Fix the nix-daemon Mac OS SSL CA cert #4023

Merged
merged 1 commit into from Sep 21, 2020

maljub01 commented Sep 16, 2020

Mac OS multi-user installations are currently broken because all requests
made by nix-daemon to the binary cache fail with:

```
unable to download ... Problem with the SSL CA cert (path? access rights?) (77).
```

This change ensures that the nix-daemon knows where to find the SSL CA cert file.

Fixes #2899 and #3261.

@@ -4,6 +4,8 @@
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>NIX_SSL_CERT_FILE</key>
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
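Review bot: The `<string>` value hardcodes the default-profile bundle path, and nothing next to `<key>NIX_SSL_CERT_FILE</key>` says why the variable is set or that the file has to exist when the daemon is started. Add an XML comment above the key stating that requirement, and consider having the installer confirm the bundle is present at that path before this plist is loaded, since a missing file there leaves the daemon with the same CA cert error the description quotes.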

matthewbauer Sep 17, 2020 Member

When NIX_SSL_CERT_FILE is unset, Nix should default to this:

```
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
```

see also 847f19a

maljub01 Sep 18, 2020 Author Contributor

Interesting. Something very weird must be going on then. Perhaps it was restarting the daemon rather than this setting that fixed it for me. I removed the environment variable and the daemon is still working ok.

Is it possible that the daemon is unable to access the certificate the first time it is started for some reason? Since it's clear from the other reports that I'm not the only one who had this problem with a fresh installation of Nix.

edolstra Sep 21, 2020 Member

That's a good point. caFile is set only once, when the daemon starts, so if the CA bundle is installed afterwards, the daemon needs to be restarted.

@edolstra edolstra merged commit 18eb077 into NixOS:master Sep 21, 2020

edolstra commented Sep 21, 2020

Thanks. I've merged this since it seems the easiest way to make the daemon behave predictably.
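
The lookup discussed in this thread, as an added diagnostic that is not part of the pull request or of Nix: it reports which CA file a process would pick and whether that file is usable. It assumes the first existing candidate path wins; the `root` argument is a hypothetical prefix used only to run the lookup against a test tree.

```shell
#!/bin/sh
# Added diagnostic, not Nix code. Mirrors the CA file lookup described in the thread.

# Candidate paths from the review comment, in the same order.
NIX_CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"

# resolve_ca_file [root]
# Prints NIX_SSL_CERT_FILE if set, otherwise the first candidate that exists
# (assumption: first match wins). Returns 1 when nothing is found.
# `root` is a hypothetical prefix so the lookup can run against a test tree.
resolve_ca_file() {
    root="${1:-}"
    if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$NIX_SSL_CERT_FILE"
        return 0
    fi
    for fn in $NIX_CA_CANDIDATES; do   # paths contain no whitespace
        if [ -e "$root$fn" ]; then
            printf '%s\n' "$fn"
            return 0
        fi
    done
    return 1
}

# ca_file_status <path>
# Separates the cases the error message lumps together ("path? access rights?").
ca_file_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -r "$1" ]; then echo unreadable
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo no-certs
    else echo ok
    fi
}

# Report for this machine. A daemon that ran the lookup before the bundle was
# installed keeps its earlier (empty) result until it is restarted.
if ca=$(resolve_ca_file); then
    echo "CA file: $ca ($(ca_file_status "$ca"))"
else
    echo "no CA file found; a daemon started now would have none"
fi
```

Run it as the user the daemon runs as, since the readability check applies to the caller.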
