Hi!
I’ve run into an issue with `nix develop` shells.
My setup:
- Nix Darwin (macOS)
- Custom TLS certificates installed via nix darwin
Everything works as expected with the installed certificates, but as soon as I enter into a development shell with `nix develop`, the certificates are not available and thus, I get TLS errors that break whatever I’m doing in the dev shell. If I use an impure development shell, the issue disappears.
Is there a way to use pure `nix develop` shells which respect the installed certificates?
So the certs end up in these files:
Only the first one is mentioned on Stack Overflow as being used by Go on Debian.
Curl seems to have its default location compiled in by passing `--with-ca-bundle`, but after installing `curlFull` and running `curl-config --ca`, it doesn’t look like that was used and the “default” path is guessed.

Looking further in the `curl` derivation there are these lines for darwin:

```nix
lib.optionals stdenv.isDarwin [
  # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
  # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
  "--without-ca-bundle"
  "--without-ca-path"
]
```

So, check the value of `NIX_SSL_CERT_FILE` outside `nix shell` and within. The path might have to be set there. I dunno how to do that automatically with `nix shell`, so it might have to be done manually.

Anti Commercial-AI license
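
A small diagnostic for the comparison suggested in the answer above, as an added example that is not part of the thread: it reports where `NIX_SSL_CERT_FILE` points and whether that file actually contains PEM certificates. Checking `SSL_CERT_FILE` and `CURL_CA_BUNDLE` as well is an assumption that other tools in the shell read them, and the function names are made up for this example.

```sh
# Added example (not from the thread). Run once outside and once inside
# `nix develop`, then compare the two reports.

# Classify one CA bundle path:
# unset | missing | not-a-file | unreadable | empty | ok:<certificate count>
ca_bundle_status() {
    local path="$1" count
    [ -n "$path" ] || { echo "unset"; return 1; }
    [ -e "$path" ] || { echo "missing"; return 1; }
    [ -f "$path" ] || { echo "not-a-file"; return 1; }
    [ -r "$path" ] || { echo "unreadable"; return 1; }
    # grep -c exits 1 on zero matches, so keep the count and ignore the status.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    [ "$count" -gt 0 ] || { echo "empty"; return 1; }
    echo "ok:$count"
}

# Report NIX_SSL_CERT_FILE plus the generic OpenSSL and curl variables.
# Returns 0 only if NIX_SSL_CERT_FILE is usable and no other variable that is
# set points at an unusable file.
check_ca_env() {
    local var val status rc=0
    for var in NIX_SSL_CERT_FILE SSL_CERT_FILE CURL_CA_BUNDLE; do
        eval "val=\${$var:-}"   # var only takes the fixed names above
        status=$(ca_bundle_status "$val") || true
        printf '%-18s %-11s %s\n' "$var" "$status" "$val"
        case "$status" in
            ok:*) ;;
            unset) if [ "$var" = NIX_SSL_CERT_FILE ]; then rc=1; fi ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

check_ca_env || echo "no usable CA bundle configured in this shell" >&2
```

A variable that is set in both shells but reports `missing` or `empty` inside the dev shell points at a path that the pure environment cannot see or that holds no certificates.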
Thanks, I’ll try that!