Nix develop shell not using custom TSL certificates

@secana · 26 days ago

Nix develop shell not using custom TSL certificates

@secana · 25 days ago

Sure. I import the certificates like this:

{ config, pkgs, inputs, ... }:
{
  security.pki.certificateFiles = [
    ./certificates/home.pem
  ];
}

where home.pem is a default PEM formatted certificate. It works fine to import the cert system wide this way.

If I enter the flake.nix and run a simple curl against the remote server I get the following, which is typical for a TLS certificate error.

curl https://webpage.home
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme

So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.

@onlinepersona · edit-2 25 days ago

So the certs end up in these files:

/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-bundle.crt
/ etc/pki/tls/certs/ca-bundle.crt

Only the first one is mentioned on stackoverflow as being used by Go on debian.

Curl seems to have its default location compiled in by passing --with-ca-bundle ~~, but after installing curlFull and running curl-config --ca, it doesn’t look like that was used and the “default” path is guessed.~~

Looking further in the curl derivation there are these lines for darwin :

lib.optionals stdenv.isDarwin [
      # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
      # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
      "--without-ca-bundle"
      "--without-ca-path"
    ]

So, check the value of NIX_SSL_CERT_FILE outside nix shell and within. The path might have to be set there. I dunno how to do that automatically with nix shell, so it might have to be done manually.

Anti Commercial-AI license

@secana · 24 days ago

Thanks, I’ll try that!