Nix official Docker image with custom SSL certificate?

Hello everyone,

I’m trying to use the nixos/nix official Docker image within a GitLab CI pipeline to build a Nix project. The source code for this project is hosted on our private, internally-managed GitLab instance, which uses custom SSL certificates.

The issue I’m facing is that Nix fails to fetch the source from our GitLab instance due to an SSL certificate verification error.

My approach has been to create a new certificate bundle within the before_script section of my .gitlab-ci.yml. The script appends our custom CA certificate to the existing certificate bundle provided by the image and then updates the relevant environment variables (NIX_SSL_CERT_FILE, SSL_CERT_FILE, and GIT_SSL_CAINFO) to point to this new file.

Here is the relevant snippet from my .gitlab-ci.yml:

image: nixos/nix:2.29.0

default:
  before_script:
    - echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
    - echo "access-tokens = github.com=${GITHUB_TOKEN} corporate-gitlab-url=${CORP_GITLAB_TOKEN}" >> /etc/nix/nix.conf

    - NEW_CERT_BUNDLE_PATH=$(mktemp)
    - cat "$NIX_SSL_CERT_FILE" > "$NEW_CERT_BUNDLE_PATH"
    - echo "" >> "$NEW_CERT_BUNDLE_PATH"
    - cat "CustomCA.crt" >> "$NEW_CERT_BUNDLE_PATH"
    
    - export NIX_SSL_CERT_FILE="$NEW_CERT_BUNDLE_PATH"
    - export SSL_CERT_FILE="$NEW_CERT_BUNDLE_PATH"
    - export GIT_SSL_CAINFO="$NEW_CERT_BUNDLE_PATH"

    - echo "--- Custom Certificate Bundle ---"
    - cat "$NIX_SSL_CERT_FILE"
    - echo "-------------------------------"

Unfortunately, this approach hasn’t solved the problem. The build still fails with the same error:

error: Failed to open archive (Source threw exception: error: unable to download 'https://corporate-gitlab-url/api/v4/projects/devops%2Finfrastructure%2Fpackages/repository/archive.tar.gz?sha=f17e8fe9c5924f3afdade88d200fc3a845f27f2f': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate)

I feel like I’m on the right track by creating a new certificate bundle, but I must be missing a crucial step. Has anyone successfully configured the nixos/nix image for a similar setup?

Any pointers or suggestions would be greatly appreciated.

Many thanks!

Are you bound to using the upstream image, or would it be reasonable to customize it?
In the latter case: the builder for the official nix image can be used with dockerTools (I’ve done that to build a container to run LaTeX in CI) or you can just do a simple hack and replace the cert bundle in the container’s Nix store…

In the end, I did this:

  1. docker: make sure `nix config check` works by drupol · Pull Request #13351 · NixOS/nix · GitHub
  2. docker: use `callPackage`, parametrise the image build by drupol · Pull Request #13354 · NixOS/nix · GitHub

However, I’m curious to learn how to do:

you can just do a simple hack and replace the cert bundle in the container’s Nix store…

2 Likes

(not tested. may contain syntax errors)

sth. like

FROM nixos/nix:2.29.0

# the CA file has to be in the build context and copied in before RUN can read it
COPY CustomCA.crt /tmp/CustomCA.crt

RUN CERT_BUNDLE_PATH=$(find /nix/store/*-nss-cacert-*/etc/ssl/certs/ -name ca-bundle.crt) && echo "" >> "$CERT_BUNDLE_PATH" && cat /tmp/CustomCA.crt >> "$CERT_BUNDLE_PATH"

just don’t verify/repair the store path afterwards…

1 Like
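As an added example, not code from the thread or from the nixos/nix image: the bundle-building step of the before_script above and the store lookup from the Dockerfile reply, with the checks you want before handing the file to Nix. The error in the first post ("unable to get local issuer certificate") means curl could not find the issuer of some certificate in the server's chain in the bundle it was given, so the useful questions are whether the custom CA file is actually PEM, whether it survived the concatenation intact, and whether the bundle Nix ends up reading is the one you modified. The sample certificates below are constructed placeholders (not real certificates), and the store directory layout is built in a temp dir; in CI you would point `merge_bundle` at `$NIX_SSL_CERT_FILE` and your `CustomCA.crt`.

```shell
#!/bin/sh
# Added example: merge a custom CA into an existing PEM bundle and verify the
# result, plus the nss-cacert lookup used by the Dockerfile approach.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
pem_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Reject non-PEM input (a DER export, an empty file) and strip CRLF line
# endings, which some corporate PKI tools emit. $1 = input, $2 = output.
normalize_pem() {
  if ! grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
    echo "error: $1 is not a PEM certificate (DER or empty?)" >&2
    return 1
  fi
  tr -d '\r' < "$1" > "$2"
}

# Build bundle $3 from base bundle $1 plus extra PEM file $2, then check that
# every certificate from both inputs is still countable in the output.
# A newline is always inserted between the two: a base bundle without a
# trailing newline would otherwise glue END and BEGIN markers on one line.
# Prints the certificate count of the new bundle on success.
merge_bundle() {
  base=$1; extra=$2; out=$3
  tmp=$(mktemp)
  normalize_pem "$extra" "$tmp" || { rm -f "$tmp"; return 1; }
  { cat "$base"; printf '\n'; cat "$tmp"; printf '\n'; } > "$out"
  rm -f "$tmp"
  expected=$(( $(pem_count "$base") + $(pem_count "$extra") ))
  got=$(pem_count "$out")
  if [ "$got" -ne "$expected" ]; then
    echo "error: expected $expected certificates in $out, found $got" >&2
    return 1
  fi
  echo "$got"
}

# Locate the nss-cacert bundle under a Nix store root (default /nix/store),
# as the Dockerfile reply does with find. Prints the first match.
find_store_bundle() {
  store=${1:-/nix/store}
  find "$store" -path '*-nss-cacert-*/etc/ssl/certs/ca-bundle.crt' 2>/dev/null | head -n 1
}

# Constructed sample inputs (placeholder base64, not real certificates):
# a two-certificate base bundle with no trailing newline, a CRLF custom CA,
# and a file that is not PEM at all.
write_samples() {
  dir=$1
  printf -- '-----BEGIN CERTIFICATE-----\nMIIBsampleRootA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBsampleRootB\n-----END CERTIFICATE-----' > "$dir/ca-bundle.crt"
  printf -- '-----BEGIN CERTIFICATE-----\r\nMIIBcorporateCA\r\n-----END CERTIFICATE-----\r\n' > "$dir/CustomCA.crt"
  printf 'not a certificate' > "$dir/bad.crt"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
merge_bundle "$demo_dir/ca-bundle.crt" "$demo_dir/CustomCA.crt" "$demo_dir/merged.crt" >/dev/null
echo "merged bundle: $demo_dir/merged.crt ($(pem_count "$demo_dir/merged.crt") certificates)"
```

In the GitLab job, the cheapest end-to-end check after building the bundle is a plain curl against the instance with the same file, before nix is ever invoked: `curl -sSf --cacert "$NEW_CERT_BUNDLE_PATH" https://corporate-gitlab-url/ >/dev/null`. If that fails with the same "local issuer" error, the bundle is missing the root (or an intermediate the server does not send), and no amount of environment-variable plumbing will help; if it succeeds but Nix still fails, the process doing the fetch is not reading `NIX_SSL_CERT_FILE` and the store-path replacement or the rebuilt image is the more reliable route.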

Thanks !

On my side, both PRs were merged this morning, I can now do:

{
  inputs,
  callPackage,
  cacert,
  ...
}:
callPackage "${inputs.nix-docker}/docker.nix" {
  name = "nix-base-image";
  cacert = cacert.override {
    extraCertificateFiles = [
      ./customCA.crt
    ];
  };
  nixConf = {
    experimental-features = "nix-command flakes";
    warn-dirty = "false";
  };
}

I am quite satisfied with the result 🙂

2 Likes