X509: certificate signed by unknown authority

I’m running the nixos navidrome module, that mostly works. However, Navidrome is supposed to be able to fetch some metadata from last.fm, but it doesn’t work for me. Instead, this error shows up in the logs : x509: certificate signed by unknown authority. I have no idea what could be causing this. Navidrome runs behind a reverse proxy with SSL activated. Could this be an nginx misconfiguration ? I leave here my nginx configuration :

services.nginx.virtualHosts."music.mydomain" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString port}";

Thanks in advance

I assume navidrome is the service hosted under music.mydomain? Can you share the exact logs? Have you tried running curl against the domain manually, just to check if it’s your CA config or time being out of sync somehow?

The service is hardened to only have access to /nix/store and the music directory. I guess this fails because it can’t read the root certificates file.

Try adding this to the configuration:

systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];

It had indeed something to do with the service being hardened, thanks !

Uhm, If that worked you should open an issue and ping the maintainer.