
treewide: use NIX_SSL_CERT_FILE instead of pkgs.cacert #1174

Open: zowoq wants to merge 1 commit into master

Conversation

zowoq (Contributor) commented Nov 16, 2024

Based on the discussion in #675 this seems to be the preferred style.

Enzime (Collaborator) left a comment

I think we should instead not set NIX_SSL_CERT_FILE at all as Nix 2.0 (possibly even earlier) has used /etc/ssl/certs/ca-certificates.crt as one of the default locations which we already populate

zowoq (Contributor Author) commented Nov 16, 2024

I don't understand?

Enzime (Collaborator) commented Nov 16, 2024

We should remove this line:

environment.variables.NIX_SSL_CERT_FILE = mkDefault "/etc/ssl/certs/ca-certificates.crt";

As well as removing all usage of NIX_SSL_CERT_FILE

We could even add an assertion to prevent users from setting that environment variable and tell them to use nix.settings.ssl-cert-file instead (available since 2.15.0)

zowoq (Contributor Author) commented Nov 16, 2024

How will problems like #657 (comment) be handled?

Enzime (Collaborator) commented Nov 17, 2024

I had a look at that issue and it's not really clear to me why setting NIX_SSL_CERT_FILE is necessary

$ env | grep NIX_SSL_CERT_FILE
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
$ unset NIX_SSL_CERT_FILE
$ env | grep NIX_SSL_CERT_FILE
$ which git
/etc/profiles/per-user/enzime/bin/git
$ git clone https://github.com/LnL7/nix-darwin
Cloning into 'nix-darwin'...
remote: Enumerating objects: 10857, done.
remote: Counting objects: 100% (2497/2497), done.
remote: Compressing objects: 100% (813/813), done.
remote: Total 10857 (delta 1927), reused 2014 (delta 1659), pack-reused 8360 (from 1)
Receiving objects: 100% (10857/10857), 5.70 MiB | 2.88 MiB/s, done.
Resolving deltas: 100% (6849/6849), done.

{
  launchd.daemons.my-test-daemon = {
    script = ''
      set -x

      env | grep NIX_SSL_CERT_FILE || true
      rm -rf /tmp/my-test-daemon
      ${lib.getExe pkgs.git} clone -v https://github.com/LnL7/nix-darwin /tmp/my-test-daemon
    '';
    serviceConfig = {
      RunAtLoad = true;
      StandardOutPath = "/var/log/my-test-daemon.log";
      StandardErrorPath = "/var/log/my-test-daemon.log";
    };
  };
}

$ tail -F /var/log/my-test-daemon.log
+ env
+ grep NIX_SSL_CERT_FILE
+ true
+ rm -rf /tmp/my-test-daemon
+ /nix/store/cyd9di9q6vsdnffn63m75nsnpf425v90-git-2.47.0/bin/git clone -v https://github.com/LnL7/nix-darwin /tmp/my-test-daemon
Cloning into '/tmp/my-test-daemon'...
POST git-upload-pack (175 bytes)
POST git-upload-pack (317 bytes)
$ ls -lah /tmp/my-test-daemon
total 96
drwxr-xr-x  17 root  wheel   544B 17 Nov 04:56 .
drwxrwxrwt  10 root  wheel   320B 17 Nov 04:56 ..
drwxr-xr-x  13 root  wheel   416B 17 Nov 04:56 .git
drwxr-xr-x   4 root  wheel   128B 17 Nov 04:56 .github
-rw-r--r--   1 root  wheel    14B 17 Nov 04:56 .gitignore
-rw-r--r--   1 root  wheel   7.0K 17 Nov 04:56 CHANGELOG
-rw-r--r--   1 root  wheel   1.0K 17 Nov 04:56 LICENSE
-rw-r--r--   1 root  wheel   6.7K 17 Nov 04:56 README.md
-rw-r--r--   1 root  wheel   937B 17 Nov 04:56 default.nix
drwxr-xr-x   4 root  wheel   128B 17 Nov 04:56 doc
-rw-r--r--   1 root  wheel   640B 17 Nov 04:56 eval-config.nix
-rw-r--r--   1 root  wheel   508B 17 Nov 04:56 flake.lock
-rw-r--r--   1 root  wheel   2.8K 17 Nov 04:56 flake.nix
drwxr-xr-x  22 root  wheel   704B 17 Nov 04:56 modules
drwxr-xr-x   5 root  wheel   160B 17 Nov 04:56 pkgs
-rw-r--r--   1 root  wheel   5.6K 17 Nov 04:56 release.nix
drwxr-xr-x  57 root  wheel   1.8K 17 Nov 04:56 tests

zowoq (Contributor Author) commented Nov 17, 2024

Interesting, that doesn't work for me:

customer@darwin01 ~ % tail -F /var/log/my-test-daemon.log
+ env
+ grep NIX_SSL_CERT_FILE
+ true
+ rm -rf /tmp/my-test-daemon
+ /nix/store/cyd9di9q6vsdnffn63m75nsnpf425v90-git-2.47.0/bin/git clone -v https://github.com/LnL7/nix-darwin /tmp/my-test-daemon
Cloning into '/tmp/my-test-daemon'...
fatal: unable to access 'https://github.com/LnL7/nix-darwin/': OpenSSL/3.3.2: error:80000002:system library::No such file or directory

Enzime (Collaborator) commented Nov 17, 2024

What version of macOS are you using?

In a regular terminal:

$ echo $NIX_SSL_CERT_FILE
/etc/ssl/certs/ca-certificates.crt
$ ls -lah $NIX_SSL_CERT_FILE
lrwxr-xr-x  1 root  wheel    41B 13 Aug  2023 /etc/ssl/certs/ca-certificates.crt@ -> /etc/static/ssl/certs/ca-certificates.crt
$ realpath $NIX_SSL_CERT_FILE
/nix/store/npzsc982xmckzlmyissmw2r066d03353-ca-certificates.crt 

zowoq (Contributor Author) commented Nov 17, 2024

customer@darwin01 ~ % sw_vers
ProductName:            macOS
ProductVersion:         14.7.1
BuildVersion:           23H222
customer@darwin01 ~ % env | grep NIX_SSL_CERT_FILE
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
customer@darwin01 ~ % unset NIX_SSL_CERT_FILE
customer@darwin01 ~ % env | grep NIX_SSL_CERT_FILE
customer@darwin01 ~ % which git
/run/current-system/sw/bin/git
customer@darwin01 ~ % git clone https://github.com/LnL7/nix-darwin
Cloning into 'nix-darwin'...
fatal: unable to access 'https://github.com/LnL7/nix-darwin/': OpenSSL/3.3.2: error:80000002:system library::No such file or directory
customer@darwin01 ~ % echo $NIX_SSL_CERT_FILE
/etc/ssl/certs/ca-certificates.crt
customer@darwin01 ~ % ls -lah $NIX_SSL_CERT_FILE
lrwxr-xr-x  1 root  wheel    41B 16 May  2024 /etc/ssl/certs/ca-certificates.crt -> /etc/static/ssl/certs/ca-certificates.crt
customer@darwin01 ~ % realpath $NIX_SSL_CERT_FILE
/nix/store/5yqs6fsgrxz5wvzlf6qv7ymhy5nmlkk3-ca-certificates.crt

Enzime (Collaborator) commented Nov 17, 2024

Can you run:

$ nix shell nixpkgs#cctools -c otool -L $(which git)
/etc/profiles/per-user/enzime/bin/git:
	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 1122.11.0)
	/nix/store/rgc42scp99ji7mammdlmxg6jhb7sci5s-pcre2-10.44/lib/libpcre2-8.0.dylib (compatibility version 14.0.0, current version 14.0.0)
	/nix/store/9cpzwxa2fmkdl2da43968idffwfpcs53-zlib-1.3.1/lib/libz.dylib (compatibility version 1.0.0, current version 1.3.1)
	/nix/store/5v9hx01bnc73jrs2h6n8c1g1fq2g1038-gettext-0.21.1/lib/libintl.8.dylib (compatibility version 12.0.0, current version 12.0.0)
	/nix/store/cjzmz9dskblgkbv4by2wnsyvdjw6jpcm-libiconv-99/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1770.255.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)

Also, could you try with a more up-to-date git, maybe:

$ nix run nixpkgs/nixpkgs-unstable#git -- clone https://github.com/LnL7/nix-darwin

zowoq (Contributor Author) commented Nov 17, 2024

customer@darwin01 ~ % realpath $(which git) && nix shell nixpkgs#cctools -c otool -L $(which git)
/nix/store/cyd9di9q6vsdnffn63m75nsnpf425v90-git-2.47.0/bin/git
/run/current-system/sw/bin/git:
        /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 1122.33.0)
        /nix/store/7srv57hn2b24q7idwdc9a4y3pqkn6wy8-pcre2-10.44/lib/libpcre2-8.0.dylib (compatibility version 14.0.0, current version 14.0.0)
        /nix/store/lcdcai6gs0dbsx7a0hz43xb3xwwmb9dl-zlib-1.3.1/lib/libz.dylib (compatibility version 1.0.0, current version 1.3.1)
        /nix/store/dvmq3xa54hfik85259wyf281m076s14h-libiconv-107/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
        /nix/store/ymlrvh4zq6imlr4fqsricmhzyrf7g6s9-gettext-0.21.1/lib/libintl.8.dylib (compatibility version 12.0.0, current version 12.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.100.5)
customer@darwin01 ~ % nix run github:nixos/nixpkgs/nixpkgs-unstable#git -- clone https://github.com/LnL7/nix-darwin
Cloning into 'nix-darwin'...
fatal: unable to access 'https://github.com/LnL7/nix-darwin/': TLS connect error: error:80000002:system library::No such file or directory

Enzime (Collaborator) commented Nov 17, 2024

Hmm, very odd, it works for me

$ unset NIX_SSL_CERT_FILE
$ env | grep SSL
$ /nix/store/cyd9di9q6vsdnffn63m75nsnpf425v90-git-2.47.0/bin/git clone https://github.com/Enzime/aarch64-vm
Cloning into 'aarch64-vm'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 19 (delta 5), reused 16 (delta 2), pack-reused 0 (from 0)
Receiving objects: 100% (19/19), done.
Resolving deltas: 100% (5/5), done.

Do you have any packages installed through Homebrew?

Enzime (Collaborator) commented Nov 17, 2024

OpenSSL/3.3.2: error:80000002:system library::No such file or directory

This error seems significant, but it's not very clear what file is not found and I'm not sure if there's an easy way to get OpenSSL to print it out

Can you print out:

$ env | grep SSL
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

zowoq (Contributor Author) commented Nov 17, 2024

customer@darwin01 ~ % env | grep SSL
NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

No, homebrew has never been installed.

I've been testing this on the nix-community darwin-build-box, so I can give you ssh access to it if you'd like.

I can reproduce the same error via remote desktop and ssh on this machine and on our CI builder; they're both on the same flake and macOS version.

Honestly, I'm rather surprised that it works for you. I don't recall curl, git, etc ever working if NIX_SSL_CERT_FILE is unset, either in a launchd daemon or when run manually.

Enzime (Collaborator) commented Nov 17, 2024

Yeah if you could give me access, I can investigate further

From my understanding, setting NIX_SSL_CERT_FILE was mainly necessary when using custom SSL certificates, however adding them through security.pki.certificateFiles or security.pki.certificates should work

zowoq (Contributor Author) commented Nov 17, 2024

Enzime (Collaborator) commented Nov 17, 2024

Yep 👍

https://github.com/Enzime.keys

zowoq (Contributor Author) commented Nov 17, 2024

Ah, I always forget keys are accessible via GitHub.

Deployed in nix-community/infra@1f97557. I gave you access to the nixos community box as well, it is only x86_64 at the moment but nix-community will likely be running a replacement for https://github.com/NixOS/aarch64-build-box in a few weeks so you'll have access to that as well.

https://nix-community.org/community-builder/

Enzime (Collaborator) commented Nov 17, 2024

I think I've figured it out

OpenSSL is patched to look at /etc/ssl/certs/ca-certificates.crt on Linux and /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt on macOS:

https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch

As I have not uninstalled anything from the default profile since I installed Nix, /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt exists:

$ nix profile list --profile /nix/var/nix/profiles/default
Name:               nix
Store paths:        /nix/store/x11cpsjg4q236msfz5scc325pfp9xy64-nix-2.15.1

Name:               nss-cacert
Store paths:        /nix/store/pl497357lkfpvdr8v4pfan16k7jna2l2-nss-cacert-3.83

I think the correct solution would be to update the OpenSSL patches to check both /etc/ssl/certs/ca-certificates.crt and /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt on macOS to better support nix-darwin
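The root cause identified above is that two different default bundle paths are in play: nix-darwin populates /etc/ssl/certs/ca-certificates.crt, while the nixpkgs OpenSSL patch on macOS looks at /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt, so a machine where the default profile lacks nss-cacert fails with "No such file or directory" as soon as NIX_SSL_CERT_FILE is unset. The following POSIX shell script is an added diagnostic example, not code from this PR or from nix-darwin: it checks the two locations named in the thread plus any NIX_SSL_CERT_FILE or SSL_CERT_FILE override, reports the first readable, non-empty bundle an OpenSSL-linked tool such as git or curl would end up with, and counts the PEM certificates in it. The function names, the assumed precedence of the environment variables over the built-in paths, and the SSL_CERT_FILE check are mine.

```shell
#!/bin/sh
# Added diagnostic example; not code from the PR or from nix-darwin.
# Candidate paths come from the thread: nix-darwin populates the first,
# the nixpkgs OpenSSL darwin patch falls back to the second.
NIX_DARWIN_BUNDLE=/etc/ssl/certs/ca-certificates.crt
OPENSSL_DARWIN_FALLBACK=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt

# first_readable_bundle PATH...: print the first argument that resolves to a
# readable, non-empty regular file (symlinks such as /etc/ssl/certs -> /etc/static
# are followed). Returns 1 when none qualifies, which is the situation behind
# "error:80000002:system library::No such file or directory".
first_readable_bundle() {
  for candidate in "$@"; do
    if [ -f "$candidate" ] && [ -r "$candidate" ] && [ -s "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none;
# grep exits 1 on zero matches, hence the || true).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# ca_bundle_report: show what an OpenSSL-linked tool would load on this host.
# Assumed precedence (my assumption, not from the thread): an explicit
# *_CERT_FILE variable is tried before the built-in default locations.
ca_bundle_report() {
  set --
  for var in NIX_SSL_CERT_FILE SSL_CERT_FILE; do
    eval "value=\${$var:-}"
    if [ -n "$value" ]; then
      echo "$var=$value"
      set -- "$@" "$value"
    fi
  done
  set -- "$@" "$NIX_DARWIN_BUNDLE" "$OPENSSL_DARWIN_FALLBACK"
  if bundle=$(first_readable_bundle "$@"); then
    echo "usable CA bundle: $bundle ($(count_certs "$bundle") certificates)"
    # realpath is what the thread used to resolve the /etc/static symlink chain
    command -v realpath >/dev/null 2>&1 && echo "resolves to: $(realpath "$bundle")"
  else
    echo "no readable CA bundle among: $*"
    echo "TLS clients linked against OpenSSL will fail with 'No such file or directory'"
  fi
  return 0
}

ca_bundle_report
```

Run it once in a login shell and once with `env -u NIX_SSL_CERT_FILE sh ca-bundle-check.sh`; on a host that reproduces the failure above, the second run reports no readable bundle while the first finds the nix-darwin one, which pins the fault to the default search path rather than to git or the network.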

zowoq (Contributor Author) commented Nov 17, 2024

Yes, that is it, good find.

I think the correct solution would be to update the OpenSSL patches to check both /etc/ssl/certs/ca-certificates.crt and /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt on macOS to better support nix-darwin

Agreed.
