SSL cert or SSH key error on nixos-rebuild switch --upgrade

Hi all -

I’m running NixOS on a Raspberry Pi. When I run nixos-rebuild switch --upgrade, I get:

warning: unable to download 'https://nixos.org/channels/nixos-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 334 ms
warning: unable to download 'https://nixos.org/channels/nixos-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 639 ms
warning: unable to download 'https://nixos.org/channels/nixos-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 1041 ms
warning: unable to download 'https://nixos.org/channels/nixos-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 2023 ms
error: unable to download 'https://nixos.org/channels/nixos-unstable': SSL peer certificate or SSH remote key was not OK (60)

How do I fix this? Do I need to manually import some certificate or SSH key, and if so, where do I find those?


Usually this is caused by the time on the machine being set wrong, causing the certificate verification to fail. Check that first?

Thanks for the response. date returns the correct information though.

Maybe a proxy that breaks the secure connection and injects its own certificate that isn’t trusted?
Does this match your output?

$ openssl s_client -connect nixos.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = nixos.org
verify return:1
---
Certificate chain
 0 s:/CN=nixos.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

There shouldn’t be a proxy or anything. I’m having issues checking since I don’t have the openssl binary on the pi and nix-shell -p openssl doesn’t work since it can’t download the package.

Kind of grasping for straws here, but you could try to find an openssl binary this way:
$ find /nix/store -name openssl -type f -executable
If you never had it installed it’s quite possible that there is none, of course.
Debugging TLS connections without seeing what’s going on is somewhat complicated, of course.
Worst case you could disable the binary cache and build from source. Might take a while, though. I don’t know the exact options to pass to nix-env to accomplish that, maybe someone else knows that?

Fixed. I saw that systemd-timesyncd was failing, so I looked around. It was encountering this issue (Failed to start Network Time Synchronization. · Issue #31540 · NixOS/nixpkgs · GitHub). After removing /var/lib/systemd/timesync and /var/lib/private/systemd/timesync everything appears to be well.
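The two threads of this discussion, the clock being wrong (the first reply) and systemd-timesyncd failing on the Pi (the fix), come together in the certificate's validity window: curl reports error 60 whenever the peer certificate cannot be verified, and a clock that is outside notBefore..notAfter is one of the common causes. The script below is an added example and is not from the original thread or from NixOS. It uses only the Python standard library: ssl.cert_time_to_seconds parses the date strings in the format openssl prints, diagnose_clock tells you whether a given clock reading falls inside a certificate's window, and probe_host performs a verified TLS handshake and reports the verification error text alongside the local clock so the two can be compared. The certificate dictionary in the test is constructed; the host name nixos.org comes from the thread.

```python
import socket
import ssl
import time

# Validity window of a certificate, as POSIX timestamps.
# `cert` is the dict returned by SSLSocket.getpeercert(); its notBefore /
# notAfter fields use the same "Jan  1 00:00:00 2024 GMT" format as openssl.
def validity_window(cert):
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


# Classify a clock reading `now` against the certificate's window.
# A Raspberry Pi has no battery-backed RTC, so if time synchronisation fails
# the clock can sit years in the past; that shows up as "not_yet_valid".
def diagnose_clock(cert, now):
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not_yet_valid"   # clock is behind the certificate's start date
    if now > not_after:
        return "expired"         # clock is ahead of the certificate's end date
    return "ok"


# Do a verified TLS handshake (default system trust store and hostname check).
# Returns ("ok", cert_dict) on success or ("verify_failed", message) when the
# certificate is rejected; the message is what curl would summarise as error 60.
def probe_host(host, port=443, timeout=10):
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ("verify_failed", exc.verify_message)


# Human-readable report combining the handshake result with the local clock,
# so a wrong clock is visible next to the verification error it causes.
def report(host):
    now = time.time()
    status, detail = probe_host(host)
    lines = ["local clock: " + time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))]
    if status == "ok":
        lines.append("certificate for %s verified; clock is %s for its validity window"
                     % (host, diagnose_clock(detail, now)))
    else:
        lines.append("certificate for %s rejected: %s" % (host, detail))
        lines.append("check the clock above (timedatectl / date) and the proxy path "
                     "before importing any certificate by hand")
    return "\n".join(lines)


if __name__ == "__main__":
    # Live check against the host from the thread; requires network access.
    print(report("nixos.org"))
```

On a machine whose clock has fallen back to 1970 the verified handshake fails with a "certificate is not yet valid" message, and the report prints the bad local timestamp directly above it, which is the fastest way to tell a clock problem apart from an intercepting proxy (where the message instead names an unknown issuer).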
