Hi!

I’ve ran into an issue with nix develop shells.

My setup:

  • Nix Darwin (macos)
  • Custom TLS certificates installed via nix darwin

Everything works as expected with the installed certificates, but as soon as I enter into a development shell with nix develop, the certificates are not available and thus, I get TLS errors that break whatever I’m doing in the dev shell. If I use an impure development shell, the issue disappears.

Is there a way to use pure nix develop shells which respect the installed certificates?

  • onlinepersona
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    3 months ago

    Could you provide more information? Snippets of the config that are relevant e.g custom TLS certs config, what does the flake look like, self-signed TLS certs? What exactly is breaking? curl https://localhost:8080/something ?

    Have you compared the environment variables?

    Anti Commercial-AI license

    • secanaOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Sure. I import the certificates like this:

      { config, pkgs, inputs, ... }:
      {
        security.pki.certificateFiles = [
          ./certificates/home.pem
        ];
      }
      

      where home.pem is a default PEM formatted certificate. It works fine to import the cert system wide this way.

      If I enter the flake.nix and run a simple curl against the remote server I get the following, which is typical for a TLS certificate error.

      curl https://webpage.home
      curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
      

      So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.

      • onlinepersona
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        3 months ago

        So the certs end up in these files:

        • /etc/ssl/certs/ca-certificates.crt
        • /etc/ssl/certs/ca-bundle.crt
        • / etc/pki/tls/certs/ca-bundle.crt

        Only the first one is mentioned on stackoverflow as being used by Go on debian.

        Curl seems to have its default location compiled in by passing --with-ca-bundle , but after installing curlFull and running curl-config --ca, it doesn’t look like that was used and the “default” path is guessed.

        Looking further in the curl derivation there are these lines for darwin :

        lib.optionals stdenv.isDarwin [
              # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
              # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
              "--without-ca-bundle"
              "--without-ca-path"
            ]
        

        So, check the value of NIX_SSL_CERT_FILE outside nix shell and within. The path might have to be set there. I dunno how to do that automatically with nix shell, so it might have to be done manually.

        Anti Commercial-AI license