Unable to fetch Rust/Cargo dependencies through TLS-intercepting proxy #89526

Closed
makefu opened this issue Jun 5, 2020 · 16 comments

Comments

@makefu
Contributor

makefu commented Jun 5, 2020

Describe the bug
Nix is able to fetch source dependencies from GitHub and other URLs, but building a Rust package fails when Rust is trying to fetch the Cargo dependencies.
CURL_CA_BUNDLE, GIT_SSL_CAINFO and SSL_CERT_FILE contain paths to the certificate chain of the intercepting proxy.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a TLS-intercepting proxy (or work in a company which uses this tech)
  2. Set CURL_CA_BUNDLE, GIT_SSL_CAINFO and SSL_CERT_FILE to /etc/ssl/certs/ca-bundle.crt
  3. security.pki.certificates = [ (lib.readFile ./intercepting-proxy.pem) ];
  4. Build a Rust package which is not cached by cache.nixos.org, e.g. this derivation: https://git.ingolf-wagner.de/palo/nixos-config/src/master/pkgs/navi/default.nix

Expected behavior
The package is built from source and can be used in configuration

Screenshots

building '/nix/store/dsi88ymq5wbm5ds86xxxnahkl1gk6p0f-navi-2.1.1-vendor.tar.gz.drv'...
unpacking sources
unpacking source archive /nix/store/4xhyh64vhlxxkfwpl7zbr1wcj0yxqafx-source
source root is source
patching sources
building
Updating crates.io index
warning: spurious network error (2 tries remaining): [56] Failure when receiving data from the peer; class=Net (12)
warning: spurious network error (1 tries remaining): [56] Failure when receiving data from the peer; class=Net (12)
error: failed to sync

Caused by:
failed to load pkg lockfile

Caused by:
failed to fetch https://github.com/rust-lang/crates.io-index

Caused by:
[56] Failure when receiving data from the peer; class=Net (12)

Additional context
Add any other context about the problem here.

Notify maintainers
@Ericson2314 @bhipple

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.4.35, NixOS, 20.09pre-git (Nightingale)
  • multi-user?: no
    • sandbox: yes
  • version: nix-env (Nix) 2.3.4
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: 
- rustplatform.buildRustPackage
@makefu makefu added 0.kind: bug Something is broken 6.topic: rust labels Jun 5, 2020
@Mic92
Member

Mic92 commented Jun 5, 2020

Related to #82496

@stale

stale bot commented Dec 2, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 2, 2020
@makefu
Contributor Author

makefu commented Dec 4, 2020

still an issue for me!

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 4, 2020
@stale

stale bot commented Jun 2, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2021
@makefu
Contributor Author

makefu commented Jun 3, 2021

still an issue for me

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 3, 2021
@makefu
Contributor Author

makefu commented Oct 28, 2021

Hey all, I may be alone with this issue but I still do not have a good solution for it. Overriding either cacert or cargo is no option for me as this means the system will essentially build everything from scratch.
Does anyone have a solution (e.g. overriding only the Rust environment or something)?
Cheers!

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/cannot-fetch-rust-cargo-packages-through-intercepting-proxy/15726/1

@ghost

ghost commented Oct 28, 2021

If I am understanding this issue correctly, it seems like buildRustPackage needs to allow consumers to disable the TLS chain overriding that happens here:

postInstall = ''
  # NOTE: We override the `http.cainfo` option usually specified in
  # `.cargo/config`. This is an issue when users want to specify
  # their own certificate chain as environment variables take
  # precedence
  wrapProgram "$out/bin/cargo" \
    --suffix PATH : "${rustc}/bin" \
    --set CARGO_HTTP_CAINFO "${cacert}/etc/ssl/certs/ca-bundle.crt" \
    --set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"
'';

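The precedence problem quoted above can be reproduced without Nix. This is an added example, not code from nixpkgs: the two wrapper texts are constructed to mimic what makeWrapper emits for `--set` (an unconditional `export VAR='value'`) and for `--set-default` (`export VAR="${VAR-value}"`), the store path is a placeholder, and the cargo stub only reports which CA file it was handed.

```shell
#!/bin/sh
# Added example: show why the user's CARGO_HTTP_CAINFO is clobbered by a
# wrapper generated with `--set`, but survives one generated with `--set-default`.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stub standing in for $out/bin/.cargo-wrapped: print the CA file it would use.
cat > "$WORK/.cargo-wrapped" <<'EOF'
#!/bin/sh
printf '%s\n' "${CARGO_HTTP_CAINFO:-<unset>}"
EOF
chmod +x "$WORK/.cargo-wrapped"

# Placeholder for ${cacert}/etc/ssl/certs/ca-bundle.crt in the Nix store.
STORE_BUNDLE='/nix/store/PLACEHOLDER-nss-cacert/etc/ssl/certs/ca-bundle.crt'

# Wrapper text mimicking makeWrapper `--set` (the behaviour quoted from buildRustPackage).
cat > "$WORK/cargo-set" <<EOF
#!/bin/sh
export CARGO_HTTP_CAINFO='$STORE_BUNDLE'
exec "$WORK/.cargo-wrapped" "\$@"
EOF

# Wrapper text mimicking makeWrapper `--set-default`: keeps a value already exported.
cat > "$WORK/cargo-set-default" <<EOF
#!/bin/sh
export CARGO_HTTP_CAINFO="\${CARGO_HTTP_CAINFO-$STORE_BUNDLE}"
exec "$WORK/.cargo-wrapped" "\$@"
EOF
chmod +x "$WORK/cargo-set" "$WORK/cargo-set-default"

# effective_cainfo WRAPPER USER_BUNDLE: run WRAPPER with the user's CA bundle
# exported (as the reporter did) and return the path cargo actually sees.
effective_cainfo() {
  CARGO_HTTP_CAINFO="$2" "$1"
}

# The user's bundle is the one that contains the intercepting proxy's CA.
USER_BUNDLE=/etc/ssl/certs/ca-bundle.crt
echo "--set:         $(effective_cainfo "$WORK/cargo-set" "$USER_BUNDLE")"
echo "--set-default: $(effective_cainfo "$WORK/cargo-set-default" "$USER_BUNDLE")"
```

With `--set` the wrapper hands cargo the store bundle regardless of what was exported, which is exactly why the proxy CA placed in SSL_CERT_FILE never reaches the crates.io fetch.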
@makefu
Contributor Author

makefu commented Oct 28, 2021

@efx is there any chance to override just the cargo rust is using for fetching packages with a provided cacert package?

Today i tried to install https://github.com/Mic92/nur-packages/blob/master/pkgs/vaultwarden_ldap/default.nix behind the intercepting proxy

@Mic92
Member

Mic92 commented Oct 31, 2021

@makefu I think you found the solution in the end, right?

@makefu
Contributor Author

makefu commented Oct 31, 2021

@Mic92 right, I somehow found a solution for the proxying issue; however, the intercepting proxy is also messing with the source files when building from source. For reference, this is the solution I came up with:

let
  fetchCargoTarball = rustPlatform.fetchCargoTarball.override { cargo = cargo.override { cacert = my-cacert;}; };
in
(rustPlatform.buildRustPackage.override { inherit fetchCargoTarball;  }) rec {
...

This will result in a rebuild of the rustPlatform with the injected cacert file. However, it would be great if this were not necessary in the first place and cargo would honor the ca-bundle set via SSL_CERT_FILE.

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/cannot-fetch-rust-cargo-packages-through-intercepting-proxy/15726/3

@stale

stale bot commented Apr 30, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 30, 2022
@linsui
Contributor

linsui commented Jan 12, 2023

An easier workaround which doesn't rebuild cargo:

  buildRustPackage = rustPlatform.buildRustPackage.override {
    fetchCargoTarball = rustPlatform.fetchCargoTarball.override {
      cargo = writeShellScriptBin "cargo" ''
        export CARGO_HTTP_CAINFO="${cacert}/etc/ssl/certs/ca-bundle.crt"
        export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
        ${cargo}/bin/.cargo-wrapped "$@"
      '';
    };
  };

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 12, 2023
@zowoq
Contributor

zowoq commented Jan 31, 2023

Should be resolved by #210366
