I think I’m having some issues with curl on NixOS behind a corporate proxy. `curl` in my shell works fine, but fetching things through Nix during a build doesn’t. For example, `nix-build`-ing a package that simply uses `fetchzip` to pull https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz results in the error below, even though `curl https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz` succeeds in my shell.
```
> nix-build
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
/nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv
building '/nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv'...
error checking the existence of https://tarballs.nixos.org/sha256/:
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
trying https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: cannot download source from any mirror
error: boost::bad_format_string: format-string is ill-formed
```
Why does `nix-build` act differently, how do I configure it correctly, and also where is this documented?

The same issue does not appear without a proxy. Details on my setup:
- I have a bunch of our company-internal SSL certificates stored in my `configuration.nix` in `security.pki.certificates`.
- I am running `cntlm` on `localhost:3128`, which successfully connects to our company proxy
- I set `networking.proxy.default` and `networking.proxy.noProxy` accordingly in my `configuration.nix`, and other apps - such as Firefox - are working fine