
nix `--ssl-cert-file` flag does not pass cert correctly to git fetchers

Status: Open. crabdancing opened this issue 2 months ago (1 comment)

Describe the bug

nix's git submodule fetch appears to completely ignore any and all command-line flag, env-wide, OR system-wide configuration for cacerts, causing requests to be erroneously rejected due to SSL verification failures when using an HTTPS proxy.

Steps To Reproduce

These steps concern NixOS because it's what I'm familiar with, but it should be trivial to adapt them to other systems.

In order to reproduce this problem, you can set up a mitmproxy instance with a self-signed certificate. (There are other ways, though, probably.)

mitmdump --set confdir=.mitmproxy

Then send SIGINT. You should see a full set of cert files generated under ./.mitmproxy/:

mitmproxy-ca-cert.cer  mitmproxy-ca-cert.pem  mitmproxy-ca.pem
mitmproxy-ca-cert.p12  mitmproxy-ca.p12       mitmproxy-dhparam.pem

Since certificateFiles is eval-time, to add it to the system-wide config we can do:

security.pki.certificateFiles = [
  ./mitmproxy-ca-cert.pem
];

(For flake-based systems, we must of course add the file to git tracking.)

Rebuild the system however you do that; nixos-rebuild switch or what have you.

Next we run this again:

mitmdump --set confdir=.mitmproxy

And while it's running, try to build & fetch using this proxy:

http_proxy=http://127.0.0.1:8080 https_proxy=http://127.0.0.1:8080 NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt nix build github:SaumonNet/proxmox-nixos#proxmox-ve --ssl-cert-file /etc/ssl/certs/ca-certificates.crt --accept-flake-config false

Expected behavior

I expect that when I pass --ssl-cert-file or set NIX_SSL_CERT_FILE, all subprocesses Nix calls for fetching deps should trust what I told it to trust.

Metadata

nix-env (Nix) 2.28.5

Additional context

Here is the full output of the failure mode against the repo on which I first tried this. I've also tried adding my path to extra-sandbox-paths in case that'd do something; it does not make a difference. For convenience, the repo for the target package I was trying to build (pve-qemu) is here.


crabdancing · Nov 12 '25 07:11
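A diagnostic that a reader reproducing the steps above can run before the nix build. It is added here as an example; it is not part of the issue text and not Nix's own code. It checks that the mitmproxy CA actually landed in the bundle handed to --ssl-cert-file (by comparing certificate bodies rather than trusting the file name), and lists which of the environment variables read by the TLS clients that can take part in a fetch (NIX_SSL_CERT_FILE for Nix's own fetchers, SSL_CERT_FILE for OpenSSL's default trust store, GIT_SSL_CAINFO for git's HTTPS transport, CURL_CA_BUNDLE for the curl tool) do not point at that bundle. Which of these Nix forwards to a git subprocess is exactly what the report is about, so the script treats the mapping as something to test rather than a statement about Nix: if the fetch succeeds only once GIT_SSL_CAINFO is exported alongside the Nix flag, the bundle was never handed to git. The script name and file paths are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the reproduction above; not part of the issue or of Nix.
# Usage (paths are assumptions):
#   sh ca-check.sh /etc/ssl/certs/ca-certificates.crt ./.mitmproxy/mitmproxy-ca-cert.pem

# Variables read by the TLS clients that can take part in a Nix fetch:
#   NIX_SSL_CERT_FILE  Nix's own fetchers
#   SSL_CERT_FILE      OpenSSL's override of its default trust file
#   GIT_SSL_CAINFO     git's HTTPS transport (a git subprocess, if one is spawned)
#   CURL_CA_BUNDLE     the curl command-line tool
# Whether Nix passes any of these on to a git subprocess is the open question.
CA_VARS="NIX_SSL_CERT_FILE SSL_CERT_FILE GIT_SSL_CAINFO CURL_CA_BUNDLE"

# pem_body FILE: base64 body of the first certificate in FILE with header,
# footer, CRs and line breaks removed, so two PEM files compare equal
# regardless of how the base64 was wrapped.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; b = ""; next }
         /-----END CERTIFICATE-----/   { print b; exit }
         inb { gsub(/[ \r]/, ""); b = b $0 }' "$1"
}

# bundle_contains BUNDLE CA: succeed if the certificate in CA is one of the
# certificates in BUNDLE. Returns 2 if CA holds no certificate at all.
bundle_contains() {
    body=$(pem_body "$2")
    [ -n "$body" ] || return 2
    # One normalised body per line for every certificate in the bundle,
    # then an exact whole-line match against the CA body.
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; b = ""; next }
         /-----END CERTIFICATE-----/   { print b; inb = 0; next }
         inb { gsub(/[ \r]/, ""); b = b $0 }' "$1" | grep -qxF -- "$body"
}

# missing_ca_vars BUNDLE: print, one per line, the variables in CA_VARS that
# are unset or point somewhere other than BUNDLE. Prints nothing if all agree.
missing_ca_vars() {
    for v in $CA_VARS; do
        eval "val=\${$v:-}"
        [ "$val" = "$1" ] || echo "$v"
    done
}

# ca_env_exports BUNDLE: export lines that hand BUNDLE to every client in
# CA_VARS, so the fetch can be retried with one consistent trust store.
ca_env_exports() {
    for v in $CA_VARS; do
        echo "export $v='$1'"
    done
}

if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    bundle=$1
    ca=$2
    if bundle_contains "$bundle" "$ca"; then
        echo "ok: $ca is present in $bundle"
    else
        echo "MISSING: $ca is not in $bundle (rebuild with security.pki.certificateFiles first)"
    fi
    missing=$(missing_ca_vars "$bundle")
    if [ -n "$missing" ]; then
        echo "variables not pointing at $bundle:"
        echo "$missing" | sed 's/^/  /'
        echo "retry the fetch after:"
        ca_env_exports "$bundle"
    else
        echo "ok: every client variable points at $bundle"
    fi
fi
```

Run it once with the bundle and the mitmproxy CA; if the CA is reported missing, the certificateFiles rebuild did not take and the SSL error is expected. If it is present and the fetch still fails with only NIX_SSL_CERT_FILE set, re-run the build with the printed export lines in the environment: success at that point narrows the problem to a subprocess that was not given the bundle.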

Is this using the builtin nix fetchers (eval-time builtins.fetchGit) or nixpkgs ones? From the looks of things in the log it's the nixpkgs FOD fetcher. Could you clarify that?

xokdvium · Dec 01 '25 21:12