Nix install script fails on MacOS due to SSL error

[sweller999]

Platform

• Linux:
• macOS
• WSL

Additional information

Line used to run script:

sh <(curl -L https://nixos.org/nix/install)

Previously attempted installation via the script available here: https://nix.dev/tutorials/install-nix

The above script failed due to the same SSL error I encountered while using the nix.dev script

Output

Output

I am executing:

    $ sudo HOME=/var/root NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3/bin/nix-channel --update nixpkgs

to update the default channel in the default profile

warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 254 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 502 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 1028 ms
warning: error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60); retrying in 2765 ms
error: unable to download 'https://nixos.org/channels/nixpkgs-unstable': SSL peer certificate or SSH remote key was not OK (60)

Priorities

Add 👍 to issues you find important.

[abathur]

Likely related:

• nix-build uses fails on SSL peer certificate error where other nix commands do not, likely not respecting NIX_SSL_CERT_FILE #7808
• nix-shell doesn't seem to respect NIX_SSL_CERT_FILE #7914
• nix-channel --update not working behind company certificate #8022

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-installer-workgroup/21495/20

[jlhuilier-1a]

Got the same issue on my company mac M1 laptop that uses netskope to "secure" internet traffic(doing man-in-the-middle using company certificate). I guess many companies uses similar proxy software that will break nix the same way.
I was able to fix the installation by following those steps ( based on last post in https://discourse.nixos.org/t/ssl-ca-cert-error-on-macos/31171/6)

Run the installer that will fail due to SSL errors, and then fix the install by:

1. First you generate a new bundle containing all your custom certificates to be used by nix

security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o /tmp/certs-system.pem
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/certs-root.pem
cat /tmp/certs-root.pem /tmp/certs-system.pem > /tmp/ca_cert.pem
sudo mv /tmp/ca_cert.pem /etc/nix/

2. Update the conf file /etc/nix/nix.conf to reference the bundle

ssl-cert-file = /etc/nix/ca_cert.pem

3. Relaunch the daemon

sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist

You should now be able to resume the install by running the command displayed at the end of the installer output

sudo -i nix-channel --update nixpkgs