
SSL Certificates not configured by default. #101

Open
kevincox opened this issue Oct 1, 2020 · 5 comments
Assignees
Labels
bug Something isn't working

Comments

@kevincox

kevincox commented Oct 1, 2020

```
% docker run nixery.dev/shell/cacert/wget wget https://google.com 
--2020-10-01 19:25:03--  https://google.com/
Resolving google.com (google.com)... 172.217.1.14, 2607:f8b0:400b:80f::200e
Connecting to google.com (google.com)|172.217.1.14|:443... connected.
ERROR: cannot verify google.com's certificate, issued by 'CN=GTS CA 1O1,O=Google Trust Services,C=US':
  Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.
```

It seems to be relatively easy to solve:

```
% docker run nixery.dev/shell/cacert/wget wget https://google.com --ca-certificate=/etc/ssl/certs/ca-bundle.crt
```

Maybe this should be added to the docs or ideally set the environment variable automatically.

@tazjin tazjin added the bug Something isn't working label Oct 27, 2020
@tazjin
Owner

tazjin commented Oct 27, 2020

Hmm, this is a bit tricky potentially. In NixOS these environment variables are set up by a setup hook, which exports variables with the full store paths of the certificates. We don't really have a good point at which we can run the setup hooks.

An alternative - since we have the symlink layer - is to always set the variable to the path outside of the store. That's probably a decent initial solution.

@tazjin tazjin self-assigned this Oct 27, 2020
@kevincox
Author

Docker does have support for setting default variables in the image. I don't know if the nix builder supports that but it might be a route to investigate.

https://docs.docker.com/engine/reference/builder/#env

@tazjin
Owner

tazjin commented Oct 28, 2020

Yeah, we can set environment variables (the builder code is part of Nixery itself) in the image. The question is what to set them to. I have some ideas, but need to try it out ...

@florianrusch

Is there any progress on this? Discovered the same problem with curl today.

@flokli
Contributor

flokli commented Aug 25, 2021

This could probably be solved by setting SSL_CERT_FILE to `${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt` by default.

Discussion on this (and some other basic guarantees on nixery-built containers) is happening in #133.
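As an added example (not Nixery's code and not from anyone in this thread), a POSIX shell check that resolves which CA bundle a container's TLS clients will end up using, in the order the proposed fix relies on: SSL_CERT_FILE first, then well-known bundle paths. Only /etc/ssl/certs/ca-bundle.crt appears in the thread; the other paths, the optional rootfs prefix and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Resolve the CA bundle TLS clients in an image will use.
# Exit 0 and print the path when one is usable, 2 when SSL_CERT_FILE is set
# but dangling, 1 when nothing is found (the wget failure from this issue).
# $1 (optional, assumed): a root prefix such as a mounted image rootfs.
resolve_ca_bundle() {
  root="${1:-}"
  if [ -n "${SSL_CERT_FILE:-}" ]; then
    if [ -s "$root$SSL_CERT_FILE" ]; then
      printf '%s\n' "$SSL_CERT_FILE"
      return 0
    fi
    echo "SSL_CERT_FILE=$SSL_CERT_FILE points at a missing or empty file" >&2
    return 2
  fi
  # Nix cacert layout first (from the issue); the rest are common distro
  # locations and are assumptions here.
  for p in /etc/ssl/certs/ca-bundle.crt \
           /etc/ssl/certs/ca-certificates.crt \
           /etc/pki/tls/certs/ca-bundle.crt; do
    if [ -s "$root$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  echo "no CA bundle found: TLS verification will fail" >&2
  return 1
}

# Sanity check the bundle content: number of PEM certificates it carries.
count_pem_certs() {
  [ -r "$1" ] || { echo 0; return; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || true
  echo "${n:-0}"
}

# The image-level environment entry that makes verification work by default,
# which is what the thread proposes instead of per-tool flags.
env_line_for() {
  printf 'SSL_CERT_FILE=%s\n' "$1"
}
```

Run it against a mounted image root (`resolve_ca_bundle /mnt/rootfs`) to see whether that image would hit the "Unable to locally verify the issuer's authority" error before shipping it.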

No branches or pull requests

4 participants