No SSL certificates in nix-shell --pure #66716

Open
mb21 opened this issue Aug 16, 2019 · 13 comments
Labels
0.kind: bug Something is broken 6.topic: darwin Running or building packages on Darwin

Comments

@mb21
Contributor

mb21 commented Aug 16, 2019

Describe the bug

On macOS, SSL certificates work when using nix-shell, but are non-existing in nix-shell --pure.

To Reproduce

nix-shell -p curl --pure

curl https://google.com
curl: (77) error setting certificate verify locations:
  CAfile: /no-cert-file.crt
  CApath: none

But this doesn't seem limited to curl.

Metadata
nix run nixpkgs.nix-info -c nix-info -m output:

 - system: `"x86_64-darwin"`
 - host os: `Darwin 18.7.0, macOS 10.14.6`
 - multi-user?: `no`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.2.2`
 - channels(maurobieg): `"nixpkgs-19.09pre188239.c0e56afddbc"`
 - nixpkgs: `/Users/maurobieg/.nix-defexpr/channels/nixpkgs`

Is this expected? If so, feel free to close this issue.

Maybe related to NixOS/nix#921?

@mb21 mb21 added the 0.kind: bug Something is broken label Aug 16, 2019
@mb21 mb21 changed the title SSL certificate on macOS with nix-shell --pure No SSL certificates on macOS with nix-shell --pure Aug 16, 2019
@mb21
Contributor Author

mb21 commented Aug 16, 2019

Found #13744 Apparently this is intended behaviour?

I still don't understand why there isn't a bundled cert file though.

@matthewbauer matthewbauer added this to the 20.03 milestone Aug 16, 2019
@matthewbauer matthewbauer self-assigned this Aug 16, 2019
@matthewbauer
Member

The reason that SSL certificates are not bundled with OpenSSL is to allow system-wide certificates to be usable. For instance NixOS has the security.pki module that can be used to add custom certificates. Unfortunately, macOS does not come with an equivalent .crt bundle for us to use. As a result we rely on NIX_SSL_CERT_FILE, SSL_CERT_FILE, or /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt to exist.

I think we can make this situation better by using the SecureTransport backend for curl by default (while still using the purer openssl and gnutls for fetchurl). This would use macOS's Security framework and still allow you to add custom certificates where needed.
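Added example, not code from the issue or from nixpkgs: a POSIX shell helper that walks the lookup order described above (NIX_SSL_CERT_FILE, then SSL_CERT_FILE, then the default profile's ca-bundle.crt) and reports which bundle, if any, is actually usable, treating the /no-cert-file.crt sentinel from the curl error as absent rather than trusted. The function names and the constructed sample paths are assumptions; only the default bundle path comes from the thread.

```shell
#!/bin/sh
# Added example (not from the nixpkgs issue): resolve the CA bundle in the
# order the thread describes -- NIX_SSL_CERT_FILE, then SSL_CERT_FILE, then
# the default profile's ca-bundle.crt -- and report which one is usable.
# DEFAULT_BUNDLE is the path quoted in the thread; function names are assumed.

DEFAULT_BUNDLE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"

# Print the first readable candidate that contains at least one PEM
# certificate. Returns 1 and prints nothing when none qualifies, which is
# the pure-shell case where NIX_SSL_CERT_FILE points at /no-cert-file.crt.
resolve_ca_bundle() {
    for candidate in "${NIX_SSL_CERT_FILE:-}" "${SSL_CERT_FILE:-}" "$DEFAULT_BUNDLE"; do
        [ -n "$candidate" ] || continue
        # A path that does not exist (the sentinel) is skipped, not trusted.
        [ -r "$candidate" ] || continue
        # Reject empty or non-PEM files so a bogus bundle does not pass as valid.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate" 2>/dev/null || continue
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# Diagnose the current environment; mirrors what curl will run into.
check_ssl_env() {
    bundle=$(resolve_ca_bundle) && {
        echo "CA bundle: $bundle"
        return 0
    }
    echo "no usable CA bundle (NIX_SSL_CERT_FILE=${NIX_SSL_CERT_FILE:-unset}); add cacert to the shell" >&2
    return 1
}
```

Running `check_ssl_env` inside `nix-shell --pure -p curl` and again with `cacert` added shows the difference the thread discusses.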

@mb21
Contributor Author

mb21 commented Aug 17, 2019

Thanks for the quick reply! I actually stumbled over this when using bundix and the http requests from inside ruby failed... so I'm not sure using a different cert file for curl and openssl would make things more understandable...

Currently, NIX_SSL_CERT_FILE points to /no-cert-file.crt in a pure shell. Couldn't it just point to a bundled fallback cert file if the user doesn't set NIX_SSL_CERT_FILE to something else in the derivation or wherever (sorry if this doesn't make sense, I'm still fairly new to nix). Ideally, this would be a dependency of builtins.currentSystem on macOS?

@veprbl veprbl added the 6.topic: darwin Running or building packages on Darwin label Aug 17, 2019
@disassembler disassembler modified the milestones: 20.03, 20.09 Feb 10, 2020
@matthewbauer matthewbauer removed their assignment May 15, 2020
@stale

stale bot commented Nov 11, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 11, 2020
@FRidh FRidh modified the milestones: 20.09, 21.03 Dec 20, 2020
@stale stale bot removed 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md labels Dec 20, 2020
@stale

stale bot commented Jun 18, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 18, 2021
@bouk
Contributor

bouk commented Jul 20, 2021

For others finding this: you can also add cacert as a package to load—nix-shell --pure curl cacert works

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 20, 2021
@samuela
Member

samuela commented Aug 30, 2021

I'm seeing this same issue on NixOS nixos-20.09.3301.42809feaa9f and Ubuntu ubuntu-latest on github actions. Adding cacert fixes it though.

@stale

stale bot commented Apr 28, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 28, 2022
@Artturin Artturin modified the milestones: 21.05, 23.05 Dec 31, 2022
@stale stale bot removed 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md labels Dec 31, 2022
@RaitoBezarius
Member

I don't see any actionable way to fix this except by bundling cacert in curl whenever on macOS or using SecureTransport.

Can @NixOS/darwin-maintainers chime in and suggest the forward way?

@uri-canva
Contributor

This isn't macOS specific, as noted in #66716 (comment), and I can confirm we've seen this issue too when using nix as a package manager on ubuntu. How does NixOS handle this? Or are pure nix shells used much more rarely on NixOS, so this hasn't surfaced?

@uri-canva
Contributor

I always thought it was working as intended, but I'm not sure, will edit the title to reflect it's not macOS specific though.

@uri-canva
Contributor

Linux repro:

[nix-shell:~/github/NixOS/nixpkgs]$ curl https://google.com
curl: (77) error setting certificate file: /no-cert-file.crt
  • system: "x86_64-linux"
  • host os: Linux 5.15.0-1031-aws, Ubuntu, 20.04.6 LTS (Focal Fossa), nobuild
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.15
  • channels(root): "nixpkgs-23.05pre469610.3364b5b117f"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixpkgs

@uri-canva uri-canva changed the title No SSL certificates on macOS with nix-shell --pure No SSL certificates in nix-shell --pure Apr 4, 2023
@Artturin Artturin removed this from the 23.05 milestone Apr 15, 2023
@Rijndael1998

Rijndael1998 commented Jul 23, 2024

Still affects me, but I'm not on MacOS.

[r@Smol:~]$ nix-shell -p curl --pure

[nix-shell:~]$ curl https://google.com
curl: (77) error setting certificate file: /no-cert-file.crt

[nix-shell:~]$ 
exit

[r@Smol:~]$ curl https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

  • system: "x86_64-linux"
  • host os: Linux 6.6.41, NixOS, 24.05 (Uakari), 24.05.3109.74435c9234c7
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.18.5
  • channels(root): "nixos-24.05-small, nixos-unstable"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Note: the only unstable package on my system is Joplin.

>For others finding this: you can also add cacert as a package to load—nix-shell --pure curl cacert works

This does work:

[r@Smol:~]$ nix-shell --pure -p curl -p cacert

[nix-shell:~]$ curl https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
