nix-shell doesn't seem to respect NIX_SSL_CERT_FILE
Describe the bug
I am trying to use Nix at work on macOS, where they've deployed Zscaler. I tried setting NIX_SSL_CERT_FILE to the Zscaler cert but it did not help.
Expected behavior
nix-shell should run without SSL errors
$ nix-shell -p bash
warning: error: unable to download 'https://cache.nixos.org/17b5l9alb7qpsp8lmr5n6wxb28gym4jr.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 259 ms
warning: error: unable to download 'https://cache.nixos.org/69yz72wwqfz7wbx1k2pd1f29wqzh3irl.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 291 ms
warning: error: unable to download 'https://cache.nixos.org/skr40k4d29vyv4nqdmi7dnfw1bvjqx89.narinfo': SSL peer certificate
^Cerror: interrupted by the user
Same here, while trying out minimal ISO.
I think this will be fixed by https://github.com/NixOS/nix/pull/8062. IIRC, the issue is that NIX_SSL_CERT_FILE is also set in the nix-daemon LaunchDaemon. You might be able to run launchctl setenv NIX_SSL_CERT_FILE /path/to/cert and see if that works for you until that PR is merged and Nix is released with that option.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/nix-cannot-find-my-custom-ssl-certificate/27361/3
I think this will be fixed by #8062. IIRC, the issue is that NIX_SSL_CERT_FILE is also set in the nix-daemon LaunchDaemon. You might be able to run launchctl setenv NIX_SSL_CERT_FILE /path/to/cert and see if that works for you until that PR is merged and Nix is released with that option.
This, followed by stopping then starting nix-daemon (sudo launchctl stop org.nixos.nix-daemon && sudo launchctl start org.nixos.nix-daemon) solved my issue on macOS with a corporate SSL strip proxy.
Thanks!