nix
nix copied to clipboard
NixOS
Nix-daemon systemd unit missing `NIX_SSL_CERT_FILE`
If NIX_SSL_CERT_FILE exist during the multi-user installation it will be used and the Nix provided bundle will not be installed (c.f https://github.com/NixOS/nix/pull/2181). In this case I think the installed systemd unit file for nix-daemon.service should also provide this environment variable:
[Service]
...
Environment="NIX_SSL_CERT_FILE=<value>"
Otherwise the installation will succeed but any non-root user will not be able to download anything via the daemon due to missing environment unless:
-
SSL_CERT_FILEis exported (unlikely in systemd units) - You happen to use a distribution with a bundle in "/etc/ssl/certs/ca-certificates.crt" C.f.: https://github.com/NixOS/nix/blob/ab4dd1d78306c58cb9ee1fa5009ef18b67e26314/src/libstore/globals.cc#L48-L55
See also https://github.com/NixOS/nix/pull/3141 where I try to get some observability logging accepted.
cc: @grahamc
Ran into this while installing Nix in Fedora 32 just now; ugly workaround for the meantime is a ln -sf /etc/ssl/certs/ca-{bundle,certificates}.crt.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
I ran into this while doing a multi-user Nix installation on AlmaLinux.
Xbreak's solution mentioned in a nixpkgs issue worked for me: systemctl edit nix-daemon.service, paste in:
[Service]
Environment="NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
Same issue in RHEL 7, modifying the systemd service file worked for me as well
Users are still reporting issues with this in https://github.com/NixOS/nixpkgs/issues/70939
Same issue in Fedora 35.
Doing @zakame workaround, solved for me:
sudo ln -sf /etc/ssl/certs/ca-{bundle,certificates}.crt
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/nix-cannot-find-my-custom-ssl-certificate/27361/5
