Hi!

I’ve ran into an issue with nix develop shells.

My setup:

  • Nix Darwin (macos)
  • Custom TLS certificates installed via nix darwin

Everything works as expected with the installed certificates, but as soon as I enter into a development shell with nix develop, the certificates are not available and thus, I get TLS errors that break whatever I’m doing in the dev shell. If I use an impure development shell, the issue disappears.

Is there a way to use pure nix develop shells which respect the installed certificates?

  • @onlinepersona@programming.dev
    link
    fedilink
    English
    13 months ago

    Could you provide more information? Snippets of the config that are relevant e.g custom TLS certs config, what does the flake look like, self-signed TLS certs? What exactly is breaking? curl https://localhost:8080/something ?

    Have you compared the environment variables?

    Anti Commercial-AI license

    • Neo
      link
      English
      33 months ago

      It’s almost as if you’d like OP to provide a reproducible example. If only there was a tool for that /s

    • @secana@programming.devOP
      link
      fedilink
      English
      23 months ago

      Sure. I import the certificates like this:

      { config, pkgs, inputs, ... }:
      {
        security.pki.certificateFiles = [
          ./certificates/home.pem
        ];
      }
      

      where home.pem is a default PEM formatted certificate. It works fine to import the cert system wide this way.

      If I enter the flake.nix and run a simple curl against the remote server I get the following, which is typical for a TLS certificate error.

      curl https://webpage.home
      curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
      

      So it seems to me that the development shell does not pick up the certificates installed on the system. I can work around that by using an impure shell, but I think that this is not how nix should be used.

      • @onlinepersona@programming.dev
        link
        fedilink
        English
        2
        edit-2
        3 months ago

        So the certs end up in these files:

        • /etc/ssl/certs/ca-certificates.crt
        • /etc/ssl/certs/ca-bundle.crt
        • / etc/pki/tls/certs/ca-bundle.crt

        Only the first one is mentioned on stackoverflow as being used by Go on debian.

        Curl seems to have its default location compiled in by passing --with-ca-bundle , but after installing curlFull and running curl-config --ca, it doesn’t look like that was used and the “default” path is guessed.

        Looking further in the curl derivation there are these lines for darwin :

        lib.optionals stdenv.isDarwin [
              # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
              # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
              "--without-ca-bundle"
              "--without-ca-path"
            ]
        

        So, check the value of NIX_SSL_CERT_FILE outside nix shell and within. The path might have to be set there. I dunno how to do that automatically with nix shell, so it might have to be done manually.

        Anti Commercial-AI license

  • Neo
    link
    English
    13 months ago

    deleted by creator