this post was submitted on 18 Aug 2024

Nix / NixOS


Hi!

I've run into an issue with nix develop shells.

My setup:

  • Nix Darwin (macOS)
  • Custom TLS certificates installed via nix darwin

Everything works as expected with the installed certificates, but as soon as I enter into a development shell with nix develop, the certificates are not available and thus, I get TLS errors that break whatever I'm doing in the dev shell. If I use an impure development shell, the issue disappears.

Is there a way to use pure nix develop shells which respect the installed certificates?

[–] onlinepersona 2 points 3 months ago* (last edited 3 months ago) (1 children)

So the certs end up in these files:

  • /etc/ssl/certs/ca-certificates.crt
  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/tls/certs/ca-bundle.crt

Only the first one is mentioned on stackoverflow as being used by Go on debian.

Curl seems to have its default location compiled in by passing --with-ca-bundle ~~, but after installing curlFull and running curl-config --ca, it doesn't look like that was used and the "default" path is guessed.~~

Looking further in the curl derivation there are these lines for darwin :

```nix
lib.optionals stdenv.isDarwin [
  # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
  # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
  "--without-ca-bundle"
  "--without-ca-path"
]
```

So, check the value of NIX_SSL_CERT_FILE outside nix shell and within. The path might have to be set there. I dunno how to do that automatically with nix shell, so it might have to be done manually.

Anti Commercial-AI license
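One way to turn the "check NIX_SSL_CERT_FILE outside and inside the shell, and set it if needed" advice above into something a devShell can run on entry. This is an added example, not code from the thread or from nixpkgs: the candidate bundle paths are the four files named in the comment above (the three nix-darwin locations plus /etc/ssl/cert.pem from the curl derivation comment), while the helper names, the `CA_CANDIDATES` variable and the `apply` argument are this example's own. It accepts an existing `NIX_SSL_CERT_FILE` only if it points at a readable file, otherwise falls back to the first candidate that exists, refuses a bundle that contains no PEM certificate, and then exports the variables the common clients read (`NIX_SSL_CERT_FILE` for the nixpkgs curl shown above, `SSL_CERT_FILE` for OpenSSL-based tools, `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO`, `REQUESTS_CA_BUNDLE`). Whatever file these point at becomes a trust anchor for every TLS client in the shell, so keep the candidate list to bundles you manage (the nix-darwin ones), not to a file inside a writable checkout.

```shell
#!/bin/sh
# Added example, not from the thread: resolve and export a usable CA bundle
# for a nix develop shell. Candidate paths are the ones named in the thread;
# the helper names and CA_CANDIDATES are this example's own choices.

# Bundle locations, in order of preference. The first three are the files the
# comment above says nix-darwin writes the certificates to; /etc/ssl/cert.pem
# is the macOS path mentioned in the curl derivation comment.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt \
/etc/ssl/certs/ca-bundle.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/cert.pem"

# resolve_ca_bundle CURRENT CANDIDATE...
# Prints CURRENT if it names a readable file (the shell already has a valid
# setting), otherwise the first readable candidate. Prints nothing and returns
# 1 when none exists, so a missing bundle is an explicit error at shell entry
# rather than a TLS failure minutes later.
resolve_ca_bundle() {
    current=$1
    shift
    if [ -n "$current" ] && [ -r "$current" ]; then
        printf '%s\n' "$current"
        return 0
    fi
    for cand in "$@"; do
        if [ -r "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# bundle_has_certs FILE
# Returns 0 if FILE holds at least one PEM certificate. An empty or truncated
# bundle would pass the readability check and still break every TLS handshake.
bundle_has_certs() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# export_ca_env FILE
# Exports the variables the usual clients consult: NIX_SSL_CERT_FILE is what
# the nixpkgs curl shown above is built to honour; SSL_CERT_FILE is read by
# OpenSSL-based tools; the rest are curl's, git's and Python requests' own
# overrides.
export_ca_env() {
    export NIX_SSL_CERT_FILE="$1"
    export SSL_CERT_FILE="$1"
    export CURL_CA_BUNDLE="$1"
    export GIT_SSL_CAINFO="$1"
    export REQUESTS_CA_BUNDLE="$1"
}

# setup_dev_shell_certs
# Entry point to call from a devShell's shellHook. Returns 1 and exports
# nothing if no usable bundle is found, so the caller decides whether a shell
# without working TLS is acceptable.
setup_dev_shell_certs() {
    # Word-splitting of CA_CANDIDATES into separate arguments is intended.
    bundle=$(resolve_ca_bundle "${NIX_SSL_CERT_FILE:-}" $CA_CANDIDATES) || return 1
    bundle_has_certs "$bundle" || return 1
    export_ca_env "$bundle"
    printf 'Using CA bundle: %s\n' "$bundle" >&2
}

# Only act when run directly as "sh certs.sh apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "apply" ]; then
    setup_dev_shell_certs || echo "no usable CA bundle found" >&2
fi
```

Source the file from the devShell's `shellHook` (for a nixpkgs `mkShell`, something like `shellHook = ''. ${./certs.sh}; setup_dev_shell_certs'';`, path name assumed) so the exports happen inside the new shell rather than in the parent environment that a pure shell does not carry over. Comparing the value of `NIX_SSL_CERT_FILE` printed by this hook with `echo $NIX_SSL_CERT_FILE` outside the shell is the check the comment above asks for.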

[–] secana 2 points 3 months ago

Thanks, I'll try that!