Use self-signed certificates for flake input repo

I have some git repos hosted via cgit in LAN and use a self-signed certificate for https. I want to add a local git repo in flake inputs in NixOS configuration.

However, adding it directly will cause the error OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme as the certificate is not trusted. I know git supports setting GIT_SSL_CAINFO for root CA but is there a way to do it in a flake?

Thanks

Did you try adding this to your system configuration?

security.pki.certificates = [
  ''
    -----BEGIN CERTIFICATE-----
    ... your cert etc.
    -----END CERTIFICATE-----
  ''
];

This will add your self-signed cert to be trusted, if I recall correctly. I switched to Let’s Encrypt so I’ve not done this in a bit.

I didn’t do that because I don’t want to trust the cert globally in my system for security reasons. I only want to trust it when I am cloning the repo.

My repo is hosted locally without a public domain, so Let’s Encrypt is not an option for me either.

You could specify the custom CA in ssl-cert-file.

Bit of a tangent, but you can issue wildcard certificates through Let’s Encrypt if you don’t want the domain to be visible in issuance logs. My domain has a subdomain (srv.domain.tld) for which I am using a wildcard cert. All services are using domain names like git.srv.domain.tld.

The ssl-cert-file seems to overwrite the default certificates, which makes it unable to download from other sources over https. Besides, it is difficult to set up, as /etc/nix/nix.conf is managed by the NixOS configuration and it couldn’t be set up when deploying on a new machine.

The file is meant to store a CA cert bundle, so you can append yours to the existing ones.

For the deployment scenario you can use an env var or a nix command switch.

It seems that I need to copy the system CA cert bundle first, append my own cert and store it, especially when I need to use an env var or nix command switch, as I can’t specify a nix store path with the cert.
Then it causes another problem where I need to keep it up to date, as the system cert bundle may get updated.

Rolling one’s own CA comes at a TCO price pretty much by definition. Still easier than becoming a public CA :slight_smile:

I used to do it (way before the days of Let’s Encrypt having the wildcards), but now that there’s an easy button out there, I wouldn’t do it again except for the learning experience.

If you want to make the bundle dynamic, you can write a tiny derivation that produces a cert bundle with your certificate appended to it and use it during the initial install.

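As an added illustration of the derivation approach suggested above (not code from the thread’s participants): a NixOS module fragment that builds a bundle from the current pkgs.cacert plus a local CA certificate and points only Nix at it, so the system-wide trust store stays untouched. The path ./internal-ca.crt is an assumed placeholder.

```nix
{ config, pkgs, lib, ... }:

let
  # Assumed placeholder: the public certificate of the internal CA, kept next
  # to the configuration. Only the certificate belongs here, never the key.
  internalCa = ./internal-ca.crt;

  # Build a bundle from pkgs.cacert plus the internal CA. Because the
  # derivation reads pkgs.cacert at build time, the bundle follows upstream
  # CA updates on every rebuild instead of going stale like a hand-copied file.
  nixCaBundle = pkgs.runCommand "nix-ca-bundle" { } ''
    cat ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${internalCa} > $out

    # Sanity check: fail the build if the result is not a parseable PEM bundle,
    # so a broken cert file cannot silently disable TLS fetches.
    ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile $out \
      | ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -noout > /dev/null
  '';
in
{
  # Scope the extra trust to Nix fetchers (flake inputs, fetchurl, ...).
  # Unlike security.pki.certificates this does not make the internal CA
  # trusted by browsers, curl or any other program on the host.
  nix.settings.ssl-cert-file = "${nixCaBundle}";
}
```

On a fresh machine, before this configuration has been built once, the same bundle file can be supplied out of band via NIX_SSL_CERT_FILE or the --option ssl-cert-file switch, as mentioned earlier in the thread.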

Yeah, you are right. I don’t own any public domain names, so it doesn’t make much sense to buy one just for internal use (also it is usually longer than a private domain name). Probably I should just go with plain HTTP instead of HTTPS, as it’s hard to do it using flakes.

I can write a derivation to bundle it, but how can I do it during the initial install of another machine, before I can build the system derivation? My whole NixOS configuration will depend on the certificate, which is a cyclic dependency.

Multiple options: out of band file copy, build a custom installer.

If we backtrack on the question, though, there are more alternatives:

  • not using http(s) for inputs at all; there are alternatives
  • not having the target machine pull anything: deploy using remote nixos-rebuild with --target-host or something like deploy-rs

I see. Thanks for the above suggestions.

Looks like there’s really no easy and straightforward way to trust a self-signed certificate for flake inputs currently. There are alternative ways, but all have their own problems.