Nix install script fails on MacOS due to SSL error

Open sweller999 opened this issue 1 year ago • 3 comments

Platform

  • [ ] Linux:
  • [X] macOS
  • [ ] WSL

Additional information

Line used to run script:

sh <(curl -L https://nixos.org/nix/install)

Previously attempted installation via the script available here: https://nix.dev/tutorials/install-nix

The above script failed due to the same SSL error I encountered while using the nix.dev script.

Output

I am executing:

    $ sudo HOME=/var/root NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3/bin/nix-channel --update nixpkgs

to update the default channel in the default profile

warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 254 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 502 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 1028 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 2765 ms
error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60)

Priorities

Add :+1: to issues you find important.

sweller999, Mar 20 '23 22:03

Likely related:

  • #7808
  • #7914
  • #8022

abathur, Mar 21 '23 01:03

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-installer-workgroup/21495/20

nixos-discourse, Mar 29 '23 15:03

Got the same issue on my company Mac M1 laptop that uses Netskope to "secure" internet traffic (doing man-in-the-middle using a company certificate). I guess many companies use similar proxy software that will break nix the same way. I was able to fix the installation by following these steps (based on the last post in https://discourse.nixos.org/t/ssl-ca-cert-error-on-macos/31171/6).

Run the installer that will fail due to SSL errors, and then fix the install by:

  1. First you generate a new bundle containing all your custom certificates to be used by nix

    security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o /tmp/certs-system.pem
    security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/certs-root.pem
    cat /tmp/certs-root.pem /tmp/certs-system.pem > /tmp/ca_cert.pem
    sudo mv /tmp/ca_cert.pem /etc/nix/

  2. Update the conf file /etc/nix/nix.conf to reference the bundle

    ssl-cert-file = /etc/nix/ca_cert.pem

  3. Relaunch the daemon

    sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
    sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist

You should now be able to resume the install by running the command displayed at the end of the installer output:

sudo -i nix-channel --update nixpkgs

jlhuilier-1a, Feb 24 '24 16:02
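A read-only check of what the steps in the comment above leave behind, as an added example that is not part of the thread or of Nix. The function names are hypothetical, and the script assumes that the last `ssl-cert-file` line in nix.conf is the one that applies. It also reports the bundle's owner, because a file built in /tmp as the login user and then moved with `sudo mv` keeps that user as its owner.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks of the bundle set up above.

# Effective ssl-cert-file in a nix.conf. Assumption: if the key is set more
# than once, the last assignment is the one that applies.
nix_conf_cert_file() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*ssl-cert-file[ \t]*$/ { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Count complete PEM certificates; fail on an empty or truncated bundle.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----/   { if (inblk) n++; else bad = 1; inblk = 0 }
        END { if (bad || inblk || n == 0) exit 1; print n }
    ' "$1"
}

# Numeric owner of a file (symlinks followed). A trust bundle read by the
# root-run nix-daemon should not be writable by an unprivileged account.
file_owner_uid() {
    ls -lnL "$1" | awk '{ print $3 }'
}

# Status: 0 usable, 2 no setting, 3 unreadable, 4 bad PEM, 5 not owned by root.
check_nix_ca_bundle() {
    conf=${1:-/etc/nix/nix.conf}
    bundle=$(nix_conf_cert_file "$conf") || return 2
    [ -r "$bundle" ] || return 3
    count=$(pem_cert_count "$bundle") || return 4
    owner=$(file_owner_uid "$bundle")
    echo "$bundle: $count certificates, owner uid $owner"
    [ "$owner" = 0 ] || return 5
}

# Fetch the channel URL from the failing log while trusting only the bundle.
# curl exits with 60 (the code shown in the log) if the chain still does not verify.
probe_channel() {
    curl --cacert "$1" -sS -o /dev/null -I https://nixos.org/channels/nixpkgs-unstable
}

if [ "${1:-}" = "--run" ]; then
    check_nix_ca_bundle; echo "check_nix_ca_bundle status: $?"
    probe_channel "$(nix_conf_cert_file /etc/nix/nix.conf)" && echo "TLS verification OK"
fi
```

Status 5 is the expected result right after the steps as written; `sudo chown root:wheel /etc/nix/ca_cert.pem` and `sudo chmod 644 /etc/nix/ca_cert.pem` make the bundle root-owned and not writable by other accounts.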