-
-
Notifications
You must be signed in to change notification settings - Fork 467
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
treewide: use NIX_SSL_CERT_FILE instead of pkgs.cacert #1174
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should instead not set NIX_SSL_CERT_FILE
at all as Nix 2.0 (possibly even earlier) has used /etc/ssl/certs/ca-certificates.crt
as one of the default locations which we already populate
I don't understand? |
We should remove this line:
As well as removing all usage of We could even add an assertion to prevent users from setting that environment variable and tell them to use |
How will problems like #657 (comment) be handled? |
I had a look at that issue and it's not really clear to me why setting
{
launchd.daemons.my-test-daemon = {
script = ''
set -x
env | grep NIX_SSL_CERT_FILE || true
rm -rf /tmp/my-test-daemon
${lib.getExe pkgs.git} clone -v https://github.com/LnL7/nix-darwin /tmp/my-test-daemon
'';
serviceConfig = {
RunAtLoad = true;
StandardOutPath = "/var/log/my-test-daemon.log";
StandardErrorPath = "/var/log/my-test-daemon.log";
};
};
}
|
Interesting, that doesn't work for me:
|
What version of macOS are you using? In a regular terminal:
|
|
Can you run:
Also could you try with a more up to date
|
|
Hmm, very odd, it works for me
Do you have any packages installed through Homebrew? |
This error seems significant, but it's not very clear what file is not found and I'm not sure if there's an easy way to get OpenSSL to print it out Can you print out:
|
No, homebrew has never been installed. I've been testing this on the on the nix-community darwin-build-box so I can give you ssh access to it if you'd like. I can reproduce the same error via remote desktop and ssh on this machine and on our CI builder, they both on the same flake and macos version. Honestly, I'm rather surprised that it works for you. I don't recall curl, git, etc ever working if NIX_SSL_CERT_FILE is unset, either in a launchd daemon or when run manually. |
Yeah if you could give me access, I can investigate further From my understanding, setting |
Ah, I always forget keys are accessible via github. Deployed in nix-community/infra@1f97557. I gave you access to the nixos community box as well, it is only x86_64 at the moment but nix-community will likely be running a replacement for https://github.com/NixOS/aarch64-build-box in a few weeks so you'll have access to that as well. |
I think I've figured it out OpenSSL is patched to look at As I have not uninstalled anything from the default profile since I installed Nix,
I think the correct solution would be to update the OpenSSL patches to check both |
Yes, that is it, good find.
Agreed. |
Based on the discussion in #675 this seems to be the preferred style.