SSL CA cert error on MacOS

Have you ever seen this error in Nix (MacOS Ventura 13.4.1 (c) (22F770820d)):

% nix run nix-darwin -- switch --flake ~/.config/nix-darwin
warning: cannot read flake registry '/etc/nix/registry.json': error: opening file '/etc/nix/registry.json': No such file or directory
error: unable to download 'https://cache.nixos.org/nar/1wy0f953cqm34w2sh4n0jhggrlsyvnpx7mdpqhbxnbfr0yg8w8b2.nar.xz': Problem with the SSL CA cert (path? access rights?) (77)

% nix-shell
warning: cannot read flake registry '/etc/nix/registry.json': error: opening file '/etc/nix/registry.json': No such file or directory
error: unable to download 'https://cache.nixos.org/rwpiwxha1h6lii6dkz651jx16z9c5qzw.narinfo': Problem with the SSL CA cert (path? access rights?) (77)

% nix develop
error: unable to download 'https://cache.nixos.org/xqpx4n6h53qgyjxrn3i29rx0zhr9pc8q.narinfo': Problem with the SSL CA cert (path? access rights?) (77)

This happens whenever I run a Nix command.
All the projects above work on other machines (Nix on Windows WSL and NixOS).
It stopped working only on this Mac machine.

I used the DeterminateSystems installer (Get Nix running on your system) this time; however, I do believe this error has nothing to do with the installer but with Nix.
The first time (installed Nix with Nix default installer) I tried multiple fixes and nothing worked so I formatted the Mac and installed Nix with DeterminateSystems installer.
I do not know how to reproduce, but this happened twice on this machine.
This happened after a couple of days of not turning on the machine, before that it was working and no change (that I remember) was made.

I looked at issues on Nix, the DeterminateSystems installer, nix-darwin, etc. The most relevant is this one: Multi-user installation on OSX - SSL cert problem for user, not for root · Issue #2899 · NixOS/nix · GitHub, but I am not sure if it is related and the solutions do not work. It appears to be the same as this issue: Nix run error: Problem with the SSL CA cert, but the solution did not work for me.

Have you ever experienced this issue, or seen anyone else have it?

1 Like

The solution on the other post does not work, because:

We coincidentally had an installer workgroup meeting this morning and I asked about this. The developer on the detsys installer thinks this sounds like some reports they have about trouble caused by uninstalling Nix without uninstalling nix-darwin first, and having some of nix-darwin’s artifacts/changes dangling.

https://github.com/DeterminateSystems/nix-installer/issues/528

If that sounds like it might describe your case, you may need to manually uninstall nix-darwin. Judging from Uninstall nix-darwin manually · Issue #542 · LnL7/nix-darwin · GitHub, it sounds like there’s heavy emphasis on the manually bit. (I haven’t looked around further to see if there is a clear set of manual instructions out there…)

The SSL error started before trying to reinstall anything. I did indeed have nix-darwin installed (pretty sure both times the error appeared it was installed).

Will uninstall nix-darwin manually and then update the post with the results.

Solved it, for more info go to Error reinstalling Nix on MacOS (error: failed to configure synthetic.conf) · Issue #8771 · NixOS/nix · GitHub

However, the solution was fixing a dead symlink as stated in Problems with multi-user (re)installation of nix on macOS · Issue #3261 · NixOS/nix · GitHub

Check for an old symlink like this:

ls -la /etc/ssl/certs/ca-certificates.crt

If you have it (e.g. pointing to /etc/static/ssl/certs/ca-certificates.crt), remove it and create a new one.

TL;DR: Try this

sudo rm /etc/ssl/certs/ca-certificates.crt
sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

Thank you @abathur and everyone else for the help.

16 Likes
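The fix above boils down to "remove the dangling symlink and point it at the Nix CA bundle". As an added example (not mig4ng's or the thread's own code), here is that check and repair as two shell functions that take the paths as parameters, so you can rehearse them against a scratch directory before touching /etc/ssl/certs. The repair only acts when the link really is dangling and the replacement bundle really exists, which is the distinction the `ls -la` check is meant to make.

```shell
#!/bin/sh
# Added example: diagnose and repair the dangling
# /etc/ssl/certs/ca-certificates.crt symlink left behind by nix-darwin.
# Paths are parameters so the logic can be tried on a scratch tree first.

# Classify what sits at $1. Prints one of:
#   missing | regular-file | symlink-ok | symlink-dangling
classify_path() {
  if [ -L "$1" ]; then
    # -e follows the link, so a symlink whose target is gone fails this test
    if [ -e "$1" ]; then echo "symlink-ok"; else echo "symlink-dangling"; fi
  elif [ -e "$1" ]; then
    echo "regular-file"
  else
    echo "missing"
  fi
}

# Replace $1 with a symlink to the Nix CA bundle $2, but only when $1 is a
# dangling symlink and $2 exists as a regular file. Returns 0 when the link
# was recreated, 1 when nothing was done (healthy link, plain file, or no
# bundle to point at), so the caller can report why instead of guessing.
repair_ca_link() {
  link="$1"; bundle="$2"
  [ "$(classify_path "$link")" = "symlink-dangling" ] || return 1
  [ -f "$bundle" ] || return 1
  rm "$link" && ln -s "$bundle" "$link"
}

# Stand-alone use: `sh this.sh --check` reports the state of the real path;
# a working install shows symlink-ok or regular-file.
if [ "${1:-}" = "--check" ]; then
  classify_path /etc/ssl/certs/ca-certificates.crt
fi
```

To apply the repair for real, call `repair_ca_link /etc/ssl/certs/ca-certificates.crt /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt` as root; the bundle path is the one from the TL;DR above.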

In case you might have a custom truststore with self-signed certificates, this is what you can do:

  1. Export all trusted certs in one big bundle
security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o /tmp/certs-system.pem
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/certs-root.pem
cat /tmp/certs-root.pem /tmp/certs-system.pem > /tmp/ca_cert.pem
  2. Copy the bundle to /etc/nix/

sudo mv /tmp/ca_cert.pem /etc/nix/

  3. Edit the launchctl plist of nix-daemon

sudo vi /Library/LaunchDaemons/org.nixos.nix-daemon.plist

  4. Ensure the EnvironmentVariables key is present:
    <key>EnvironmentVariables</key>
    <dict>
      <key>NIX_SSL_CERT_FILE</key>
      <string>/etc/nix/ca_cert.pem</string>
      <key>SSL_CERT_FILE</key>
      <string>/etc/nix/ca_cert.pem</string>
      <key>REQUEST_CA_BUNDLE</key>
      <string>/etc/nix/ca_cert.pem</string>
    </dict>
    <key>ProgramArguments</key>
    <array>
  5. Reload the nix-daemon service
sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist
  6. Verify the service contains EnvironmentVariables
sudo launchctl print system/org.nixos.nix-daemon
6 Likes
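Two things can silently go wrong in the procedure above: the concatenated bundle can be empty or truncated (the daemon then rejects every TLS connection with the same error 77), and the plist edit can fail to land in the EnvironmentVariables dict. As an added example that is not weitzj's or the project's code, the functions below check both before you reload the daemon. They use only grep, awk and sed so they can be tried on scratch files; the plist layout they parse is the fragment shown in step 4.

```shell
#!/bin/sh
# Added example: sanity-check the custom-truststore setup before reloading
# nix-daemon. All paths are parameters; nothing here touches the real system.

# Count the certificates in PEM bundle $1 and confirm every BEGIN has an END.
# Prints the count; returns 1 for a missing, empty or unbalanced bundle,
# which is what a truncated `cat` of the two `security export` files yields.
pem_cert_count() {
  [ -r "$1" ] || return 1
  # grep -c exits 1 on zero matches but still prints 0, hence "|| true"
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  echo "$begins"
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Print the value of environment variable $2 from the EnvironmentVariables
# dict of launchd plist $1 (XML plist, one key/string per line as in step 4).
# Returns 1 when the variable is not set in that dict.
plist_env_value() {
  value=$(awk -v want="<key>$2</key>" '
    /<key>EnvironmentVariables<\/key>/ { inside = 1; next }
    inside && /<\/dict>/               { exit }
    inside && $0 ~ want                { getline; print; exit }
  ' "$1" | sed 's/.*<string>\(.*\)<\/string>.*/\1/')
  [ -n "$value" ] || return 1
  echo "$value"
}

# Tie the two together: NIX_SSL_CERT_FILE in plist $1 must name a readable
# bundle holding at least one well-formed certificate. Returns 0 when so.
check_daemon_truststore() {
  bundle=$(plist_env_value "$1" NIX_SSL_CERT_FILE) || return 1
  pem_cert_count "$bundle" > /dev/null
}

# Stand-alone use against the real daemon plist from the thread:
if [ "${1:-}" = "--check" ]; then
  if check_daemon_truststore /Library/LaunchDaemons/org.nixos.nix-daemon.plist; then
    echo "nix-daemon truststore looks consistent"
  else
    echo "nix-daemon truststore is missing or malformed" >&2
    exit 1
  fi
fi
```

Run `sh this.sh --check` after step 4 and again after the reload; the second run guards against darwin-rebuild reverting the plist, the annoyance raised later in the thread.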

Thanks, @weitzj ! My laptop has self-signed certificates installed by my employer, and I’d never have figured this out on my own.

Possibly helpful note for the next person who runs into this:

  • The launchctl unload/load commands were giving me an error, but restarting the computer did the trick.
  • After a successful restart, launchctl print showed the variables defined correctly. However, the section containing the environment variables is called “environment”, not “EnvironmentVariables”.

Oh, since this thread is resurfacing anyway, I’ll go ahead and mention that I had a problem like this on my mac. It turned out it was because I was using nix-darwin, and at some point decided to reinstall Nix after I hadn’t updated nixpkgs in a long time. The result was that after Nix was uninstalled, I had a dangling /etc/ssl/certs/ca-certificates.crt -> /etc/static/ssl/certs/ca-certificates.crt -> /nix/store/... symlink leftover from nix-darwin, which caused the new Nix install to be unable to download anything.

1 Like

Yes, similar issue after trying to do a full system reinstallation of Nix (using the detsys installer) without uninstalling nix-darwin first. (Once Nix is removed you also lose access to the automatic nix-darwin uninstaller.) mig4ng's solution worked perfectly.

Thanks @weitzj this worked like a charm apart from the unload and load commands of launchctl. They seem to be deprecated and not working as of MacOS 14.7.1 at least. I used bootout and bootstrap respectively instead as follows:

sudo launchctl bootout system/org.nixos.nix-daemon
sudo launchctl bootstrap system /Library/LaunchDaemons/org.nixos.nix-daemon.plist

The little annoyance I’m having is that the .plist file gets reverted back to its original state after

darwin-rebuild switch --flake .

I’m new to Mac and tried some things to alleviate the issue but to no avail. Can org.nixos.nix-daemon.plist be managed by nix itself?

Got a solution from here. Just added the following to my flake.nix and I don’t have to edit the .plist file every time anymore.

system.activationScripts."ssl-ca-cert-fix".text = ''
  if [ ! -f /etc/nix/ca_cert.pem ]; then
    security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o /tmp/certs-system.pem
    security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/certs-root.pem
    cat /tmp/certs-root.pem /tmp/certs-system.pem > /tmp/ca_cert.pem
    sudo mv /tmp/ca_cert.pem /etc/nix/
  fi
'';

# This is the main part
nix.settings = {
  ssl-cert-file = "/etc/nix/ca_cert.pem";
};

Thank you for this, I had the exact same problem and this solved it for me.