Some applications need to contact HTTPS endpoints. In those cases you have to supply the CA certificates they should trust.
Most Nix packages do not bundle CA certificates, because they can use the CA certificate store provided by the operating system.
On NixOS that store lives at /etc/ssl/certs.
The OpenSSL library in Nixpkgs is built to look in that path by default, as long as no environment variable such as SSL_CERT_FILE (or SSL_CERT_DIR) overrides it.
In cases where you must specify the location explicitly, such as when packaging a derivation into a Docker container (where /etc/ssl/certs does not exist), set the SSL_CERT_FILE environment variable explicitly and also bring in the cacert package, so that the bundle it points at is part of the closure.
The cacert package has a setup hook that exports SSL_CERT_FILE, but a setup hook only affects the environment the build runs in (for example a nix-shell), not the environment in which the installed program later runs.
In most cases you want to do something like the following in postInstall (wrapProgram is provided by the makeWrapper setup hook, so makeWrapper must be in nativeBuildInputs):
wrapProgram $out/bin/program \
--set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"
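As an added example (not code from the original page or from Nixpkgs), the following expression packages a hypothetical program called fetcher (a placeholder wrapper around curl), wraps it with wrapProgram so it carries SSL_CERT_FILE wherever it runs, checks at build time that the wrapper really sets the variable, and then puts it into a Docker image. The names fetcher and fetcher-image are assumptions; the cacert, makeWrapper and dockerTools attributes are the real Nixpkgs ones.

```nix
# Added example, not from the page or Nixpkgs. "fetcher" is a placeholder
# program: a shell script that calls curl, standing in for a real application.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib stdenv makeWrapper cacert curl dockerTools writeShellScriptBin;

  # Placeholder application that needs to reach HTTPS endpoints.
  fetcherSrc = writeShellScriptBin "fetcher" ''
    exec ${curl}/bin/curl -sS "$@"
  '';

  # The derivation a user would install: the program plus a wrapper that
  # pins SSL_CERT_FILE to the cacert bundle, independent of /etc/ssl/certs.
  fetcher = stdenv.mkDerivation {
    pname = "fetcher";
    version = "0.1";
    dontUnpack = true;

    # makeWrapper's setup hook provides the wrapProgram function used below.
    nativeBuildInputs = [ makeWrapper ];

    installPhase = ''
      install -Dm755 ${fetcherSrc}/bin/fetcher $out/bin/fetcher
      wrapProgram $out/bin/fetcher \
        --set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"
    '';

    # Sanity check: the generated wrapper script must export the variable and
    # the bundle it points to must exist in the store closure.
    doInstallCheck = true;
    installCheckPhase = ''
      grep -q 'SSL_CERT_FILE' $out/bin/fetcher
      test -f ${cacert}/etc/ssl/certs/ca-bundle.crt
    '';
  };
in
# A Docker image has no /etc/ssl/certs, so the store path of the bundle is
# what every TLS client inside the image must use. The wrapper already covers
# fetcher itself; Env additionally covers any unwrapped tool in the image.
dockerTools.buildLayeredImage {
  name = "fetcher-image";
  tag = "latest";
  contents = [ fetcher cacert ];
  config = {
    Cmd = [ "${fetcher}/bin/fetcher" ];
    Env = [ "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
  };
}
```

Build the image with nix-build on this file and load the resulting tarball with docker load; inside the container, fetcher will validate server certificates against the Mozilla bundle from cacert even though /etc/ssl/certs is absent.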
Note: when using security.pki.certificateFiles or security.pki.certificates, ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt will not contain the certificate(s) specified this way. The NixOS CA module builds its own derivation of the cacert package with those certificates merged in, and pkgs.cacert is the unmodified package. Use config.environment.etc."ssl/certs/ca-bundle.crt".source instead; it points at the bundle the module actually installs into /etc/ssl/certs.
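As an added example (not from the original page), this NixOS configuration fragment adds a site CA through security.pki.certificateFiles and then wraps a program with the bundle the CA module actually produces, rather than with pkgs.cacert, so the wrapped program also trusts the site CA. The file ./internal-ca.crt and the program name fetcher are placeholders.

```nix
# Added example, not from the page. ./internal-ca.crt is a placeholder for a
# PEM file containing the organisation's own CA certificate.
{ config, pkgs, ... }:

let
  # The bundle the NixOS CA module installs: Mozilla roots plus everything
  # listed in security.pki.certificateFiles / security.pki.certificates.
  # pkgs.cacert would NOT contain the extra certificate.
  systemBundle = config.environment.etc."ssl/certs/ca-bundle.crt".source;

  # Placeholder program that must trust the internal CA even when run with a
  # clean environment (cron jobs, systemd units with a restricted env, ...).
  fetcher = pkgs.runCommand "fetcher"
    { nativeBuildInputs = [ pkgs.makeWrapper ]; }
    ''
      mkdir -p $out/bin
      makeWrapper ${pkgs.curl}/bin/curl $out/bin/fetcher \
        --set SSL_CERT_FILE ${systemBundle}
    '';
in
{
  # Site CA to be trusted system-wide, merged into the bundle by the module.
  security.pki.certificateFiles = [ ./internal-ca.crt ];

  environment.systemPackages = [ fetcher ];
}
```

Because systemBundle is derived from config, the wrapper is rebuilt whenever the set of extra certificates changes; a wrapper pinned to pkgs.cacert would silently keep rejecting servers signed by the internal CA.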