Skip to content

Instantly share code, notes, and snippets.

@CMCDragonkai

CMCDragonkai/nix_ca_certificate_handling.md

Created October 16, 2018 07:02
Show Gist options
  • Save CMCDragonkai/1ae4f4b5edeb021ca7bb1d271caca999 to your computer and use it in GitHub Desktop.
Save CMCDragonkai/1ae4f4b5edeb021ca7bb1d271caca999 to your computer and use it in GitHub Desktop.
Download ZIP
Nix CA Certificate Handling #nix
Raw
nix_ca_certificate_handling.md

Nix CA Certificate Handling

Some applications requires contacting HTTPS endpoints. In those cases you need to supply the CA certificates.

Most Nix applications won't package in the CA certificates, this is because they can make use of the OS provided CA certificate store.

The NixOS location for this is at: /etc/ssl/certs.

The OpenSSL library in Nixpkgs is compiled to use that path if there is no environment variables such as SSL_CERT_FILE.

In cases where you must specify the location explicitly such as when you're packaging a derivation into a Docker container.

You want to explicitly state the SSL_CERT_FILE environment variable while also bringning in the cacert package.

The cacert package has a setup hook that brings in the SSL_CERT_FILE, however that's only useful for nix-shell.

In most cases you want to do something like:

wrapProgram $out/bin/program \
  --set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"
@punnie
Copy link

punnie commented Jan 9, 2023

Thank you for this. It helped!

I've found while packaging a ruby program as a docker image that the wrapper approach doesn't work. However, setting the environment variable pointing to the CA bundle works:

        dockerImage = pkgs.dockerTools.buildImage {
          name = "application";
          tag = "latest";
          created = "now";

          copyToRoot = appPackage;

          config = {
            WorkingDir = "/app";
            Volumes = { "/tmp" = { }; };
            Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
          };
        };

@CMCDragonkai
Copy link
Author

That's a docker image, so yes you want to set an env variable.

However that should be set as a default variable, so it allows the user to override it with their own certs later.

@punnie
Copy link

punnie commented Jan 10, 2023

💯

@argonym
Copy link

argonym commented Oct 25, 2024

Note when using security.pki.certificateFiles or security.pki.certificates, ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt will not (anymore?) contain the certificate(s) specified this way. This is due to the NixOS "CA" module creating a derivation(?) of the "[nss-]cacert" package.

config.environment.etc."ssl/certs/ca-bundle.crt".source may be used instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment