_FILE set

None of these worked for me. I’m not sure what to try next, any help would be appreciated.

[1] Use a custom TLS/SSL CA in the nixos installer
[2] nix.conf - Nix Reference Manual
[3] Rebuild NixOS Offline - #8 by rnhmjoj

Hi, in my case (your reference [1]), I had to set NIX_SSL_CERT_FILE and copy the certificate (giving it the extension .crt) into /etc/ssl/certs/. Then I was able to run nixos-rebuild normally (without worrying about trying to make the build work offline). Perhaps you are missing that.

Let me know if it helped.

Unfortunately copying the cert into /etc/ssl/certs/ did not resolve the issue.

I was able to fix it by deploying an EC2 instance running NixOS and using the --build-host option. I’m able to make SSL connections after rebuilding with the cert added to security.pki.certificates.
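As an added example (not code from this thread, from NixOS, or from any of the posters), here are the coworkers' three steps and the NixOS-side fix discussed above written out as a POSIX shell script: extract the intercepting CA from a TLS handshake, build a temporary bundle that the current (not yet rebuilt) system can use through NIX_SSL_CERT_FILE, write the security.pki.certificateFiles module that makes the trust permanent, and run the one-time bootstrap rebuild. The host cache.nixos.org, the file names firewall.crt, firewall-ca.nix and /tmp/bundle.crt, and the assumption that the proxy includes its root CA in the chain it sends are all illustrative choices, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: the "extract cert, copy to the CA
# directory, update-ca-certificates" recipe and its NixOS equivalent, plus
# the bootstrap needed while the running system does not yet trust the CA.
# Host names, paths and file names below are assumptions for illustration.

# Dump the last certificate in the chain a server presents. Behind an
# intercepting proxy that is normally the proxy's root CA, which is the one
# to trust. If the proxy does not send its root, export it from the Windows
# certificate store instead. Needs network and openssl; not run by the test.
extract_intercepting_ca() {
  host=${1%%:*}
  openssl s_client -connect "$1" -servername "$host" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
         in_cert { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { in_cert = 0; last = buf }
         END { printf "%s", last }'
}

# Windows tends to export CAs as DER (.cer). NIX_SSL_CERT_FILE, curl and
# security.pki.* all want PEM, so convert first. Needs openssl.
to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Bundle = current system bundle + the intercepting CA. Refuses non-PEM
# input, because a silently ignored DER file is the usual reason "I added
# the cert and nothing changed". Returns non-zero on any problem.
make_bundle() {
  system_bundle=$1 firewall_crt=$2 out=$3
  if ! is_pem "$firewall_crt"; then
    echo "$firewall_crt is not PEM; convert it with: to_pem $firewall_crt firewall.crt" >&2
    return 1
  fi
  cat "$system_bundle" "$firewall_crt" > "$out"
  [ "$(pem_count "$out")" -eq $(( $(pem_count "$system_bundle") + $(pem_count "$firewall_crt") )) ]
}

# Write the NixOS module that makes the trust permanent. $2 is the path the
# certificate is read from when the configuration is evaluated.
write_nix_module() {
  cat > "$1" <<EOF
{ ... }:
{
  # Adds the intercepting CA to the bundle that /etc/ssl/certs/ca-certificates.crt
  # points at. Inline PEM via security.pki.certificates = [ "..." ] works as well.
  security.pki.certificateFiles = [ $2 ];
}
EOF
}

# One-time bootstrap: rebuild with the combined bundle handed through sudo,
# which resets the environment by default. On a multi-user install the
# nix-daemon performs the downloads and does not see this shell's variables,
# so also add Environment=NIX_SSL_CERT_FILE=<bundle> in a drop-in created
# with "systemctl edit nix-daemon" until the new generation is active.
bootstrap_rebuild() {
  bundle=$1
  sudo env NIX_SSL_CERT_FILE="$bundle" SSL_CERT_FILE="$bundle" nixos-rebuild switch
}

# Typical run (network required):
#   extract_intercepting_ca cache.nixos.org:443 > firewall.crt
#   make_bundle /etc/ssl/certs/ca-certificates.crt firewall.crt /tmp/bundle.crt
#   sudo cp firewall.crt /etc/nixos/firewall.crt
#   write_nix_module /etc/nixos/firewall-ca.nix /etc/nixos/firewall.crt  # then import it
#   bootstrap_rebuild /tmp/bundle.crt
```

Two checks worth making before concluding that the certificate approach does not work: confirm the exported file is PEM (is_pem above, or `head -1 firewall.crt` showing the BEGIN line), and confirm the variable actually reaches the process doing the fetch, which under sudo and with a running nix-daemon is not the interactive shell.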