Update: that was my mistake: I had long-forgotten includes in my configuration.nix, adding some erroneous binary certificates copied from a random Windows system. The addition was made back in 2019 but caused no errors until now. I assume that some parsing rules for *crt files became stricter and this finally triggered my situation.
The original post:
Hi, I have a security issue. I have upgraded my NixOS from 20.03 to the recent 21.05 on one of my machines yesterday. The upgrade went well, but after reboot I couldn't open any HTTPS site. All the browsers reported invalid certificate errors.

After some investigation I found that my `/etc/static/ssl/certs/ca-bundle.crt` file contains a binary header with Cyrillic words in it (it says "BLA BLA Минкомсвязи России BLABLA", which means "Ministry of communications of Russia"). The question is: how could this insertion appear in my system?

I'm sharing the ca-bundle.crt file via filebin: https://filebin.net/11y2pyxjglrmqi56

The original path: /nix/store/a33bbwhdi8wninhl5x0g2zg42n5vj0jv-ca-certificates.crt

~~~
sha256 67bcd169817572c7717d07df47cb003abb1e1e38855978ee2a7b4ba22deb3474 ca-bundle-rf.crt
~~~
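A check for the situation described in this post, added here as an example and not part of the original post: it scans a CA bundle for bytes lying outside PEM `CERTIFICATE` blocks and labels each stray run, so a binary (DER) certificate concatenated into a PEM bundle is reported with its offset. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END CERTIFICATE-----"
)

def classify(chunk: bytes) -> str:
    """Label bytes found outside any PEM block."""
    if chunk[:2] == b"\x30\x82":  # ASN.1 SEQUENCE with 2-byte length: how a DER cert starts
        return "der"
    if any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in chunk):
        return "binary"
    return "text"  # e.g. comment lines between certificates

def audit_bundle(data: bytes):
    """Return (pem_cert_count, [(offset, kind), ...]) for content outside PEM blocks."""
    findings, count, pos = [], 0, 0
    # Sentinel empty span at the end so trailing bytes are inspected too.
    spans = [m.span() for m in PEM_CERT.finditer(data)] + [(len(data), len(data))]
    for start, end in spans:
        gap = data[pos:start]
        body = gap.lstrip()  # ignore blank lines between blocks
        if body:
            findings.append((pos + len(gap) - len(body), classify(body)))
        if end > start:
            count += 1
        pos = end
    return count, findings

# Constructed sample data: not real certificates.
PEM = (b"-----BEGIN CERTIFICATE-----\n"
       + base64.encodebytes(b"constructed placeholder, not a certificate")
       + b"-----END CERTIFICATE-----\n")
DER_LIKE = b"\x30\x82\x01\x0a" + "Минкомсвязи России".encode("utf-8")
SAMPLE = DER_LIKE + b"\n" + PEM  # binary header followed by a PEM block

if __name__ == "__main__":
    print(audit_bundle(SAMPLE))
```

To audit a real bundle, pass the file's bytes, for example `audit_bundle(open("/etc/static/ssl/certs/ca-bundle.crt", "rb").read())`; any `der` or `binary` finding points at a non-PEM file that was merged into the bundle.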