Hello everyone,
I’m trying to use the `nixos/nix` official Docker image within a GitLab CI pipeline to build a Nix project. The source code for this project is hosted on our private, internally-managed GitLab instance, which uses custom SSL certificates.
The issue I’m facing is that Nix fails to fetch the source from our GitLab instance due to an SSL certificate verification error.
My approach has been to create a new certificate bundle within the `before_script` section of my `.gitlab-ci.yml`. The script appends our custom CA certificate to the existing certificate bundle provided by the image and then updates the relevant environment variables (`NIX_SSL_CERT_FILE`, `SSL_CERT_FILE`, and `GIT_SSL_CAINFO`) to point to this new file.
Here is the relevant snippet from my `.gitlab-ci.yml`:

```yaml
image: nixos/nix:2.29.0
default:
  before_script:
    - echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
    - echo "access-tokens = github.com=${GITHUB_TOKEN} corporate-gitlab-url=${CORP_GITLAB_TOKEN}" >> /etc/nix/nix.conf
    # Build a new bundle: the image's bundle plus our corporate CA
    - NEW_CERT_BUNDLE_PATH=$(mktemp)
    - cat "$NIX_SSL_CERT_FILE" > "$NEW_CERT_BUNDLE_PATH"
    - echo "" >> "$NEW_CERT_BUNDLE_PATH"
    - cat "CustomCA.crt" >> "$NEW_CERT_BUNDLE_PATH"
    # Point Nix, curl/OpenSSL and git at the new bundle
    - export NIX_SSL_CERT_FILE="$NEW_CERT_BUNDLE_PATH"
    - export SSL_CERT_FILE="$NEW_CERT_BUNDLE_PATH"
    - export GIT_SSL_CAINFO="$NEW_CERT_BUNDLE_PATH"
    - echo "--- Custom Certificate Bundle ---"
    - cat "$NIX_SSL_CERT_FILE"
    - echo "-------------------------------"
```
Unfortunately, this approach hasn’t solved the problem. The build still fails with the same error:

```
error: Failed to open archive (Source threw exception: error: unable to download 'https://corporate-gitlab-url/api/v4/projects/devops%2Finfrastructure%2Fpackages/repository/archive.tar.gz?sha=f17e8fe9c5924f3afdade88d200fc3a845f27f2f': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate)
```
I feel like I’m on the right track by creating a new certificate bundle, but I must be missing a crucial step. Has anyone successfully configured the `nixos/nix` image for a similar setup?
Any pointers or suggestions would be greatly appreciated.
Many thanks!
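As an added example, not part of the post above, here is a small POSIX shell helper that builds the combined bundle the same way the `before_script` does, but first checks the two inputs for the silent failures that leave "unable to get local issuer certificate" in place: a `.crt` that is DER rather than PEM (so `cat` produces a block the TLS library ignores), and a base bundle without a trailing newline (so the two PEM blocks run together). File names and the sample PEM contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script): validate and merge CA bundles.
set -eu

# Count PEM certificate blocks in a file (prints 0 for a DER or empty file).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeed only if the file contains at least one PEM certificate block.
# DER files start with a raw 0x30 (ASN.1 SEQUENCE) byte and have no such marker.
is_pem() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Append a newline to FILE unless it already ends with one.
ensure_trailing_newline() {
  [ -z "$(tail -c1 "$1")" ] || echo "" >> "$1"
}

# build_bundle BASE CUSTOM OUT
# Writes OUT = BASE + CUSTOM, verifies both inputs are PEM, and prints the
# number of certificates in OUT, which must equal the sum of the inputs.
build_bundle() {
  base=$1; custom=$2; out=$3
  is_pem "$base" || { echo "base bundle $base is not PEM" >&2; return 1; }
  is_pem "$custom" || {
    echo "$custom is not PEM; if it is DER, convert it first with:" >&2
    echo "  openssl x509 -inform der -in $custom -out $custom.pem" >&2
    return 1
  }
  cat "$base" > "$out"
  ensure_trailing_newline "$out"
  cat "$custom" >> "$out"
  ensure_trailing_newline "$out"
  expected=$(( $(count_certs "$base") + $(count_certs "$custom") ))
  actual=$(count_certs "$out")
  [ "$actual" -eq "$expected" ] || {
    echo "bundle has $actual certs, expected $expected" >&2; return 1
  }
  echo "$actual"
}

# Stand-alone usage: build_bundle.sh BASE CUSTOM OUT
if [ $# -eq 3 ]; then
  build_bundle "$@"
fi
```

If the count printed is correct but the fetch still fails, the remaining question is whether `CustomCA.crt` is the issuing chain the server actually presents (root plus any intermediates), which `openssl s_client -showcerts` against the GitLab host will show.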