Nix-build curl issues behind proxy

nutrx · May 24, 2024, 10:57am

I think I’m having some issues with curl on NixOS behind a corporate proxy. curl on my shell works fine, but fetching things through Nix during a build doesn’t. For example, nix-build-ing a package that simply uses fetchzip to pull https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz results in the error below, even though curl https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz succeeds my shell.

> nix-build
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
  /nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv
building '/nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv'...
error checking the existence of https://tarballs.nixos.org/sha256/:
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

trying https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: cannot download source from any mirror
error: boost::bad_format_string: format-string is ill-formed

Why does nix-build act differently, how do I configure it correctly, and also where is this documented?

The same issue does not appear without a proxy. Details on my setup:

I have a bunch of our company-internal SSL certificates stored in my configuration.nix in security.pki.certificates.
I am running cntlm on localhost:3128 which successfully connects to our company proxy
I set networking.proxy.default and networking.proxy.noProxy accordingly in my configuration.nix, and other apps - such as Firefox - are working fine

nutrx · May 24, 2024, 2:26pm

Turns out, SSL certificate handling by Nix fetchers is a big mess. While I can perfectly do this:

> nix-shell --pure -p curl
[nix-shell]$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
[nix-shell]$ curl -I https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz

there is no obvious way of achieving the same when using fetchers such as fetchzip. A (bad) workaround is passing curlOpts = "--insecure" to fetchzip or fetchurl see code.

An alternative is to use fetchTarball which doesn’t seem to care about SSL verification, so that works (but of course I only control the fetchers in my own Nix code).

raboof · May 24, 2024, 2:49pm

I haven’t checked, but possibly NIX_SSL_CERT_FILE could work

(I think the reasoning here is that you’d pass a sha256 to fetchTarball, so even if the certificate can’t be verified you can be sure the artifact was intact because its hash is checked)

nutrx · May 24, 2024, 3:36pm

You also pass sha256 to fetchzip or fetchurl, it’s curl that by default cares about SSL verification. Regarding NIX_SSL_CERT_FILE, as I understand it this would have to be part of the nix-daemon service’s Environment in order to be visible by builds created from it. I can confirm it doesn’t work either, same outcome as before.

nutrx · May 28, 2024, 8:36am

github.com/NixOS/nix

SSL certificate path does not propagate to builds during `nix-build`

opened 12:18PM - 27 May 24 UTC

leon-thomm

bug

**Describe the bug** Fetchers such as `fetchzip` rely on `curl` which by defa…ult will try to verify SSL certificates. When running behind an intercepting proxy, `curl` must either be run with `--insecure`, or it must be given a certificate bundle containing the self-signed certificate, e.g. through the `CURL_CA_BUNDLE` environment variable. It seems this information does not propagate to the build process through the nix daemon. The [documentation](https://nix.dev/manual/nix/2.18/command-ref/conf-file#conf-ssl-cert-file) suggests the path to the SSL certificate bundle should propagate properly when setting `NIX_SSL_CERT_FILE`. I accordingly adjusted `environment.variables`. Indeed, `systemctl show nix-daemon | grep Environment` now shows correct entries for `NIX_SSL_CERT_FILE` and even `CURL_CA_BUNDLE`, but the build fails as described below. **Steps To Reproduce** 1. Run behind an intercepting corporate proxy, and add self-signed certificates to `security.pki.certificates` 2. Run cntlm ```nix users.users.cntlm.group = "cntlm"; users.users.cntlm.isSystemUser = true; users.groups.cntlm = {}; services.cntlm = { enable = true; configText = <-- snip config and credentials -->; }; networking.proxy.default = "http://127.0.0.1:3128/"; networking.proxy.noProxy = "127.0.0.*,localhost,<-- snip internal sites -->"; ``` 3. Verify that your proxy works, and curl succeeds if and only if `CURL_CA_BUNDLE` is set properly ```bash > nix-shell --pure -p curl [nix-shell:~/projects/nix-pkg-test]$ curl -I https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz HTTP/1.1 200 Connection established Proxy-agent: netentsec Connection: close curl: (77) error setting certificate file: /no-cert-file.crt [nix-shell:~/projects/nix-pkg-test]$ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt curl -I https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz HTTP/1.1 200 Connection established Proxy-agent: netentsec Connection: close HTTP/1.1 200 OK Date: Mon, 27 May 2024 11:59:24 GMT Server: Apache/2.4.29 (Trisquel_GNU/Linux) Strict-Transport-Security: max-age=63072000 Last-Modified: Sun, 29 May 2022 23:05:08 GMT ETag: "fc451-5e02e9229e6eb" Accept-Ranges: bytes Content-Length: 1033297 Content-Security-Policy: default-src 'self'; img-src 'self' https://static.fsf.org https://static.gnu.org https://gnu.org http://static.fsf.org http://static.gnu.org http://gnu.org http://gnu.org; object-src 'none'; frame-ancestors 'none'; child-src 'self' https://static.gnu.org http://static.fsf.org http://static.gnu.org http://gnu.org; X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: application/x-gzip ``` 5. Build a basic package using `fetchzip`, `fetchFromGitHub`, or similar (no `fetchTarball`) ```nix let pkgs = import <nixpkgs> {}; in { myhello = pkgs.stdenv.mkDerivation { pname = "hello"; version = "0.5"; src = pkgs.fetchzip { url = "https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz"; sha256 = ""; }; }; } ``` 6. See error ``` > nix-build -A myhello warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' these 2 derivations will be built: /nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv /nix/store/mj82j0ljhn3ibs0lyqzy571igq881yia-hello-0.5.drv building '/nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv'... error checking the existence of https://tarballs.nixos.org/sha256/: curl: (60) SSL certificate problem: self-signed certificate in certificate chain More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. trying https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (60) SSL certificate problem: self-signed certificate in certificate chain More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. error: cannot download source from any mirror error: builder for '/nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv' failed with exit code 1; last 10 log lines: > % Total % Received % Xferd Average Speed Time Time Time Current > Dload Upload Total Spent Left Speed > 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 > curl: (60) SSL certificate problem: self-signed certificate in certificate chain > More details here: https://curl.se/docs/sslcerts.html > > curl failed to verify the legitimacy of the server and therefore could not > establish a secure connection to it. To learn more about this situation and > how to fix it, please visit the web page mentioned above. > error: cannot download source from any mirror For full logs, run 'nix log /nix/store/8n9l4kbrbjgn8b6f1j0aksi180zyfbgk-source.drv'. error: 1 dependencies of derivation '/nix/store/mj82j0ljhn3ibs0lyqzy571igq881yia-hello-0.5.drv' failed to build ``` **Expected behavior** Succeeding build. **`nix-env --version` output** ``` nix-env (Nix) 2.18.1 ``` **Additional context** The fact that the fetchers don't consider system certificates IMO is a bug in itself. [They wrongly use](https://github.com/NixOS/nixpkgs/blob/0690ca343a0250e89aeaac0af392a5f468a4695c/pkgs/build-support/fetchurl/default.nix#L168) `${cacert}/etc/ssl/certs/ca-bundle.crt` which gives rise to this issue in the first place ([explanation](https://github.com/NixOS/nixpkgs/issues/8247#issuecomment-253755606)). Nevertheless, `NIX_SSL_CERT_FILE` should still override it. **Priorities** Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).