Not all fetches use system ssl certs
Describe the bug
Some fetchers (at least fetchgit) do not use extra certificates set in the NixOS option security.pki.certificates or certificateFiles, or the system certs on any OS. This causes builds to fail when used with a TLS intercepting proxy.
The security implication here is that fetches could use out-of-date certs specified in an old nixpkgs revision.
See also https://github.com/NixOS/nixpkgs/issues/89526 and https://github.com/NixOS/nixpkgs/issues/101119
To Reproduce
Steps to reproduce the behavior:
- Be behind a TLS intercepting proxy.
- Set the NixOS option security.pki.certificates to include the MITM certs and switch.
- Observe that a user can use curl and git and successfully navigate through the proxy.
- Observe that builtins.fetchurl works:
  ```shell
  nix-build $(nix-instantiate --expr 'builtins.fetchurl{url="https://github.com"; sha256="1111111111111111111111111111111111111111111111111111111111111111";}') # Fails after fetching the file
  ```
- Observe that fetchgit fails:
  ```
  $ nix-build $(nix-instantiate --expr 'with (import <nixpkgs>{}); fetchgit{url="https://github.com/nixos/nixpkgs";sha256="1111111111111111111111111111111111111111111111111111111111111111";rev="foo";}')
  warning: you did not specify '--add-root'; the result might be removed by the garbage collector
  these derivations will be built:
    /nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv
  building '/nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv'...
  exporting https://github.com/nixos/nixpkgs (rev foo) into /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs
  Initialized empty Git repository in /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs/.git/
  fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
  fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
  fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
  Unable to checkout refs/tags/foo from https://github.com/nixos/nixpkgs.
  builder for '/nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv' failed with exit code 1
  ```
- Modify the cacert package to include the MITM certs in ca-bundle.crt.
- Observe that fetchgit works:
  ```
  $ nix-build $(nix-instantiate --expr 'with (import <nixpkgs>{}); fetchgit{url="https://github.com/nixos/nixpkgs";sha256="1111111111111111111111111111111111111111111111111111111111111111";rev="foo";}')
  warning: you did not specify '--add-root'; the result might be removed by the garbage collector
  these derivations will be built:
    /nix/store/bwfscaj59r1vjhrvx6myny762s3szkkc-nixpkgs.drv
  building '/nix/store/bwfscaj59r1vjhrvx6myny762s3szkkc-nixpkgs.drv'...
  exporting https://github.com/nixos/nixpkgs (rev foo) into /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs
  Initialized empty Git repository in /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs/.git/
  fatal: couldn't find remote ref refs/tags/foo
  remote: Enumerating objects: 28, done.
  remote: Counting objects: 100% (28/28), done.
  remote: Compressing objects: 100% (28/28), done.
  ```
Expected behavior
The certs used for fetchers should be consistent. And if the MITM certs aren't used, then documentation should explain what a user must do to use them in fetchers.
Metadata
- system: `"x86_64-linux"`
- host os: `Linux 5.4.70, NixOS, 20.03.git.d3784204ba1 (Markhor)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.3.6`
- channels(root): `"nixos-19.09.2152.790970f6b1c"`
- nixpkgs: `/home/j/src/nixpkgs`
Cc @roberth
I marked this as stale due to inactivity.
Still important to me, @stalebot
I marked this as stale due to inactivity.
Still relevant
This has suddenly become very relevant to us, as the company policy introduces deep packet inspection based on man-in-the-middle interception of SSL packets. Without trusting the company certificate, nix cannot download anything anymore in fixed-output derivations (i.e. the TLS intercepting proxy mentioned above).
Other users have also encountered that need: https://stackoverflow.com/questions/61754673/how-to-access-ca-certificates-when-building-derivation
The straightforward solution is to provide (a copy of) the system certificates in fixed-output derivation sandboxes and set NIX_SSL_CERT_PATH accordingly. WDYT?
We already do it for network proxies anyway.
@layus I am facing the same issue to trust the company certificate, but I don't know how to make it work.
Could you please explain your "straightforward" solution in more detail. What exactly do you need to do with the company's .crt file to make it work again?
Do you refer to NixOS or single-/multi-user Nix over some other OS?
@zoranbosnjak It depends on the kind of fetcher you are using, and the way you are using them.
- fetchurl with a fixed hash will not check SSL certs
- fetchurl with an empty hash will use system certs
- some fetchers are nix client actions
- fetchers implemented as derivations (well, fixed-output derivations) do not have access to system certs.
The straightforward fix is to add NIX_SSL_CERT_FILE="${/etc/ssl/cert/...}"; to your fixed-output derivations, and hope that your build logic will find it. I need more details to help you otherwise.
@layus I am using fetchgit. I am not exactly sure how to apply your suggestion. The fetcher has a fixed (git) hash, but requires an SSL cert anyway. I assume the fixed nix hash is required? The simplified problem with some experiments is described here: https://github.com/NixOS/nixpkgs/issues/201189
Started a fix in https://github.com/NixOS/nix/pull/7312.
It will require the fixed-output builders to adapt, as they apparently force the certificates to the vanilla ones in ${cacert}. (See fetchgit for example)
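The following is an added example, not code from this thread, from nixpkgs, or from the linked PR. It puts the two workarounds discussed above side by side: an overlay that overrides cacert, so that fetchgit's builder (which pins its trust store to the bundle in ${cacert}, as noted in the previous comment) also trusts the interception CA, and a hand-written fixed-output derivation that exports NIX_SSL_CERT_FILE as suggested earlier in the thread. It assumes a nixpkgs revision whose cacert package accepts an extraCertificateFiles override argument and whose openssl honours NIX_SSL_CERT_FILE; the file ./corp-proxy-ca.crt, the artifact URL, the rev and the hashes are placeholders to be replaced with real values.

```nix
# Added example (not from the issue, nixpkgs or the linked PR).
# Assumptions: cacert supports `override { extraCertificateFiles = ...; }`,
# fetchgit's builder reads its CA bundle from ${cacert}, and the nixpkgs
# openssl honours NIX_SSL_CERT_FILE. ./corp-proxy-ca.crt is a placeholder
# for the PEM certificate of the TLS intercepting proxy.
let
  corpCa = ./corp-proxy-ca.crt;

  # Overlay: replace cacert with a bundle that also carries the proxy CA.
  # Every fixed-output builder that points at ${cacert}/etc/ssl/certs/ca-bundle.crt
  # (fetchgit among them) now sees the extra root without further changes.
  trustProxyCa = self: super: {
    cacert = super.cacert.override {
      extraCertificateFiles = [ corpCa ];
    };
  };

  pkgs = import <nixpkgs> { overlays = [ trustProxyCa ]; };
in
{
  # 1. fetchgit through the overlaid package set: its builder sets
  #    GIT_SSL_CAINFO to the overlaid bundle, so the handshake with the
  #    proxy verifies and the build proceeds to the hash check.
  src = pkgs.fetchgit {
    url = "https://github.com/nixos/nixpkgs";
    rev = "0000000000000000000000000000000000000000";   # placeholder rev
    sha256 = "0000000000000000000000000000000000000000000000000000";  # placeholder
  };

  # 2. The NIX_SSL_CERT_FILE route for a fixed-output derivation you write
  #    yourself: the sandbox has no /etc/ssl, so hand the bundle to the
  #    build explicitly. Tools linked against the nixpkgs openssl read it.
  custom = pkgs.stdenv.mkDerivation {
    name = "proxied-fetch";
    nativeBuildInputs = [ pkgs.curl ];
    NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
    outputHashMode = "flat";
    outputHashAlgo = "sha256";
    outputHash = "0000000000000000000000000000000000000000000000000000";  # placeholder
    buildCommand = ''
      # Placeholder URL; --fail turns an HTTP error into a build failure
      # instead of silently hashing an error page.
      curl --fail --location --output "$out" https://example.com/artifact.tar.gz
    '';
  };
}
```

Build one attribute at a time with `nix-build example.nix -A src` or `-A custom`. With the placeholder hashes the build is expected to end in a hash mismatch after the download completes; that is the same signal the issue uses to tell a successful TLS handshake apart from the `unable to get local issuer certificate` failure. Note that the overlay changes the cacert store path, so every package depending on cacert is rebuilt or re-fetched under the overlaid set.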
@layus This fix https://github.com/NixOS/nix/pull/7312 does not work for me. However, based on it, I found a fix that does work: https://github.com/zoranbosnjak/nix/commit/161e6c477cb881b46b7905426247ba61a299e960
Could you please help me integrate it into nix upstream.