Should nix-store and companions respect NIX_SSL_CERT_FILE? -> SSL peer certificate or SSH remote key was not OK

I think this has been discussed before, but the proposed solutions do not work for me. Actually, I’m starting to think I’m missing something on the conceptual level.

I have a host which sits behind a proxy which tampers with SSL certificates. The host runs Ubuntu 18.04. I installed the local certificate bundle and set up the http(s)_proxy env variables, which allowed me to access the Internet and install nix (single user currently, but I tried multi-user as well).
However, now I’m stuck: no nix command which accesses the cache works, all producing SSL errors such as

warning: unable to download ‘https://cache.nixos.org/nix-cache-info’: SSL peer certificate or SSH remote key was not OK (60); retrying in 348 ms

However, accessing the same URL with curl works just fine. (Note: curl is installed by Ubuntu apt.)
NIX_SSL_CERT_FILE is present and points to /etc/ssl/cert/ca-certificate.crt. I even peeked into the environment of the running nix-store process to make sure that the env. variables are present.

Somehow I’m starting to think that the nix commands actually do not use NIX_SSL_CERT_FILE; the nix manual is kind of vague about this and just says that this is required for nix-installed tools, such as curl, to work.

Help is much appreciated, thanks in advance.

The problem remains a mystery. I could confirm, using strace, that the correct cert (defined by NIX_SSL_CERT_FILE) is loaded. This doesn’t change the fact that nix-env fails to connect to cache.nixos.org but curl is fine. Maybe it’s time to file an issue on GitHub, but it is still a bit too esoteric for my liking.

You could use http://cache.nixos.org. Since the binary cache is signed anyway it doesn’t matter much for security to not use https.

In debug mode, Nix will now show the CA file used (Downloader: Warn if no trusted CA file has been configured · NixOS/nix@7c568d4 · GitHub). This is only on master at the moment.

Unfortunately we have a private substituter which is password protected … no luck

I spent some time with a similar issue in a multi-user Nix installation here, maybe some of my findings could be useful: SSL peer certificate or SSH remote key was not OK (60) · Issue #70939 · NixOS/nixpkgs · GitHub

What I’d do is really verify that the CA file is good, since it seems to be picked up by Nix. On CentOS this command seemed to work:
$ SSL_CERT_DIR="" SSL_CERT_FILE="" /usr/bin/openssl s_client -CAfile $NIX_SSL_CERT_FILE -connect cache.nixos.org:443

@xbreak I saw your issue and thought it didn’t really apply to me since you had the problem on a nix multi-user install. I also couldn’t try the openssl s_client thing because this does not work with a proxy. However, I made it work now with the proxytunnel trick here, which ends with this statement (before that are two pages of server certificate info):

Start Time: 1575985965
Timeout : 300 (sec)
Verify return code: 2 (unable to get issuer certificate)

and then hangs for 300 seconds. Does that mean the proxy is slightly misconfigured, in a way that lets curl accept it but nix is too paranoid to?
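An added example, not posted by anyone in this thread: a small POSIX shell script that runs the s_client check suggested above the way Nix would see the connection (only the bundle in NIX_SSL_CERT_FILE, through the configured https_proxy) and turns the "Verify return code" line into a plain statement of what is missing from the bundle. It also closes stdin so s_client returns after the handshake instead of sitting in its 300 s timeout. Assumptions: OpenSSL 1.1.0 or newer (for the -proxy option), a proxy URL of the form http://host:port/ without credentials; the function names and the PROBE_HOST variable are mine.

```shell
#!/bin/sh
# Added example (not from the thread): check that the CA bundle in
# NIX_SSL_CERT_FILE validates a server's chain as Nix would see it,
# optionally through an HTTP CONNECT proxy, and explain the verify code.
# Assumptions: OpenSSL >= 1.1.0 (for "s_client -proxy"); https_proxy is
# http://host:port/ without credentials (s_client -proxy sends none).

# Number of PEM certificates in a bundle (0 for an empty or non-PEM file).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Pull the numeric "Verify return code" out of s_client output on stdin.
parse_verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate OpenSSL X509 verify codes into what to fix in the bundle.
explain_verify_code() {
  case "$1" in
    0)    echo "ok: chain validates against the CA file" ;;
    2|20) echo "missing-issuer: the issuer of the served certificate is not in the CA file; with an intercepting proxy its signing CA has to be added to the bundle" ;;
    10)   echo "expired: a certificate in the chain has expired" ;;
    18|19) echo "self-signed: a self-signed certificate in the chain is not in the CA file" ;;
    21)   echo "unverifiable-leaf: the leaf signature cannot be verified (server sent only the leaf?)" ;;
    62)   echo "hostname-mismatch: the certificate does not match the requested host name" ;;
    "")   echo "no-result: s_client printed no verify line (connection or proxy failure)" ;;
    *)    echo "other: OpenSSL verify code $1" ;;
  esac
}

# probe_host HOST [PORT] [CAFILE]: run the handshake and report the verdict.
probe_host() {
  host=$1
  port=${2:-443}
  cafile=${3:-${NIX_SSL_CERT_FILE:-}}
  if [ -z "$cafile" ] || [ ! -r "$cafile" ]; then
    echo "CA file not set or unreadable: '$cafile'" >&2
    return 2
  fi
  echo "CA file: $cafile ($(count_certs "$cafile") certificates)"

  # Reuse the proxy Nix/curl use; strip scheme and trailing slash.
  proxy=${https_proxy:-${HTTPS_PROXY:-}}
  proxy=${proxy#http://}
  proxy=${proxy%/}

  set -- -CAfile "$cafile" -servername "$host" -connect "$host:$port"
  if [ -n "$proxy" ]; then
    set -- "$@" -proxy "$proxy"
  fi

  # Empty SSL_CERT_* so only the given bundle is consulted; </dev/null
  # closes stdin so s_client exits after the handshake instead of waiting
  # for its read timeout (the 300 s hang seen in the thread).
  out=$(SSL_CERT_DIR= SSL_CERT_FILE= openssl s_client "$@" </dev/null 2>&1)
  code=$(printf '%s\n' "$out" | parse_verify_code)

  # The issuer of the served leaf is what must be chained to the bundle.
  issuer=$(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null || echo "issuer=unknown")
  echo "served certificate: $issuer"
  explain_verify_code "$code"
  [ "$code" = "0" ]
}

# Usage: PROBE_HOST=cache.nixos.org sh ca-check.sh
if [ -n "${PROBE_HOST:-}" ]; then
  probe_host "$PROBE_HOST" "${PROBE_PORT:-443}"
fi
```

If the verdict is "missing-issuer" while curl succeeds, compare the issuer line with the subjects in the bundle curl uses: curl on Ubuntu reads the system store, so a proxy CA installed there is invisible to a Nix process that is told to use a different file.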

It seems your CA file is missing the necessary certificates. If you do MITM proxying, you need to install your company certificate. If not, you can try the CAs from curl: curl - Extract CA Certs from Mozilla.

I did that; otherwise curl wouldn’t be able to make https requests. Something else seems to be fishy, but I don’t think it’s nix’s fault. I worked around the problem by implementing a small reverse proxy which transforms the https request to an http request to localhost … hacky, but it works.