SSL CA cert error on MacOS

Have you ever seen this error in Nix (MacOS Ventura 13.4.1 (c) (22F770820d)):

% nix run nix-darwin -- switch --flake ~/.config/nix-darwin warning: cannot read flake registry '/etc/nix/registry.json': error: opening file '/etc/nix/registry.json': No such file or directory
error: unable to download 'https://cache.nixos.org/nar/1wy0f953cqm34w2sh4n0jhggrlsyvnpx7mdpqhbxnbfr0yg8w8b2.nar.xz': Problem with the SSL CA cert (path? access rights?) (77)

% nix-shell
warning: cannot read flake registry '/etc/nix/registry.json': error: opening file '/etc/nix/registry.json': No such file or directory
error: unable to download 'https://cache.nixos.org/rwpiwxha1h6lii6dkz651jx16z9c5qzw.narinfo': Problem with the SSL CA cert (path? access rights?) (77)

% nix develop
error: unable to download 'https://cache.nixos.org/xqpx4n6h53qgyjxrn3i29rx0zhr9pc8q.narinfo': Problem with the SSL CA cert (path? access rights?) (77)

This happens whenever I run a Nix command.
All the projects above work on other machines (Nix on Windows WSL and NixOS).
Only on this Mac Machine it stopped working.

I used the DeterminateSystems installer 1. Get Nix running on your system this time, however, I do believe this error has nothing to do with the installer but Nix.
The first time (installed Nix with Nix default installer) I tried multiple fixes and nothing worked so I formatted the Mac and installed Nix with DeterminateSystems installer.
I do not know how to reproduce, but this happened twice on this machine.
This happened after a couple of days of not turning on the machine, before that it was working and no change (that I remember) was made.

I looked on issues on Nix, the DeterminateSystems installer, nix-darwin, etc. The most relevant is this one Multi-user installation on OSX - SSL cert problem for user, not for root · Issue #2899 · NixOS/nix · GitHub but I am not sure if it is related and the solutions do not work. Appears to be the same as this issue: Nix run error: Problem with the SSL CA cert but the solution did not work for me.

Have you ever experience or seen anyone have this issue?

The solution on the other post does not work, because:

We coincidentally had an installer workgroup meeting this morning and I asked about this. The developer on the detsys installer thinks this sounds like some reports they have about trouble caused by uninstalling Nix without uninstalling nix-darwin first, and having some of nix-darwin’s artifacts/changes dangling.

https://github.com/DeterminateSystems/nix-installer/issues/528

If that sounds like it might describe your case, you may need to manually uninstall nix-darwin. Judging from Uninstall nix-darwin manually · Issue #542 · LnL7/nix-darwin · GitHub, it sounds like there’s heavy emphasis on the manually bit. (I haven’t looked around further to see if there is a clear set of manual instructions out there…)

The SSL error started before trying to reinstall anything. I had indeed nix-darwin installed (pretty sure both times the error appear it was installed).

Will uninstall nix-darwin manually and then update the post with the results.

Solved it, for more info go to Error reinstalling Nix on MacOS (error: failed to configure synthetic.conf) · Issue #8771 · NixOS/nix · GitHub

However, the solution was fixing a dead symlink as stated in Problems with multi-user (re)installation of nix on macOS · Issue #3261 · NixOS/nix · GitHub

Check for an old symlink like this:

ls -la /etc/ssl/certs/ca-certificates.crt

If you have it (e.g. pointing to /etc/static/ssl/certs/ca-certificates.crt, remove and create a new one.

TL;DR: Try this

sudo rm /etc/ssl/certs/ca-certificates.crt
sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

Thank you @abathur and everyone else for the help.

5 Likes

In case you might have a custom truststore with self-signed certificates, this is what you can do:

  1. Export all trusted certs in one big bundle
security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o /tmp/certs-system.pem
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/certs-root.pem
cat /tmp/certs-root.pem /tmp/certs-system.pem > /tmp/ca_cert.pem
  1. Copy bundle to /etc/nix/

sudo mv /tmp/ca_cert.pem /etc/nix/

  1. Edit launchctl plist of nix-daemon

sudo vi /Library/LaunchDaemons/org.nixos.nix-daemon.plist

  1. Ensure the EnvironmentVariables key is present:
    <key>EnvironmentVariables</key>
    <dict>
      <key>NIX_SSL_CERT_FILE</key>
      <string>/etc/nix/ca_cert.pem</string>
      <key>SSL_CERT_FILE</key>
      <string>/etc/nix/ca_cert.pem</string>
      <key>REQUEST_CA_BUNDLE</key>
      <string>/etc/nix/ca_cert.pem</string>
    </dict>
    <key>ProgramArguments</key>
    <array>
  1. Reload nix-daemon service
sudo launchctl unload /Libray/LaunchDaemons/org.nixos.nix-daemon.plist
sudo launchctl load /Libray/LaunchDaemons/org.nixos.nix-daemon.plist
  1. Verify service contains EnvironmentVariables
sudo launchctl print system/org.nixos.nix-daemon
2 Likes