
curl https://nixos.org/nix/install | sh ignores nix NIX_SSL_CERT_FILE #2558

Open
makefu opened this issue Nov 27, 2018 · 9 comments

Comments

@makefu

makefu commented Nov 27, 2018

Problem Description

When trying to set NIX_SSL_CERT_FILE for the installation I encountered "Peer certificate cannot be authenticated with given CA certificates (60)" even though I had manually set the path to my custom certificate bundle.

I encountered the issue because it seems like the old openssl version installed on CentOS 7 validates certificates a bit differently than the one used by nix, which resulted in the cacert file working for the curl | sh call but not afterwards for running nix-channel.

Cause

The install script sources $nix/etc/profile.d/nix.sh ( https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh#L123 ) just before calling nix-channel --update. nix.sh in turn will almost certainly override NIX_SSL_CERT_FILE when it is able to find another cert file in one of the distribution default directories ( https://github.com/NixOS/nix/blob/master/scripts/nix-profile.sh.in#L63-L76 ).

This will also result in a branch where the nix-provided cert file would be installed (almost) never being encountered ( https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh#L131-L134 ).

Possible solution

Check for NIX_SSL_CERT_FILE to be set in nix.sh before overriding it.

Related IRC logs: https://logs.nix.samueldr.com/nixos/2018-11-27#1543340933-1543343464
Related PR which added support for NIX_SSL_CERT_FILE: #2181
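As an added example (not code from the nix installer, and not written by the issue author), the POSIX shell below models the two behaviours the report contrasts: a resolver that unconditionally scans distro-default bundle locations, which is what the report says nix.sh does, and one that first honours an operator-set NIX_SSL_CERT_FILE, which is the proposed fix. The candidate path list, the function names and the scratch-directory layout in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the nix installer or from this issue's author.
# Models the behaviour the report describes (always scan distro bundle paths)
# next to the proposed fix (honour a pre-set NIX_SSL_CERT_FILE). The
# candidate list and function names are assumptions, not the installer's.

# Distro bundle locations to scan, in order. Illustrative, and overridable via
# the environment so the functions can be exercised offline against a
# scratch directory.
NIX_CERT_CANDIDATES="${NIX_CERT_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/ssl/ca-bundle.pem /etc/ssl/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt}"

# Behaviour as described in the report: return the first candidate that
# exists, regardless of what the operator already set.
resolve_cert_file_as_described() {
    for candidate in $NIX_CERT_CANDIDATES; do
        if [ -e "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Proposed behaviour: a non-empty NIX_SSL_CERT_FILE wins. If it is not
# readable, warn on stderr but still return it: silently substituting a distro
# bundle that lacks the operator's CA is exactly the failure mode reported.
resolve_cert_file_proposed() {
    if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then
        if [ ! -r "$NIX_SSL_CERT_FILE" ]; then
            printf 'warning: NIX_SSL_CERT_FILE=%s is not readable\n' "$NIX_SSL_CERT_FILE" >&2
        fi
        printf '%s\n' "$NIX_SSL_CERT_FILE"
        return 0
    fi
    resolve_cert_file_as_described
}

# Demo: constructed CentOS-7-like layout in a scratch directory. The distro
# bundle exists, and the operator points NIX_SSL_CERT_FILE at a custom one.
demo() {
    demo_root=$(mktemp -d)
    printf '# constructed: distro CA bundle\n' > "$demo_root/ca-bundle.crt"
    printf '# constructed: corporate CA bundle\n' > "$demo_root/corp-ca.pem"
    NIX_CERT_CANDIDATES="$demo_root/ca-certificates.crt $demo_root/ca-bundle.crt"
    NIX_SSL_CERT_FILE="$demo_root/corp-ca.pem"
    echo "as described: $(resolve_cert_file_as_described)"   # distro bundle; operator's choice lost
    echo "proposed:     $(resolve_cert_file_proposed)"       # corp-ca.pem kept
    rm -rf "$demo_root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh resolve.sh demo` to see the two outcomes side by side. The deliberate design choice in the proposed variant is to never silently replace an explicit operator setting: a missing or unreadable bundle is reported loudly, because falling back to a default bundle that does not contain the corporate CA reproduces the curl error 60 from the report at the nix-channel step.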

@mogorman
Contributor

mogorman commented Mar 10, 2019

adding cacert to my default.nix solved my problem.

@makefu
Author

makefu commented Mar 10, 2019

@mogorman to which default.nix exactly? When running curl | sh I do not see an entry point to update any sources.

@mogorman
Contributor

Sorry makefu. I was experiencing the same error inside of a nix-shell --pure, so I thought it was related. My problem was resolved by adding cacert into the closure.

@makefu
Author

makefu commented Mar 11, 2019

Ah okay! Good to know 👍

@stale

stale bot commented Feb 14, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Feb 14, 2021
@makefu
Author

makefu commented Feb 14, 2021

Haven't tested with the latest installer, but definitely still relevant for me.

@stale stale bot removed the stale label Feb 14, 2021
@stale

stale bot commented Aug 13, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Aug 13, 2021
@makefu
Author

makefu commented Aug 16, 2021

Can anyone confirm everything now works as expected? I will be able to test in 2 weeks at the earliest.
Still relevant for me, obviously.

@stale stale bot removed the stale label Aug 16, 2021
@stale

stale bot commented Apr 17, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Apr 17, 2022