SSL_CERT_FILE doesn't work in build with rust application

(For context, see here and here. The motivation is to reproducibly build LaTeX documents.)

Consider the following fixed-output derivation that uses tectonic to download the dependencies from the internet while building main.tex.

{ stdenvNoCC, cacert, tectonic }:

stdenvNoCC.mkDerivation {
  name = "main";
  src = ./src;

  nativeBuildInputs = [ tectonic ];

  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

  # HACK: tls doesn't work
  bundleUrl = builtins.replaceStrings [ "https" ] [ "https" ]
    tectonic.passthru.bundleUrl;

  buildPhase = ''
    runHook preBuild

    mkdir -p .cache/Tectonic
    export XDG_CACHE_HOME=$(realpath .cache)
    export TECTONIC_CACHE_DIR="$(realpath .cache/Tectonic)"
    export SOURCE_DATE_EPOCH=0
    tectonic --web-bundle $bundleUrl -Z deterministic-mode main.tex

    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall

    cp -r .cache/Tectonic -T $out

    runHook postInstall
  '';

  outputHashMode = "recursive";
  outputHashAlgo = "sha256";
  outputHash = "sha256-6oGX0k7kVpiUsKbAdHleh2jaiw2WE3KT3GEXAlWKXP0=";
}

The contents of main.tex don’t particularly matter, but for concreteness, consider the following src/main.tex placed in the same directory.

\documentclass[tikz]{standalone}
\usepackage{amsmath}

% https://flyx.org/nix-flakes-latex/
\special{pdf:trailerid [
  <00112233445566778899aabbccddeeff>
  <00112233445566778899aabbccddeeff>
]}

\begin{document}
\begin{tikzpicture}
  % https://tikz.dev/tikz-shapes#sec-17.2.3
  \node[inner xsep=0mm, inner ysep=0.07em] {%
    \( \lvert \mathcal{X} \rvert_0 \)
  };
\end{tikzpicture}
\end{document}

I’m getting SSL errors even when I set SSL_CERT_FILE to "${cacert}/etc/ssl/certs/ca-bundle.crt".

note: connecting to https://data1.fullyjustified.net/tlextras-2022.0r0.tar
error: error sending request for url (https://data1.fullyjustified.net/tlextras-2022.0r0.tar): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:

As far as I can tell, tectonic depends on reqwest > native_tls > openssl_probe which ultimately looks for the tls certificates. But openssl_probe should look for SSL_CERT_FILE. Curl seems to work correctly. If I remove https, i.e. change the second https to http in the derivation above, then it builds as well.

If I run tectonic outside of the nix build sandbox with the following commands,

sudo mv /etc/pki /etc/pki_
sudo mv /etc/ssl /etc/ssl_
mkdir -p .cache/Tectonic
export XDG_CACHE_HOME="$(realpath .cache)"
export TECTONIC_CACHE_DIR="$(realpath .cache/Tectonic)"
tectonic main.tex

then I get the errors

note: connecting to https://data1.fullyjustified.net/tlextras-2022.0r0.tar
error: error sending request for url (https://data1.fullyjustified.net/tlextras-2022.0r0.tar): error trying to connect: error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error trying to connect: error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (unable to get local issuer certificate)
caused by: error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file, error:80000002:system library:file_open:reason(2):providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/0p6iwr6j9arbwzbwm3r34nlzy8ck82gg-openssl-3.0.14/etc/ssl/certs), error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:

(The errors are more verbose for some reason, e.g. they include the openssl store path, even though the tectonic binary is the same.) However, if I run SSL_CERT_FILE=/etc/ssl_/certs/ca-bundle.crt tectonic main.tex instead, it successfully builds, suggesting tectonic indeed respects SSL_CERT_FILE.

note: connecting to https://data1.fullyjustified.net/tlextras-2022.0r0.tar
note: downloading index https://data1.fullyjustified.net/tlextras-2022.0r0.tar.index.gz
note: downloading SHA256SUM
note: generating format "latex"
...
note: downloading glyphlist.txt
note: downloading cmsy10.pfb
note: downloading cmr7.pfb
Writing `main.pdf` (2.85 KiB)
Skipped writing 1 intermediate files (use --keep-intermediates to keep them)

Since I’m on NixOS, both /etc/ssl/certs/ca-bundle.crt (the one provided above) and "${cacert}/etc/ssl/certs/ca-bundle.crt" (the one provided in the sandbox) resolve to the same certificates, namely, /nix/store/<hash>-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt.

What difference am I missing between the sandbox and outside? Thanks!
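A diagnostic for comparing the two environments, added here and not part of the original post: it reports the variables that openssl-probe and OpenSSL consult, where each resolves to through /nix/store symlinks, whether the target is actually a usable trust store, and the state of a few conventional fallback paths. The fallback path list and the inclusion of NIX_SSL_CERT_FILE are assumptions; the cause of the sandbox failure is not asserted by this script, it only makes the difference visible.

```sh
#!/bin/sh
# Added diagnostic (not from the original post): show how an OpenSSL-based client
# such as tectonic (reqwest/native-tls) would locate its trust store here. Run it
# inside the derivation's buildPhase and in a normal shell, then diff the outputs.

# Count PEM certificates in a bundle file; prints 0 when unreadable or empty.
count_certs() {
  if [ -r "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
  else echo 0; fi
}

# Classify a trust-store path as OpenSSL sees it: missing, unreadable, empty
# (present but no usable certificate) or ok:<n>. A directory counts only if it
# holds c_rehash-style <hash>.0 entries, which SSL_CERT_DIR requires.
classify_store() {
  p=$1
  if [ ! -e "$p" ]; then echo missing; return 0; fi
  if [ ! -r "$p" ]; then echo unreadable; return 0; fi
  if [ -d "$p" ]; then n=$(ls "$p"/*.0 2>/dev/null | wc -l | tr -d ' ')
  else n=$(count_certs "$p"); fi
  if [ "$n" -eq 0 ]; then echo empty; else echo "ok:$n"; fi
}

# Print the variables openssl-probe/OpenSSL consult, where they resolve to
# (through /nix/store symlinks) and the state of assumed fallback paths.
report() {
  for var in SSL_CERT_FILE SSL_CERT_DIR NIX_SSL_CERT_FILE; do
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
      printf '%s=%s -> %s (%s)\n' "$var" "$val" \
        "$(readlink -f "$val" 2>/dev/null || echo '?')" "$(classify_store "$val")"
    else printf '%s is unset\n' "$var"; fi
  done
  # Compiled-in default directory, used only when neither variable is set.
  if command -v openssl >/dev/null 2>&1; then
    printf 'compiled-in default: %s\n' "$(openssl version -d)"
  fi
  for p in /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt \
           /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs; do
    printf '%s: %s\n' "$p" "$(classify_store "$p")"
  done
}

report
```

Dropping the script into buildPhase before the tectonic call (on a copy of the derivation with a bogus outputHash, so the hash mismatch does not matter) shows which variables the sandbox actually exports and whether the bundle is readable from inside it.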