Nix cannot find my custom SSL certificate

Hi!

I am new to nix, so excuse me if I am not describing things accurately! I installed nix as a multi-user installation on Ubuntu 20.04.6 LTS. When I try to run nix develop in a directory with a flake.nix, or just nix-shell -p, I get the following message:

warning: unable to download 'https://cache.nixos.org/nix-cache-info': Problem with the SSL CA cert (path? access rights?) (77)

Nix then goes on and tries to build literally everything, which is not feasible. I have to use a custom SSL certificate (company MITM interception). I have updated the system CA certificates to include my custom certificate (update-ca-certificates) and this works:

$ curl -v  https://cache.nixos.org/nix-cache-info
*   Trying 151.101.66.217:443...
* TCP_NODELAY set
* Connected to cache.nixos.org (151.101.66.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=cache.nixos.org
*  start date: Jul 19 08:45:27 2022 GMT
*  expire date: Aug 20 08:45:26 2023 GMT
*  subjectAltName: host "cache.nixos.org" matched cert's "cache.nixos.org"
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=FG3K4ETB20900071; emailAddress=support@fortinet.com
*  SSL certificate verify ok.
...

I have also set the environment variables $SSL_CERT_FILE and $NIX_SSL_CERT_FILE to /etc/ssl/certs/ca-certificates.crt, no luck. I have read a hint here that nix uses a separate CA bundle in nixpkgs.cacert, but how can I edit the cacert CA file without a nix-shell?

Another issue could be that my $USER contains the domain and a backslash (I know…), while whoami for some reason prints user@domain.local. Either this difference or the backslash itself could generate issues for the CA path.

I have tried to find a solution for this problem for a while - any help appreciated!

Thanks!


According to the nix manual, the SSL cert file should be read from exactly where it is (/etc/ssl/certs/ca-certificates.crt, updated by update-ca-certificates). Also, they should be overridden by $SSL_CERT_FILE and $NIX_SSL_CERT_FILE, both of which I tried. Not sure what’s going on…

I don’t really grok what’s going on, but I’ve seen a number of issues that sound ~related recently, including:

I found a possible reason (but don’t know how to fix it). I ran nix develop -vvvvv to get “vomit”-level debugging info. I found that nix still has information about a file I once set as a test (I think even during installation). Back then I set NIX_SSL_CERT_FILE to point to <my-custom-cert>.pem (very illegal, I know). I did this because the installer did not find the certificate, as a test, and it seems to have been baked into nix.

I have now re-installed nix (uninstalled according to the instructions the installer provides), but the issue did not disappear and I can still see nix’s curl trying to use that value. Where could this come from? How could I get this removed?

$ nix develop -vvvvv
...
curl:   Trying 151.101.2.217:443...
download thread waiting for 100 ms
curl: Connected to cache.nixos.org (151.101.2.217) port 443 (#0)
curl: ALPN: offers h2
curl: ALPN: offers http/1.1
curl: error setting certificate file: /usr/local/share/ca-certificates/<my-custom-cert>.pem
curl: Closing connection 0
finished download of 'https://cache.nixos.org/a169pn3ya9qhslncqiygzq7nfmljph0y.narinfo'; curl status = 77, HTTP status = 0, body = 0 bytes

Alright, I think I finally managed. The problem was that nix ignored my custom SSL cert file, so I had to edit the nix-daemon.service configuration to include my cert file in its environment. Please see this GitHub issue, that’s where I got that from. I edited the configuration by systemctl edit nix-daemon.service and pasted the following:

[Service]
Environment="NIX_SSL_CERT_FILE=/path/to/my/custom-cert-file.crt"

For me that was the source of the problem, because in the end I wanted to use the default system one again and forgot I had edited the service. The service also does not reset on re-installation, so maybe the uninstall instructions need to include how to remove that service? Anyway, I reverted the configuration by systemctl revert nix-daemon.service.

I think the two posts you mentioned @abathur are macOS-specific issues, but not sure.

Thanks!

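A small diagnostic for the situation above, added here as an example and not taken from the thread or from the Nix project: in a multi-user install the daemon does the downloading, so a NIX_SSL_CERT_FILE pinned by `systemctl edit nix-daemon.service` (kept as a drop-in under systemd's default directory, which this script assumes) wins over anything exported in the user's shell and survives a reinstall. The script finds such a pinned value, works out which bundle the daemon ends up with, and checks that the bundle is readable and actually contains PEM certificates, the two conditions behind curl's exit code 77.

```shell
#!/bin/sh
# Added example (not from the thread): which CA bundle does nix-daemon really use?
# The drop-in directory is systemd's default for `systemctl edit`; assumed here.
NIX_DAEMON_DROPIN_DIR="${NIX_DAEMON_DROPIN_DIR:-/etc/systemd/system/nix-daemon.service.d}"

# Print the NIX_SSL_CERT_FILE value from any drop-in in the given directory
# (last one wins, as systemd applies them); prints nothing if none is set.
dropin_cert_file() {
    dropin_dir="${1:-$NIX_DAEMON_DROPIN_DIR}"
    [ -d "$dropin_dir" ] || return 0
    grep -hs '^Environment=.*NIX_SSL_CERT_FILE=' "$dropin_dir"/*.conf \
        | sed -E 's/^Environment="?NIX_SSL_CERT_FILE=([^" ]*)"?.*/\1/' | tail -n 1
}

# The bundle the daemon will use: the drop-in first, then NIX_SSL_CERT_FILE,
# then SSL_CERT_FILE, else the Debian/Ubuntu system bundle named in the thread.
effective_bundle() {
    bundle=$(dropin_cert_file "$1")
    if [ -z "$bundle" ]; then
        bundle="${NIX_SSL_CERT_FILE:-${SSL_CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}}"
    fi
    printf '%s\n' "$bundle"
}

# Return 77 (curl's "Problem with the SSL CA cert") unless the bundle is readable
# and holds at least one PEM certificate; otherwise report how many it holds.
check_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 77; }
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "${ncerts:-0}" -gt 0 ] || { echo "no PEM certificates in $bundle" >&2; return 77; }
    echo "$bundle: $ncerts certificate(s)"
}

# To diagnose a live system, run:  check_bundle "$(effective_bundle)"
```

If `check_bundle` reports a stale path from a drop-in you no longer want, `systemctl revert nix-daemon.service` removes that drop-in, as the post above describes.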

I think what you would have needed was this in your configuration.nix:
# NixOS option; paste the PEM body of your CA between the markers
security.pki.certificates = [ ''
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
'' ];

Here with the same issue. I have the certificate in the option mentioned here, and cache.nixos.org loads properly in Firefox signed by my organization, but I still get this when trying to run nix:

warning: error: unable to download 'https://cache.nixos.org/4lx7f6476dx1nz3ryfd055w14vck04nv.narinfo': SSL connect error (35); retrying in 269 ms
warning: error: unable to download 'https://cache.nixos.org/4lx7f6476dx1nz3ryfd055w14vck04nv.narinfo': SSL connect error (35); retrying in 551 ms
warning: error: unable to download 'https://cache.nixos.org/4lx7f6476dx1nz3ryfd055w14vck04nv.narinfo': SSL connect error (35); retrying in 1411 ms
warning: error: unable to download 'https://cache.nixos.org/4lx7f6476dx1nz3ryfd055w14vck04nv.narinfo': SSL connect error (35); retrying in 2624 ms
error: unable to download 'https://cache.nixos.org/4lx7f6476dx1nz3ryfd055w14vck04nv.narinfo': SSL connect error (35)