X509: certificate signed by unknown authority

Hello,
I’m running the NixOS navidrome module, which mostly works. However, Navidrome is supposed to be able to fetch some metadata from last.fm, but it doesn’t work for me. Instead, this error shows up in the logs: x509: certificate signed by unknown authority. I have no idea what could be causing this. Navidrome runs behind a reverse proxy with SSL activated. Could this be an nginx misconfiguration? Here is my nginx configuration:

services.nginx.virtualHosts."music.mydomain" = {
  forceSSL = true;
  enableACME = true;
  locations."/" = {
    proxyPass = "http://localhost:${toString port}";
  };
};

Thanks in advance

I assume navidrome is the service hosted under music.mydomain? Can you share the exact logs? Have you tried running curl against the domain manually, just to check if it’s your CA config or time being out of sync somehow?

The service is hardened to only have access to /nix/store and the music directory. I guess this fails because it can’t read the root certificates file.

Try adding this to the configuration:

systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];

It did indeed have something to do with the service being hardened, thanks!

Uhm, if that worked, you should open an issue and ping the maintainer.
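
Why a hidden /etc/ssl/certs produces this exact message, as an added example that is not part of the original thread: Navidrome is a Go program, and Go's crypto/x509 returns this error when it cannot anchor a certificate chain in its trust store. The host names and the CA are constructed for the demonstration, and the empty pool is an assumption standing in for the root certificates the sandboxed service could not read.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // constructed names, not real hosts
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  parent == nil, // nil parent: self-signed test CA
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert
}

// VerifyBothWays validates one leaf against an empty trust store (the sandboxed view) and one holding its CA.
func VerifyBothWays() (hidden, visible error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("ca.example.test", x509.KeyUsageCertSign, nil, caPub, caKey)
	leaf := issue("api.example.test", x509.KeyUsageDigitalSignature, ca, leafPub, caKey)
	empty, trusted := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca)
	_, hidden = leaf.Verify(x509.VerifyOptions{Roots: empty, DNSName: "api.example.test"})
	_, visible = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "api.example.test"})
	return hidden, visible
}

func main() {
	fmt.Println(VerifyBothWays())
}
```

The certificate and its chain are identical in both calls; only the contents of the trust store differ, which is why exposing the root certificates to the service clears the error without touching nginx.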