I am new to nix so excuse me if I am not describing things accurately! I installed nix as a multi-user installation on Ubuntu 20.04.6 LTS. When I try to run `nix develop` in a directory with a `flake.nix` or just `nix-shell -p`, I get the following message:
```
warning: unable to download 'https://cache.nixos.org/nix-cache-info': Problem with the SSL CA cert (path? access rights?) (77)
```
Nix then goes on and tries to build literally everything, which is not feasible. I have to use a custom SSL certificate (company MITM interception). I have updated the system CA certificates to include my custom certificate (`update-ca-certificates`) and this works:
```
$ curl -v https://cache.nixos.org/nix-cache-info
* Trying 22.214.171.124:443...
* TCP_NODELAY set
* Connected to cache.nixos.org (126.96.36.199) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=cache.nixos.org
*  start date: Jul 19 08:45:27 2022 GMT
*  expire date: Aug 20 08:45:26 2023 GMT
*  subjectAltName: host "cache.nixos.org" matched cert's "cache.nixos.org"
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=FG3K4ETB20900071; emailAddressfirstname.lastname@example.org
*  SSL certificate verify ok.
...
```
I have also set the environment variables `/etc/ssl/certs/ca-certificates.crt`, no luck. I have read a hint here that nix uses a separate CA bundle in `nixpkgs.cacert`, but how can I edit the cacert CA file without a
Another issue could be that my `$USER` contains the domain and a backslash (I know…), while `whoami` for some reason prints `email@example.com`. Either this difference or the backslash itself could generate issues for the CA path.
I have tried to find a solution for this problem for a while - any help appreciated!