Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix the nix-daemon Mac OS SSL CA cert #4023

Merged
merged 1 commit into from
Sep 21, 2020
Merged

Fix the nix-daemon Mac OS SSL CA cert #4023

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions misc/launchd/org.nixos.nix-daemon.plist.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>NIX_SSL_CERT_FILE</key>
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When NIX_SSL_CERT_FILE is unset, Nix should default to this:

nix/src/libstore/globals.cc

Line 47 in 5080d4e

for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})

see also 847f19a

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. Something very weird must be going on then. Perhaps it was restarting the daemon rather than this setting that fixed it for me. I removed the environment variable and the daemon is still working ok.

Is it possible that the daemon is unable to access the certificate the first time it is started for some reason? Since it's clear from the other reports that I'm not the only one who had this problem with a fresh installation of Nix.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point. caFile is set only once, when the daemon starts, so if the CA bundle is installed afterwards, the daemon needs to be restarted.

<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
<string>YES</string>
</dict>
Expand Down