Nix cannot find my custom SSL certificate


I am new to nix so excuse me when I am not describing things accurately! I installed nix as a multi-user installation on Ubuntu 20.04.6 LTS. When I try to run nix develop in a directory with a flake.nix or just nix-shell -p, I get the following message:

warning: unable to download '': Problem with the SSL CA cert (path? access rights?) (77)

Nix then goes on and tries to build literally everything, which is not feasible. I have to use a custom SSL certificate (company MITM interception). I have updated the system CA certificates to include my custom certificate (update-ca-certificates) and this works:

$ curl -v
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject:
*  start date: Jul 19 08:45:27 2022 GMT
*  expire date: Aug 20 08:45:26 2023 GMT
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=FG3K4ETB20900071;
*  SSL certificate verify ok.

I have also set the environment variables $SSL_CERT_FILE and $NIX_SSL_CERT_FILE to /etc/ssl/certs/ca-certificates.crt, no luck. I have read a hint here that nix uses a seperate CA bundle in nixpkgs.cacert, but how can I edit the cacert CA file without a nix-shell?

Another issue could be that my $USER contains the domain and a backslash (I know…), while whoami for some reason prints user@domain.local. Either this difference or the backslash itself could generate issues for the CA path.

I have tried to find a solution for this problem for a while - any help appreciated!


1 Like

According to the nix manual, the SSL cert file should be read from exactly where it is (/etc/ssl/certs/ca-certificates.crt, updated by update-ca-certificates). Also, they should be overridden by $SSL_CERT_FILE and $NIX_SSL_CERT_FILE, both of which I tried. Not sure what’s going on…

I don’t really grok what’s going on, but I’ve seen a number of issues that sound ~related recently, including:

I found a possible reason (but don’t know how to fix it). I ran nix develop -vvvvv to get “vomit”-level debugging info. I found that nix still has information about a file I once set as a test (I think even during installation). Back then I set NIX_SSL_CERT_FILE to point to <my-custom-cert>.pem (very illegal I know). I did this because the installer did not find the certificate as a test and it seems to have baked into nix.

I have now re-installed nix (uninstalled according to the instructions the installer provides), but the issue did not disappear and I can still see nix’s curl trying to use that value. Where could this come from? How could I get this removed?

$ nix develop -vvvvv
curl:   Trying
download thread waiting for 100 ms
curl: Connected to ( port 443 (#0)
curl: ALPN: offers h2
curl: ALPN: offers http/1.1
curl: error setting certificate file: /usr/local/share/ca-certificates/<my-custom-cert>.pem
curl: Closing connection 0
finished download of ''; curl status = 77, HTTP status = 0, body = 0 bytes

Alright I think I finally managed. The problem was that nix ignored my custom SSL cert file, so I had to edit the nix-deamon.service configuration to include my cert file in its environment. Please see this GitHub issue, that’s where I got that from. I edited the configuration by systemctl edit nix-daemon.service and pasted the following:


For me that was the source of the problem, because in the end I wanted to use the default system one again and forgot I edited the service. The service also does not reset on re-installation, so maybe the un-install instructions need to include how to remove that service? Anyway, I reverted the configuration by systemctl revert nix-daemon.service.

I think the two posts you mentioned @abathur are MacOS-specific issues, but not sure.