Hi all,
I was debugging an SSL error in a script that I was running via launchd on darwin and eventually figured out that putting `cacert` in the `runtimeInputs` of `writeShellApplication` doesn’t run its setup hook and so doesn’t set `{NIX_,}SSL_CERT_FILE`, making `curl` fail with SSL errors.
Example:
```nix
with import <nixpkgs> { };
writeShellApplication {
  name = "foo.sh";
  runtimeInputs = with pkgs; [
    cacert
    curl
  ];
  text = ''
    curl -I https://nixos.org
  '';
}
```
```console
$ nix-build && env -i ./result/bin/foo.sh
/nix/store/bw0gsbq1k19ahvisbzs4fahg56yxydyf-foo.sh
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
```
The simplest workaround I could think of was:
```nix
with import <nixpkgs> { };
writeShellApplication {
  name = "foo.sh";
  runtimeInputs = with pkgs; [
    curl
  ];
  text = ''
    # shellcheck disable=1091
    source ${cacert}/nix-support/setup-hook
    curl -I https://nixos.org
  '';
}
```
This works, but I thought there may be a more idiomatic approach. Tried a few different permutations of `.overrideAttrs { env.SSL_CERT_FILE = "${cacert}/path/to/cert"; }` without luck.
Is there a better / more obvious way of setting up SSL in trivial builders that I’m overlooking? Thanks in advance for suggestions!
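An added example, not from the original post: the same script with the two variables the `cacert` setup hook would have exported set through `writeShellApplication`'s `runtimeEnv` attribute, so nothing is sourced at run time. It assumes a nixpkgs recent enough to have `runtimeEnv` and the standard `etc/ssl/certs/ca-bundle.crt` path inside `cacert`.

```nix
with import <nixpkgs> { };
writeShellApplication {
  name = "foo.sh";
  runtimeInputs = with pkgs; [ curl ];
  # Export what cacert's setup hook would have exported at build time.
  # runtimeEnv (assumed to exist in this nixpkgs) turns each attribute into
  # an exported shell variable in the generated wrapper before `text` runs.
  runtimeEnv = {
    SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
    NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
  };
  text = ''
    # Fail with a readable message if the bundle is not where we expect,
    # rather than the opaque OpenSSL "unregistered scheme" error from curl.
    if [ ! -r "$SSL_CERT_FILE" ]; then
      echo "CA bundle not readable: $SSL_CERT_FILE" >&2
      exit 1
    fi
    curl -I https://nixos.org
  '';
}
```

Running `env -i ./result/bin/foo.sh` after `nix-build` exercises the same empty-environment case as the failing example above.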