Hi,
I am back with the ssl_cert_file issue. I had originally reported this issue and it was fixed in the previous installer. But I recently wiped out the laptop and reinstalled with the latest version. This time I set the environment variable
`export NIX_INSTALLER_SSL_CERT_FILE=/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem`
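Installer succeeded. I see in the receipt.json the following lines.
All good so far.
Now, I have a project level nix flake `flake.nix` file and I use direnv. My `.envrc` file is as follows
Now inside the flake I have the following lines
The important part here is the opentelemetry-cpp `overrideAttrs` section. I wanted to use the latest version available from github rather than the nixpkgs one.
When I save this file nix tries to download the archive tar.gz file through curl but fails.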
```
source> error: cannot download source from any mirror
error: builder for '/nix/store/ms5g9il49nlb0mp4n6cgmr70chvkq3wy-source.drv' failed with exit code 1;
last 19 log lines:
> error checking the existence of https://tarballs.nixos.org/sha256/:
> curl: (60) SSL certificate problem: self-signed certificate in certificate chain
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> trying https://github.com/open-telemetry/opentelemetry-cpp/archive/v1.15.0.tar.gz
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> curl: (60) SSL certificate problem: self-signed certificate in certificate chain
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> error: cannot download source from any mirror
For full logs, run 'nix log /nix/store/ms5g9il49nlb0mp4n6cgmr70chvkq3wy-source.drv'.
error: 1 dependencies of derivation '/nix/store/z891gdjgr144f2z7iniw0dli7pm8426k-opentelemetry-cpp-1.15.0.drv'
```
Last time, I remember that I had to modify the launch daemon, so I checked and found that the nix-daemon environment section does not have the `NIX_SSL_CERT_FILE` set to the file I passed.
`cat /etc/nix/nix.conf` has the attribute `ssl-cert-file = /Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem`
I tried to change the nix-daemon.plist to add the environment variable as well and relaunch the daemon.
I confirmed with the `launchctl procinfo` command that it indeed does have this variable set.
However, I still get the same error on the project level flake.
I then tried to override the file (which is the 2nd thing I used to do before) `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt` with my concatenated version of the file. I use the original, append mine and put it there. These 2 things in the past seemed to have worked, but not anymore.
Other observation.
After installation I did not have the directory `/nix/var/nix/profiles/per-user/<My user>` created. So, when I ran `nix build .#laptop` it failed. I had to create this directory and put the correct chown permission.
The directory `~/.nix-profile` which gets symlinked does not have the `/etc/ssl/certs` folder which means the `per-user` directory does not have this folder, but the `default` profile directory does have this. I don't know the repercussions of this.
I also found that the documentation around ssl-cert-file is not clear and hidden. It would be nice to document what are the changes that happen to the system when someone passes in ssl-cert-file during installation. For example, is the nix-daemon plist modified or not, if not why not.
Also, where should the per project flakes which use fetchFromGithub get the correct settings so that the internal usage of curl can get the proper certificates to be able to download.
If within that project directory (where direnv and nix develop failed with the curl ssl error) I manually do the `curl` on that above URL it can download the file, which means that during the `develop` it's not getting the same settings.
I picked one output derivation that gave error.
You can see that the SSL_CERT_FILE is set to /no-cert-file.crt instead of the one that I provided during install.
I build my system using nix flake and am also noticing that
~/.nix-profile/etc points to etc -> /nix/store/v1v6sq5w6p6jbqbf1l7myms27mfi71w2-home-manager-path/etc now which does not have ssl certs
I tried to create a symlink in `~/.nix-profile/etc` to the `/nix/var/nix/profiles/default/etc/ssl` such that

- `~/.nix-profile/` points to `/nix/var/nix/profiles/per-user/USER/profile`
- `~/.nix-profile/bin/` -> points to `/nix/store/v1v6sq5w6p6jbqbf1l7myms27mfi71w2-home-manager-path/bin` <- home manager
- `~/.nix-profile/etc` points to -> `/nix/store/v1v6sq5w6p6jbqbf1l7myms27mfi71w2-home-manager-path/etc` <- home-manager tc.

However, inside `~/.nix-profile/etc/ssl` points to `/nix/var/nix/profiles/default/etc/ssl` and now my flake works fine. So, I am not sure how all of this lines up but I find that every time I find a new way to do things.
The `/nix/var/nix/profiles/default/etc` has ssl directory but `/nix/var/nix/profiles/per-user/<myuser>/profile/etc` does not have ssl directory.
The latter is what is linked to `~/.nix-profile` and hence, I believe the SSL certificates are not factored when running nix flakes.
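An added example, not part of the original thread and not the installer's code: a Python check that reports, for each CA bundle path being juggled above, whether the file is missing, malformed by concatenation, or actually contains the intercepting proxy's root. The certificates are constructed placeholders with dummy bytes, and the file names in `demo()` are assumptions standing in for the real bundle paths.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# BEGIN must open a line and END must close one, as PEM framing requires.
BLOCK = re.compile(rf"^{BEGIN}\r?\n([A-Za-z0-9+/=\r\n]+?)\r?\n{END}[ \t]*\r?$", re.M)

def fingerprints(pem_text):
    """Return (SHA-256 fingerprints of parsable certs, well_formed flag)."""
    bodies, prints = BLOCK.findall(pem_text), set()
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            return prints, False
        prints.add(hashlib.sha256(der).hexdigest())
    # Fewer parsed blocks than BEGIN markers: two files were glued together
    # without a newline, or a block was truncated.
    return prints, len(bodies) == pem_text.count(BEGIN)

def audit_bundle(path, ca_pem):
    """Classify a bundle path as missing, malformed, absent or present."""
    path = Path(path)
    if not path.is_file():
        return "missing"
    have, ok = fingerprints(path.read_text(errors="replace"))
    if not ok:
        return "malformed"
    want, _ = fingerprints(ca_pem)
    return "present" if want and want <= have else "absent"

def placeholder_pem(label):
    """Constructed stand-in: real PEM framing around dummy bytes."""
    body = base64.encodebytes(label.encode() * 8).decode().strip()
    return f"{BEGIN}\n{body}\n{END}"  # deliberately no trailing newline

def demo():
    stock, ca = placeholder_pem("stock-root"), placeholder_pem("proxy-root")
    files = {"stock.crt": stock,                    # CA never appended
             "glued.crt": stock + ca,               # cat of a file lacking final \n
             "combined.crt": stock + "\n" + ca + "\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in files.items():
            Path(tmp, name).write_text(text)
        names = [*files, "no-cert-file.crt"]        # never created
        return {n: audit_bundle(Path(tmp, n), ca) for n in names}

if __name__ == "__main__":
    print(demo())
```

Run against the real files, `audit_bundle` takes each candidate bundle path and the text of the CA file that was appended; a `malformed` result points at the concatenation step rather than at Nix's configuration.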