Nix CA Certificate Handling #nix

nix_ca_certificate_handling.md

Nix CA Certificate Handling

Some applications requires contacting HTTPS endpoints. In those cases you need to supply the CA certificates.

Most Nix applications won't package in the CA certificates, this is because they can make use of the OS provided CA certificate store.

The NixOS location for this is at: /etc/ssl/certs.

The OpenSSL library in Nixpkgs is compiled to use that path if there is no environment variables such as SSL_CERT_FILE.

In cases where you must specify the location explicitly such as when you're packaging a derivation into a Docker container.

You want to explicitly state the SSL_CERT_FILE environment variable while also bringning in the cacert package.

The cacert package has a setup hook that brings in the SSL_CERT_FILE, however that's only useful for nix-shell.

In most cases you want to do something like:

wrapProgram $out/bin/program \
  --set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"

Thank you for this. It helped!

I've found while packaging a ruby program as a docker image that the wrapper approach doesn't work. However, setting the environment variable pointing to the CA bundle works:

        dockerImage = pkgs.dockerTools.buildImage {
          name = "application";
          tag = "latest";
          created = "now";

          copyToRoot = appPackage;

          config = {
            WorkingDir = "/app";
            Volumes = { "/tmp" = { }; };
            Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
          };
        };

That's a docker image, so yes you want to set an env variable.

However that should be set as a default variable, so it allows the user to override it with their own certs later.

💯