Fix the nix-daemon Mac OS SSL CA cert #4023

Merged
merged 1 commit into from Sep 21, 2020

maljub01
Contributor

Mac OS multi-user installations are currently broken because all requests
made by nix-daemon to the binary cache fail with:

```
unable to download ... Problem with the SSL CA cert (path? access rights?) (77).
```

This change ensures that the nix-daemon knows where to find the SSL CA cert file.

Fixes #2899 and #3261.

@@ -4,6 +4,8 @@
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>NIX_SSL_CERT_FILE</key>
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
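
Review bot: the `<string>` value under `NIX_SSL_CERT_FILE` hard-codes the default-profile bundle path, and nothing in the plist says why the daemon needs the variable set explicitly. Once it is set, that one file is the daemon's only source of trusted CAs, so a short XML comment beside the key (or a line in the commit message) should state that the file must exist and be readable by the daemon, and what is expected to install it. A missing or unreadable file at that path would presumably still end in the error 77 quoted in the description.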
Member


When NIX_SSL_CERT_FILE is unset, Nix should default to this:

```cpp
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
```

see also 847f19a

Contributor Author


Interesting. Something very weird must be going on then. Perhaps it was restarting the daemon rather than this setting that fixed it for me. I removed the environment variable and the daemon is still working ok.

Is it possible that the daemon is unable to access the certificate the first time it is started for some reason? Since it's clear from the other reports that I'm not the only one who had this problem with a fresh installation of Nix.

Member


That's a good point. caFile is set only once, when the daemon starts, so if the CA bundle is installed afterwards, the daemon needs to be restarted.
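
The lookup behaviour discussed in this review thread, as an added shell example that is not part of the pull request or Nix's own code: it models the fallback order quoted above and the "set only once, when the daemon starts" caching, and shows that with the variable set the chosen path no longer depends on when the bundle is installed. The function names, the scratch-directory paths and the rule that the first existing candidate wins are assumptions.

```shell
#!/bin/sh
# Added example (not Nix source): models the CA-bundle lookup discussed above.

# resolve_ca_file ENV_VALUE CANDIDATE...
# Prints the path a lookup settles on. A non-empty ENV_VALUE (standing in for
# NIX_SSL_CERT_FILE) is taken as-is; otherwise the first candidate that exists
# wins (assumption: the quoted loop tests each path for existence).
resolve_ca_file() {
    env_value=$1
    shift
    if [ -n "$env_value" ]; then
        printf '%s\n' "$env_value"
        return 0
    fi
    for candidate in "$@"; do
        if [ -e "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1  # no bundle found: the lookup ends with no CA file
}

# daemon_is_stale STARTUP_CHOICE ENV_VALUE CANDIDATE...
# Exit 0 when a lookup made now differs from the one cached at daemon start,
# i.e. only a restart would make the daemon see the current answer.
daemon_is_stale() {
    at_start=$1
    shift
    now=$(resolve_ca_file "$@") || now=""
    [ "$at_start" != "$now" ]
}

# Constructed scenario in a scratch directory: the bundle appears after start.
demo() {
    root=$(mktemp -d)
    etc="$root/etc/ca-certificates.crt"   # stands in for the /etc/ssl/certs path
    prof="$root/profile/ca-bundle.crt"    # stands in for the default-profile path
    unset_start=$(resolve_ca_file "" "$etc" "$prof") || unset_start=""
    pinned_start=$(resolve_ca_file "$prof" "$etc" "$prof")
    mkdir -p "$root/profile" && : > "$prof"   # CA bundle installed afterwards
    r1=ok; daemon_is_stale "$unset_start" "" "$etc" "$prof" && r1=stale
    r2=ok; daemon_is_stale "$pinned_start" "$prof" "$etc" "$prof" && r2=stale
    rm -rf "$root"
    printf 'variable unset: %s, variable set: %s\n' "$r1" "$r2"
}
demo
```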

@edolstra
Member

Thanks. I've merged this since it seems the easiest way to make the daemon behave predictably.

@shlevy
Member

shlevy commented Oct 21, 2020

@edolstra Can we get a new release with this?

@edolstra
Member

@shlevy Sure, I've cherry-picked it to the 2.3 branch. Will do a release later today.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/user-study-learning-journey-1/21398/1

Successfully merging this pull request may close these issues.

Multi-user installation on OSX - SSL cert problem for user, not for root