Use a custom TLS/SSL CA in the nixos installer

Today I needed to make the NixOS installer trust a custom root CA (Certificate Authority) for TLS/SSL.

In the end I managed to do it, so I will report the steps here (some of them may be unnecessary), in the hope that this post documents the process and is helpful to others.

These instructions are tailored for users of the graphical NixOS installer. If you’re using the minimal image, you can likely apply these same steps with minor adjustments.

I did it the following way:

  1. Launch the ISO with the NixOS installer. As soon as it boots, the install GUI shows up but immediately complains that it cannot reach the internet (in my case this was because all TLS traffic was being intercepted and re-signed by the custom CA of a network security tool)
  2. Close the install GUI
  3. Obtain the root CA certificate in PEM format (e.g., by exporting it from Firefox's certificate viewer). Save it to a file, e.g., /ca.crt, and check that it really is the root you expect with openssl x509 -in /ca.crt -noout -subject -issuer -dates (for a root CA, subject and issuer are identical). Only do this for a CA you control or whose operator you trust: whoever holds its private key can read and modify every TLS connection the installer, and later the installed system, makes.
  4. Launch a new root shell
  5. In the terminal, run export NIX_SSL_CERT_FILE=/ca.crt and cp /ca.crt /etc/ssl/certs. The environment variable is what the Nix client consults for its own downloads; the copy into /etc/ssl/certs is what I did as well, although Nix does not read that directory on its own.
  6. Add this line to /etc/nix/nix.conf (in the installer this path may be a symlink into the read-only Nix store; replace it with a regular file if you cannot edit it in place):
    ssl-cert-file = /ca.crt
    
    The nix-daemon reads nix.conf when it starts, so if fixed-output downloads still fail after this change, restart it with systemctl restart nix-daemon.
  7. Run the NixOS installer again. This time it should not complain about SSL/TLS errors 👌
  8. Once the installation is complete, you will probably need to trust the CA again in the installed system. To do this:
    • Obtain a copy of the root CA certificate; let's assume you save it again in /ca.crt
    • Edit /etc/nixos/configuration.nix, adding the PEM text of your root CA (the certificate below is only a placeholder):
      security.pki.certificates = [
      # Instead of the example below, insert your root CA certificate
      ''
      -----BEGIN CERTIFICATE-----
      MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
      TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
      ...
      -----END CERTIFICATE-----
      ''
      ];
      
      (security.pki.certificateFiles = [ /path/to/ca.crt ] is the equivalent option if you prefer to reference a file; the file must then be readable at evaluation time.)
    • Open a terminal as root
      • set the CA file (again), because nixos-rebuild has to download from the cache before the new trust store is active: export NIX_SSL_CERT_FILE=/ca.crt
      • rebuild with nixos-rebuild switch (to apply security.pki.certificates)
      • clean up: rm /ca.crt, then unset NIX_SSL_CERT_FILE (export -n NIX_SSL_CERT_FILE is the bash-only way to keep the variable but stop exporting it; unset alone is enough)
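The installer-side steps (NIX_SSL_CERT_FILE, the ssl-cert-file line in nix.conf) and the installed-system fragment (security.pki.certificates) as re-runnable shell functions, added here as an example; this is not code from the original post. It assumes the CA has already been exported as PEM, and all paths (CA file, nix.conf, a temp directory for the demo) are parameters so the functions can be exercised outside the installer. The certificate in the demo is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): the installer-side steps and
# the installed-system fragment as functions that can be re-run safely.
# Assumptions: the CA is already a PEM file; paths are parameters.
set -eu

# Sanity check: the file exists and carries PEM certificate markers.
# (A real parse would use `openssl x509 -in "$ca" -noout -subject`.)
pem_looks_valid() {
  ca="$1"
  [ -f "$ca" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$ca" || return 1
  return 0
}

# Step 5: point the Nix client at the CA for the current shell.
export_nix_ca() {
  ca="$1"
  pem_looks_valid "$ca" || return 1
  NIX_SSL_CERT_FILE="$ca"
  export NIX_SSL_CERT_FILE
}

# Step 6: set `ssl-cert-file = <ca>` in nix.conf exactly once, replacing any
# earlier value. `mv` over the path also replaces a symlink, which matters
# when /etc/nix/nix.conf points into the read-only store in the installer.
set_nix_ssl_cert_file() {
  ca="$1"; conf="$2"
  pem_looks_valid "$ca" || return 1
  mkdir -p "$(dirname "$conf")"
  tmp="$conf.tmp.$$"
  if [ -e "$conf" ]; then
    grep -v '^[[:space:]]*ssl-cert-file[[:space:]]*=' "$conf" > "$tmp" || true
  else
    : > "$tmp"
  fi
  printf 'ssl-cert-file = %s\n' "$ca" >> "$tmp"
  mv "$tmp" "$conf"
}

# Step 8: render a security.pki.certificates fragment for configuration.nix
# from the PEM file. The base64 body contains no quote characters, so it can
# be embedded in a Nix '' string; Nix strips the common indentation.
emit_pki_fragment() {
  ca="$1"
  pem_looks_valid "$ca" || return 1
  printf '%s\n' 'security.pki.certificates = ['
  printf '%s\n' "  ''"
  sed 's/^/    /' "$ca"
  printf '%s\n' "  ''"
  printf '%s\n' '];'
}

# Demo on a constructed placeholder (not a real certificate) in a temp dir.
# Prints the generated files and, on the last line, the temp dir used.
demo_run() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBxDCCAW6gAwIBAgIUPLACEHOLDERPLACEHOLDERPLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$dir/ca.crt"
  export_nix_ca "$dir/ca.crt"
  set_nix_ssl_cert_file "$dir/ca.crt" "$dir/nix.conf"
  set_nix_ssl_cert_file "$dir/ca.crt" "$dir/nix.conf"   # second run: no duplicate line
  cat "$dir/nix.conf"
  emit_pki_fragment "$dir/ca.crt"
  printf '%s\n' "$dir"
}

if [ "${1:-}" = "demo" ]; then
  demo_run
fi
```

Source the file and call the functions with real paths in the installer (`set_nix_ssl_cert_file /ca.crt /etc/nix/nix.conf`), or run it with `demo` to see the generated nix.conf and configuration fragment on the placeholder certificate. The pieces are written so that re-running them never leaves a second ssl-cert-file line behind.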