(Resolved) Unexpected binary SSL certificates in ca-bundle.crt after nixos-rebuild! Great Russian Firewall?

Update: that was my mistake: I had long-forgotten includes in my configuration.nix, adding some erroneous binary certificates copied from a random Windows system. The addition was made back in 2019 but caused no errors until now. I assume that some parsing rules for *crt files became stricter and this finally triggered my situation.

The original post:

Hi, I have a security issue. I have upgraded my NixOS from 20.03 to the recent 21.05 on one of my machines yesterday. The upgrade went well, but after reboot I couldn't open any HTTPS site. All the browsers reported invalid certificate errors. After some investigation I found that my `/etc/static/ssl/certs/ca-bundle.crt` file contains a binary header with Cyrillic words in it (it says "BLA BLA Минкомсвязи России BLABLA", which means "Ministry of communications of Russia").

The question is: how could this insertion appear in my system?

I'm sharing the ca-bundle.crt file via filebin: https://filebin.net/11y2pyxjglrmqi56
The original path: `/nix/store/a33bbwhdi8wninhl5x0g2zg42n5vj0jv-ca-certificates.crt`
sha256 `67bcd169817572c7717d07df47cb003abb1e1e38855978ee2a7b4ba22deb3474  ca-bundle-rf.crt`
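The failure described in this thread (raw binary certificate data sitting inside a PEM bundle) can be located with a small audit script. This is an added example, not part of the original post: the function names are hypothetical and the sample bundle is constructed, with a tiny DER SEQUENCE standing in for a real certificate.

```python
import base64
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.DOTALL)
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def check_gap(data, start, end, findings):
    """Text between PEM blocks must be UTF-8 comments without control bytes."""
    gap = data[start:end]
    hit = CONTROL.search(gap)
    if hit:
        findings.append((start + hit.start(), "control byte outside PEM block"))
        return
    try:
        gap.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append((start + exc.start, "non-UTF-8 byte outside PEM block"))
        return
    if b"-----BEGIN" in gap:
        findings.append((start + gap.index(b"-----BEGIN"), "unterminated PEM block"))

def audit_bundle(data):
    """Return (valid_cert_count, [(byte_offset, reason), ...])."""
    findings, count, pos = [], 0, 0
    for m in PEM_CERT.finditer(data):
        check_gap(data, pos, m.start(), findings)
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            der = b""
        if der[:1] == b"\x30":  # every X.509 certificate is a DER SEQUENCE
            count += 1
        else:
            findings.append((m.start(), "PEM body is not base64 DER"))
        pos = m.end()
    check_gap(data, pos, len(data), findings)
    return count, findings

# Constructed sample: the body is a tiny DER SEQUENCE, not a real certificate.
PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(b"\x30\x03\x02\x01\x01")
       + b"-----END CERTIFICATE-----\n")
CLEAN = b"Example Root CA\n" + PEM + b"Another Root\n" + PEM
# Constructed raw DER-like bytes appended unencoded, as in the post.
TAINTED = CLEAN + b"\x30\x82\x01\x0a" + "Минкомсвязи России".encode() + b"\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tainted", TAINTED)):
        print(name, audit_bundle(blob))
```

Running `audit_bundle` over the bytes of the real bundle gives the byte offset of the first non-PEM region, which can then be traced back to the file that contributed it.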