SSL_CERT_FILE causes SSL certificate errors with other tools

[lilyball]

I tried to install something with Homebrew today (a package that is out of date on Nix) and it failed with the following error:

curl: (51) SSL: certificate verification failed (result: 5)

Digging into this, it's trying to download a file using curl that, after redirects, ends up fetching a URL like

https://akamai.bintray.com/5c/5ce4e36ed803d7ee2863b8a84b2123fb29f34e02e7c2f908284bb24408f94a65?__gda__=exp=1464730847~hmac=bfe122e8b6bcbf8d01952ab997861ac1fed2434aceccc74cf5c356ad107a1481&response-content-disposition=attachment%3Bfilename%3D%22git-lfs-1.2.0.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip

(I assume this URL is not permanent)

The fetch for this resource is what triggers the certificate verification failure. Unsetting $SSL_CERT_FILE fixes the issue. My assumption here is that the root certificate for that server isn't included in Nix's ca-bundle.crt, though I don't know why that would be.

This is with Nix 1.11.2 on OS X 10.11.5.

[domenkozar]

Can you print the value of SSL_CERT_FILE?

[lilyball]

> echo $SSL_CERT_FILE
/Users/kevinballard/.nix-profile/etc/ssl/certs/ca-bundle.crt

[lilyball]

I just hit this again with the trivial case curl https://google.com.

[mkhl]

The cause seems to be that the nix CA bundle requires a curl with OpenSSL support, which (current) builtin versions don’t have.

> /usr/bin/curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5 

I worked around this using more Homebrew:

> brew install curl --with-openssl
> brew link --force curl
> /usr/local/bin/curl --version
curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5

That version works, but Homebrew won’t use it unless I also patch /usr/local/Library/brew.sh to set HOMEBREW_CURL to it (or to comment it out and set it in my shell config).

I assume a similar workaround can work by installing curl from nix, but I haven’t checked yet.

[copumpkin]

This seems kind of bad and off-putting for new OSX users. Is anyone looking into it?

[copumpkin]

Might be good to start using tags in this repo and let more of us tag issues. Would be good for those of us wanting to improve the darwin experience to track down darwin-specific pain.

[bhmiller]

I just wasted ~30 min on this bug; please fix!

[petemoore]

I also hit this today. 😭

Any brew install command on my host would fail with:

curl: (51) SSL: certificate verification failed (result: 5)

I finally tracked it down to the SSL_CERT_FILE environment variable setting, which was being set indirectly by the following line in my .profile which had been added by the Nix installer:

if [ -e /Users/pmoore/.nix-profile/etc/profile.d/nix.sh ]; then . /Users/pmoore/.nix-profile/etc/profile.d/nix.sh; fi # added by Nix installer

Here are some other issues which appear to be related to (or a duplicate of) this:

• nix-shell should preserve SSL_CERT_FILE #853
• SSL certificates: figure out how libs/apps find them by default nixpkgs#8247
• SSL_CERT_FILE should be in systemd.globalEnvironment (See #8247 instead) nixpkgs#8486
• curl doesn't work in nix-shell because of $SSL_CERT_FILE=/no-cert-file.crt default nixpkgs#13744

Unsetting SSL_CERT_FILE resolved the issue for me.

[petemoore]

@layus FYI - thanks! 😄

[domenkozar]

So if I understand correctly, Nix CA requires curl with OpenSSL built, but the default curl on OSX doesn't have that.

What are the options here? I don't have a darwin platform, but would love to help this getting fixed.

[petemoore]

Thanks @domenkozar for helping out. 👍

I suspect now the problem might be that the cacerts file I had on my machine at the time I installed nix was invalid...

I installed curl via homebrew and get the same problem when using the cacerts file that nix was pointing to, and I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

Here is a demo of the problem I have when using the a cacerts file:

First I download the latest version of the file in pem format:

pmoore@Petes-iMac:~ $ curl -L https://curl.haxx.se/ca/cacert.pem > ~/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  244k  100  244k    0     0   252k      0 --:--:-- --:--:-- --:--:--  252k

Next I try to use it with a curl command:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl --cacert ~/cacert.pem -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
curl: (51) SSL: certificate verification failed (result: 5)

Now I use curl without specifying a cacert file, and problem goes away:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2Up4se5f2ui1T_LnBvu_vQfEMh6RtBVrT2mPuVpnC6STOQHN1nOsRdSsvs3aJo9TDrL5M2McVm29XvXGoKCWW2U4fw2g3A
Expires: Mon, 22 Aug 2016 20:59:49 GMT
Date: Mon, 22 Aug 2016 19:59:49 GMT
Cache-Control: public, max-age=3600
Last-Modified: Mon, 15 Aug 2016 23:20:30 GMT
ETag: "a30c3bd1a7fcc6a48acfb74936a19b4c"
x-goog-generation: 1471303230615000
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 14091954
Content-Type: application/x-gzip
x-goog-hash: crc32c=B1onUw==
x-goog-hash: md5=oww70af8xqSKz7dJNqGbTA==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 14091954
Server: UploadServer
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="35,34,33,32,31,30"

And now, to show the format of the cacert file:

pmoore@Petes-iMac:~ $ head -30 ~/cacert.pem 
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Apr 20 03:12:05 2016
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 5df367cda83086392e1acdf22bfef00c48d5eba6
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

The curl version I am using above is /usr/local/Cellar/curl/7.50.1/bin/curl which is the version installed by homebrew, rather than the native apple version.

I'm wondering now if the problem is that I shouldn't use this file, but some adapted version of it, and maybe when I installed nix I referred to (an older version of) this file, and the mistake was made then (I don't remember where that file came from, if it was shipped with nix, or if I had my own version etc).

Thanks @domenkozar for any ideas you might have!

[petemoore]

Note, the version that my nix installation was pointing to was a bit older (see below - from Nov 9 last year). In my demonstration above, I was just trying with the latest version of the file, in case that might have fixed things (which it didn't).

Also when I was using brew to install things originally, or using curl directly, I was not explicitly specifying --cacert. Above I used this command line option to demonstrate that the problem occurs also when using --cacert, like it does when having environment variable SSL_CERT_FILE pointing to the file.

pmoore@Petes-iMac:~ $ head -30 /Users/pmoore/.nix-profile/etc/ssl/certs/ca-bundle.crt
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Mon Nov  9 05:12:59 2015
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## file:///private/var/tmp/nix-build-nss-cacert-3.21.drv-0/nss-3.21/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 0ab47e2f41518f8d223eab517cb799e5b071231e
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

[mkhl]

I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

It has OpenSSL as an optional dependency, which is used if you install it with --with-openssl.

You can check whether your version uses OpenSSL by checking the output of curl --version | head -n1. On my system:

> /usr/bin/curl --version | head -n1
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
> /usr/local/opt/curl/bin/curl --version | head -n1
curl 7.50.1 (x86_64-apple-darwin15.6.0) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.5

[layus]

Nix ships a curl package that trusts /etc/ssl/certs/ca-bundle.crt by default. This is not always available on non NixOS distros. To make nix-only installs working on other distros, we make the nix setup script export SSL_CERT_FILE to some existing cert bundle to ensure that the curl package shipped and used by Nix works properly. (Otherwise, nix cannot download derivations.)

I i understand this bug, the issue is that this behavior breaks curl builds without openssl support, right ? Now, I have a few questions:

1. How come you are using MacOS's curl while you are in a nix environment? Your PATH settings should default to using nix's curl. Does homebrew use an absolute path to curl?
2. Could you install some package with nix after unsetting SSL_CERT_FILE? I bet it would break nix. If not, please report as it could be a potential fix here.
3. How come curl does honor SSL_CERT_FILE if it is built without OpenSSL? This could be an upstream bug. This is not needed as macosx does not use a trust file, but SecureTransport and a very different scheme to store certificates. SSL_CERT_FILE should be irrelevant to that TLS engine.

[lilyball]

1. I don't have Nix's curl installed. That said, Homebrew does indeed use /usr/bin/curl unless the env var HOMEBREW_CURL has been set to another path.
2. It does seem to work (I interrupted it halfway through), but only because Nix ends up falling back to an http URL instead if the https ones fail (all the https URLs it tries fail with Curl error 60).
3. I have no idea. This does seem like a bug.

[layus]

https://docwhat.org/el-capitan-and-the-evils-of-openssl/ has it all explained. Apparently, setting SSL_CERT_FILE makes SecureTransport fall back to the (very old) openssl shipped by MacOS. This old version is incompatible with current certificates.

This is a hard problem, because this is not a problem only with curl. SSL_CERT_FILE is required by every package using openssl.

[layus]

@kballard, @petemoore you should really contact apple about this. Their version of openssl is very old, and setting SSL_CERT_FILE to a recent bundle makes it fail...

But this is also something I am not willing to investigate. I do not want to spend time understanding and fixing closed source software.
That being said, pushing a work-around in nix may be acceptable. I just have no idea how to do that sanely.

[edolstra]

I see two solutions:

• Rename SSL_CERT_FILE to NIX_CERT_FILE or something like that, so that we don't interfere with the native /usr/bin/curl on OS X.
• Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

[mkhl]

Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

If I understand the Homebrew formula correctly, this can be done by passing --with-darwinssl to curl’s configure script (and leaving out --with-ssl).

[edolstra]

@mkhl Thanks, I'll give that a try.

[layus]

I see two solutions:

• Rename SSL_CERT_FILE to NIX_CERT_FILE or something like that, so that we don't interfere with the native /usr/bin/curl on OS X.
• Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

I would trust the second option, but be aware that it may break applications relying on the default trust store of openssl, as openssl will no more find the trust store in ~/.nix-profile/... and probably fail to provide a default.

[edolstra]

Hm, curl segfaults when built with darwinssl:

# gdb --args ./result-bin/bin/curl -v https://google.com
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin15.2.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./result-bin/bin/curl...(no debugging symbols found)...done.
(gdb) r
Starting program: /nix/store/6x66y4k6dx61dzpn7g5b2dn4l0dzwrpp-curl-7.50.1-bin/bin/curl -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 74.125.136.102...
* Connected to google.com (74.125.136.102) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
[New Thread 0x1b13 of process 60442]
[New Thread 0x1c03 of process 60442]
[New Thread 0x1d03 of process 60442]

Thread 1 received signal SIGSEGV, Segmentation fault.
0x0000000100130a28 in CFRelease () from /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
(gdb) bt
#0  0x0000000100130a28 in CFRelease () from /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
#1  0x0000000100062ed3 in darwinssl_connect_common () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#2  0x0000000100061460 in Curl_ssl_connect_nonblocking () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#3  0x00000001000286c3 in https_connecting () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#4  0x0000000100048445 in multi_runsingle () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#5  0x000000010004815d in curl_multi_perform () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#6  0x00000001000423c0 in curl_easy_perform () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#7  0x000000010000c82c in operate_do ()
#8  0x0000000100008e24 in operate ()
#9  0x00000001000086e4 in main ()

[edolstra]

@copumpkin @pikajude Could the segfault above be caused by the mixing of the system Security framework and the Nixpkgs CoreFoundation framework?

$ otool -L ./result-bin/bin/curl 
./result-bin/bin/curl:
        /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib (compatibility version 9.0.0, current version 9.0.0)
        /nix/store/adrpfqnbmx071vdv8gmxdzkdjamx4rhq-libssh2-1.7.0/lib/libssh2.1.dylib (compatibility version 2.0.0, current version 2.1.0)
        /nix/store/i4klhk599pbabpc5fkcy6bmbf212l6di-zlib-1.2.8/lib/libz.dylib (compatibility version 1.0.0, current version 1.2.8)
        /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.2)
        /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 855.15.0)
        /nix/store/n5w3cs7hb2ffd47ycarjyz5kg8pq4n2l-Libsystem-osx-10.9.5/lib/libSystem.dylib (compatibility version 1.0.0, current version 1197.1.1)

[edolstra]

Indeed

$ DYLD_FRAMEWORK_PATH=/System/Library/Frameworks ./result-bin/bin/curl -v https://google.com

fixes the segfault. But is there a proper solution for this?

[petemoore]

@layus

@kballard, @petemoore you should really contact apple about this. Their version of openssl is very old, and setting SSL_CERT_FILE to a recent bundle makes it fail...

I've raised Bug 27968953 "SecureTransport problem causes /usr/bin/curl to fail if env var SSL_CERT_FILE is set, or --cacert option is passed" with the Apple Bug Reporter, against product "OS X". The content of the bug is essentially the same as for the github curl/curl issue referenced above.

[copumpkin]

Yeah, that's it. I'd be reluctant to introduce more impurity into nix itself, but we could probably make it work if you think the pros outweigh the cons here.

On Aug 23, 2016, at 15:40, Eelco Dolstra [email protected] wrote:

Indeed

$ DYLD_FRAMEWORK_PATH=/System/Library/Frameworks ./result-bin/bin/curl -v https://google.com
fixes the segfault.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

[mmerickel]

I've run into this issue the last several times I've given nix-on-darwin a try and it's really discouraging. I decided to do some research and found this issue which exactly described my experience. As nix is just the package manager here, it seems odd that it wouldn't integrate with the system trust store. I know it's unfortunate that macOS is using such an old openssl package, but it would really help me if I could try out nix alongside my existing homebrew setup which is broken any time I activate nix (preventing me from adding it to my zshrc).

[globin]

ping @edolstra

[domenkozar]

@layus are you sure that works?

downloading ‘https://github.com/NixOS/nixpkgs/archive/6a8790429692280998801c96660dcc85e30fb759.tar.gz’... error: unable to download ‘https://github.com/NixOS/nixpkgs/archive/6a8790429692280998801c96660dcc85e30fb759.tar.gz’: Problem with the SSL CA cert (path? access rights?) (77)

[edolstra]

Here is the 1.11.7 candidate, testing on non-NixOS systems (especially OS X) welcome: http://hydra.nixos.org/eval/1335054

[copumpkin]

@edolstra I tried nix-install-package --non-interactive --url http://hydra.nixos.org/build/49130459/nix/pkg/nix-1.11.7-x86_64-darwin.nixpkg (as suggested by the Hydra UI) on macOS and it told me "Installation failed: invalid package contents". Am I doing something wrong?

Edit: I guess

$ curl --head http://hydra.nixos.org/build/49130459/nix/pkg/nix-1.11.7-x86_64-darwin.nixpkg
HTTP/1.1 404 Not Found
Date: Wed, 22 Feb 2017 14:15:54 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k
Vary: Accept
Content-Type: text/html; charset=utf-8

[domenkozar]

I'm now trying https://github.com/domenkozar/test-nix-1-11-7/blob/master/.travis.yml at https://travis-ci.org/domenkozar/test-nix-1-11-7/builds/204208039

[domenkozar]

I can not reproduce this bug on 10.12.2, but I can reproduce it on 10.11.6 and confirm Nix 1.11.7 fixes the issue.

$ nix-env -i /nix/store/9hbq6vrrm5mp9w124qdza2m3kpc52rac-nix-1.11.7
$ . /Users/admin/.nix-profile/etc/profile.d/nix.sh
$ nix-env --version
nix-env (Nix) 1.11.7
$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets 
$ curl https://google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.uk/?gfe_rd=cr&amp;ei=t5-tWKaLKsTv8AfH5YG4CQ">here</A>.
</BODY></HTML>
$ export SSL_CERT_FILE="$NIX_SSL_CERT_FILE"
$ curl https://google.com/a
curl: (51) SSL: certificate verification failed (result: 5)

[domenkozar]

Waiting on https://travis-ci.org/domenkozar/test-nix-1-11-7/builds/204213775 as well

[domenkozar]

@edolstra nix-env fails to work:

$ nix-env -i curl
warning: there are multiple derivations named ‘curl-7.51.0’; using the first one
installing ‘curl-7.51.0’
these paths will be fetched (0.94 MiB download, 3.14 MiB unpacked):
  /nix/store/3vyj968sa8rhyy88pavicj9957x0b3nn-libssh2-1.7.0-dev
  /nix/store/54iylcd3awfv7s0rpan7wzcyyyqi3ghw-curl-7.51.0-bin
  /nix/store/6ps44is1czbmnrx7d55dbyfdf44h7zan-openssl-1.0.2j-dev
  /nix/store/a5hr0bd8g2c5lxlajkgnzs0j00n0cv3m-curl-7.51.0-dev
  /nix/store/brh9gixb2hzyslk9b53x5g0jw4rz5s13-curl-7.51.0-man
  /nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc
  /nix/store/zry44lfn71rx6768yijyd2zg4gawnc5s-openssl-1.0.2j-bin
fetching path ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’...

*** Downloading ‘https://cache.nixos.org/nar/018ic903flb5wxkfz82rah8gy5y8zf95bj9zyz9h2hmb5bdg30r9.nar.xz’ to ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /Users/admin/.nix-profile/etc/ssl/certs/ca-bundle.crt
/nix/store/cygk7m0q7819rc1xb8pr8nzpj44msbyy-xz-5.2.2-bin/bin/xz: (stdin): File format not recognized
error: unexpected end-of-file
download of ‘https://cache.nixos.org/nar/018ic903flb5wxkfz82rah8gy5y8zf95bj9zyz9h2hmb5bdg30r9.nar.xz’ failed: No such file or directory
could not download ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’ from any binary cache
fetching path ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’ failed with exit code 1
fetching path ‘/nix/store/54iylcd3awfv7s0rpan7wzcyyyqi3ghw-curl-7.51.0-bin’...
killing process 48520
error: build of ‘/nix/store/gbbqdh0yj6wswjywzhany7hllamdmwqn-curl-7.51.0.drv’ failed

[layus]

@domenkozar Is my input still needed ? Do you mean that apple fixed their curl with 10.12.x ?

[domenkozar]

@layus no, I think Nix is currently broken with this fix (see below). But this fix is not needed on Sierra.

$ echo $NIX_SSL_CERT_FILE
/Users/admin/.nix-profile/etc/ssl/certs/ca-bundle.crt
$ echo $SSL_CERT_FILE

$ git clone https://github.com/NixOS/nix.git
Cloning into 'nix'...
fatal: unable to access 'https://github.com/NixOS/nix.git/': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

[domenkozar]

travis-ci confirms my findings for last three OSX versions: https://travis-ci.org/domenkozar/test-nix-1-11-7/builds/204213775

[veprbl]

@domenkozar #1247 unbreaks this for me

[lilyball]

I can confirm that, at least as of macOS 10.12.3, $SSL_CERT_FILE no longer seems to interfere with /usr/bin/curl.

[domenkozar]

Testing http://hydra.nixos.org/build/49226380 at https://travis-ci.org/domenkozar/test-nix-1-11-7/builds/204512720

[layus]

@domenkozar weird results...

/home/travis/build.sh: line 62: /home/travis/.nix-profile/bin/nix-env: cannot execute binary file: Exec format error
...
$ git clone github.com/NixOS/nix
fatal: repository 'github.com/NixOS/nix' does not exist

Edit: Of course, you install only the osx executable, it cannot work on linux.

[domenkozar]

Don't mind Linux, just OSX.

[layus]

@domenkozar Right, but git clone github.com/NixOS/nix does not work for me. Do you really want to wait for this to fail before updating ? To test ssl you most certainly want https://github.com/NixOS/nix or am I missing something ?

[domenkozar]

Thanks, fixed

[domenkozar]

Travis build succeeded, I'll now build a few things on OSX to verify more broadly.

[domenkozar]

@edolstra looks good to me on OSX, curl and git work from nix and from OSX itself.

[xpe]

I think I might be facing a related problem. I'm using a recently updated macOS Nix installation with Nix-installed version of Mercurial (hg) and I'm getting this error:

hg clone https://bitbucket.org/eigen/eigen/
abort: could not find web.cacerts: /etc/ssl/certs/ca-certificates.crt

echo $NIX_SSL_CERT_FILE 
/Users/xpe/.nix-profile/etc/ssl/certs/ca-bundle.crt

I'm using macOS 10.12.6 with nix-env (Nix) 1.11.13.

What should I try to diagnose, debug, and fix or workaround?

[layus]

@xpe: follow-up in NixOS/nixpkgs#27928