curl https://nixos.org/nix/install | sh ignores nix NIX_SSL_CERT_FILE #2558
Comments
Adding cacert to my default.nix solved my problem.
@mogorman to which
Sorry makefu. I was experiencing same error issue inside of a nix-shell --pure so I thought it was related. My problem was resolved by adding cacert into the closure.
Ah okay! Good to know 👍
I marked this as stale due to inactivity.
Haven't tested with latest installer but definitely still relevant for me.
I marked this as stale due to inactivity.
Can anyone confirm everything now works as expected? I will be able to test earliest in 2 weeks.
I marked this as stale due to inactivity.
Problem Description
When trying to set NIX_SSL_CERT_FILE for the installation I encountered "Peer certificate cannot be authenticated with given CA certificates (60)" even though I had manually set the path to my custom certificate bundle.
I encountered the issue because it seems like the old openssl version installed on CentOS7 validates certificates a bit differently than the one used by nix, which resulted in the cacert file working for the curl | sh call but not afterwards for running nix-channel.
Cause
The install script sources $nix/etc/profile.d/nix.sh (https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh#L123) just before calling nix-channel --update. nix.sh env in turn will almost certainly override NIX_SSL_CERT_FILE when it is able to find another cert file in one of the distribution default directories (https://github.com/NixOS/nix/blob/master/scripts/nix-profile.sh.in#L63-L76).
This will also result in a branch where the nix-provided cert file would be installed to (almost) never be encountered (https://github.com/NixOS/nix/blob/master/scripts/install-nix-from-closure.sh#L131-L134).
Possible solution
Check for NIX_SSL_CERT_FILE to be set in nix.sh before overriding it.
Related IRC logs: https://logs.nix.samueldr.com/nixos/2018-11-27#1543340933-1543343464
Related PR which added support for NIX_SSL_CERT_FILE: #2181
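
The check proposed under "Possible solution", sketched as an added example that is not the Nix project's own script: the function names and the candidate paths are assumptions, and the temporary files are constructed stand-ins for certificate bundles.

```shell
#!/bin/sh
# Added example, not code from nix.sh. Names and paths are hypothetical.

# Print the first existing file among the arguments; fail if none exists.
first_existing() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Behaviour the issue describes: any distribution bundle that is found wins,
# so a NIX_SSL_CERT_FILE set beforehand is silently replaced.
pick_cert_overriding() {
    first_existing "$@" || printf '%s\n' "${NIX_SSL_CERT_FILE:-}"
}

# Proposed behaviour: a non-empty NIX_SSL_CERT_FILE is kept as-is and the
# distribution defaults are probed only when it is unset or empty.
pick_cert_respecting() {
    if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then
        # Warn instead of falling back, so the trust store never changes silently.
        if [ ! -r "$NIX_SSL_CERT_FILE" ]; then
            echo "warning: NIX_SSL_CERT_FILE=$NIX_SSL_CERT_FILE is not readable" >&2
        fi
        printf '%s\n' "$NIX_SSL_CERT_FILE"
    else
        first_existing "$@"
    fi
}

# Constructed demo: one file plays the distribution default, one the custom bundle.
demo() (
    tmp=$(mktemp -d) || exit 1
    : > "$tmp/distro-bundle.crt"
    : > "$tmp/custom-bundle.crt"
    NIX_SSL_CERT_FILE="$tmp/custom-bundle.crt"
    echo "overriding: $(pick_cert_overriding "$tmp/distro-bundle.crt")"
    echo "respecting: $(pick_cert_respecting "$tmp/distro-bundle.crt")"
    rm -rf "$tmp"
)
demo
```

To see which bundle a session actually ended up with, compare the value of NIX_SSL_CERT_FILE before and after sourcing the profile script.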