Setting `ssl-cert-file` is not enough to pass custom cacerts #1071

New issue

Open

opened 2025-12-09 12:31:29 +00:00 by flokli · 1 comment

flokli commented

2025-12-09 12:31:29 +00:00

Describe the bug

I'm using mitmproxy to observe all fetches a FOD is doing.

I read lix-project/lix@2d0109898a, and only configured the daemon with ssl-cert-file.

The ssl-cert-file is not picked, I also need to run nix-daemon.service with NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt (logicalTargetPath from that commit) to get it to work.

Steps To Reproduce

Setup is as follows:

Substitute a FOD store path to ensure you have all inputs available locally:

cd /path/to/nixpkgs
nix-build -A mdbook.cargoDeps.vendorStaging

Invoke mitmproxy in a separate terminal, producing a mitm-tun interface:

sudo mitmproxy --showhost --mode tun:mitm-tun --set block_global=false

Do some ip {rule,route} trickery to route all network requests coming from nixbld users via that tun interface (double-check your uids):

sudo ip r add default dev mitm-tun table 8000
sudo ip -6 r add default dev mitm-tun table 8000
sudo ip rule add uidrange 30001-30032 table 8000
sudo ip -6 rule add uidrange 30001-30032 table 8000

Copy the mitmproxy ca cert to a readable location:

sudo cp /root/.mitmproxy/mitmproxy-ca-cert.pem /etc/ssl/minica.pem
sudo chmod 444 /etc/ssl/minica.pem

Reconfigure your local nix-daemon.service to use it; in my case, I sudo systemctl edit --runtime nix-daemon.service && sudo systemctl restart nix-daemon.service, but editing your NixOS config should work the same:

[Service]
ExecStart=
ExecStart=@/nix/store/...-lix-2.93.3/bin/nix-daemon nix-daemon --daemon --option ssl-cert-file /etc/ssl/minica.pem

Run the build:

nix-build -A mdbook.cargoDeps.vendorStaging --check --substituters '' --builders ''

See it getting "stuck" (only a few lines of output, then only a new line every once in a while). Observe how mitmproxy doesn't show flows, but instead complains about SSL handshake failures.

Then edit and restart nix-daemon.service again, while addding Environment=NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt to the service section.

Run the build command again, observe how now flows do show up in the mitmproxy window, and how the fetches progress through.

Expected behavior

I'd expect setting ssl-cert-file to be sufficient.

`nix --version` output

nix (Lix, like Nix) 2.93.3
System type: x86_64-linux
Additional system types: i686-linux, x86_64-v1-linux, x86_64-v2-linux, x86_64-v3-linux, x86_64-v4-linux
Features: gc, signed-caches
System configuration file: /etc/nix/nix.conf
User configuration files: /home/flokli/.config/nix/nix.conf:/etc/xdg/nix/nix.conf:/home/flokli/.nix-profile/etc/xdg/nix/nix.conf:/nix/profile/etc/xdg/nix/nix.conf:/home/flokli/.local/state/nix/profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/flokli/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf:/nix/store/2ldavd7sprmnfg06n6mj20lfrvmkvg4z-gnome-settings-daemon-48.1/etc/xdg/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix
Data directory: /nix/store/kg6pv5f01vj5w6k7scy2zfvnkcgbifcw-lix-2.93.3/share

Additional context

I tried with nixpkgs checkouts of both release-25.05 (9393af3b506fc38ff805cef7baf912e97d1f4ed3) and release-25.11 (517bc6ca281d991ad28a322299b285dd47fd9c4f)

## Describe the bug I'm using `mitmproxy` to observe all fetches a FOD is doing. I read https://git.lix.systems/lix-project/lix/commit/2d0109898a65884e8953813c0391ad8b3be0d929, and only configured the daemon with `ssl-cert-file`. The `ssl-cert-file` is not picked, I also need to run `nix-daemon.service` with `NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` (`logicalTargetPath` from that commit) to get it to work. ## Steps To Reproduce Setup is as follows: Substitute a FOD store path to ensure you have all inputs available locally: ``` cd /path/to/nixpkgs nix-build -A mdbook.cargoDeps.vendorStaging ``` Invoke `mitmproxy` in a separate terminal, producing a `mitm-tun` interface: ``` sudo mitmproxy --showhost --mode tun:mitm-tun --set block_global=false ``` Do some `ip {rule,route}` trickery to route all network requests coming from nixbld users via that `tun` interface (double-check your uids): ``` sudo ip r add default dev mitm-tun table 8000 sudo ip -6 r add default dev mitm-tun table 8000 sudo ip rule add uidrange 30001-30032 table 8000 sudo ip -6 rule add uidrange 30001-30032 table 8000 ``` Copy the `mitmproxy` ca cert to a readable location: ``` sudo cp /root/.mitmproxy/mitmproxy-ca-cert.pem /etc/ssl/minica.pem sudo chmod 444 /etc/ssl/minica.pem ``` Reconfigure your local `nix-daemon.service` to use it; in my case, I `sudo systemctl edit --runtime nix-daemon.service && sudo systemctl restart nix-daemon.service`, but editing your NixOS config should work the same: ``` [Service] ExecStart= ExecStart=@/nix/store/...-lix-2.93.3/bin/nix-daemon nix-daemon --daemon --option ssl-cert-file /etc/ssl/minica.pem ``` Run the build: ``` nix-build -A mdbook.cargoDeps.vendorStaging --check --substituters '' --builders '' ``` See it getting "stuck" (only a few lines of output, then only a new line every once in a while). Observe how `mitmproxy` doesn't show flows, but instead complains about SSL handshake failures. Then edit and restart `nix-daemon.service` again, while addding `Environment=NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` to the service section. Run the build command again, observe how now flows do show up in the `mitmproxy` window, and how the fetches progress through. ## Expected behavior I'd expect setting `ssl-cert-file` to be sufficient. ## `nix --version` output ``` nix (Lix, like Nix) 2.93.3 System type: x86_64-linux Additional system types: i686-linux, x86_64-v1-linux, x86_64-v2-linux, x86_64-v3-linux, x86_64-v4-linux Features: gc, signed-caches System configuration file: /etc/nix/nix.conf User configuration files: /home/flokli/.config/nix/nix.conf:/etc/xdg/nix/nix.conf:/home/flokli/.nix-profile/etc/xdg/nix/nix.conf:/nix/profile/etc/xdg/nix/nix.conf:/home/flokli/.local/state/nix/profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/flokli/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf:/nix/store/2ldavd7sprmnfg06n6mj20lfrvmkvg4z-gnome-settings-daemon-48.1/etc/xdg/nix/nix.conf Store directory: /nix/store State directory: /nix/var/nix Data directory: /nix/store/kg6pv5f01vj5w6k7scy2zfvnkcgbifcw-lix-2.93.3/share ``` ## Additional context I tried with nixpkgs checkouts of both `release-25.05` (`9393af3b506fc38ff805cef7baf912e97d1f4ed3`) and `release-25.11` (`517bc6ca281d991ad28a322299b285dd47fd9c4f`)

flokli added the

bug

label

2025-12-09 12:31:29 +00:00

flokli commented

2025-12-09 15:05:22 +00:00

Author

I also tested with CppNix (2.31.2).

As it doesn't copy ssl-cert-file to a well-known location, it needs --option ssl-cert-file /etc/ssl/minica.pem --extra-sandbox-paths /etc/ssl/minica.pem for nix-daemon and Environment=NIX_SSL_CERT_FILE=/etc/ssl/minica.pem.

Maybe I'm just misreading things, but the release notes in lix-project/lix@2d0109898a did read like NIX_SSL_CERT_FILE should point to /etc/ssl/certs/ca-certificates.crt inside the build without needing to configure Lix' nix-daemon with it.

I also tested with CppNix (2.31.2). As it doesn't copy `ssl-cert-file` to a well-known location, it needs `--option ssl-cert-file /etc/ssl/minica.pem --extra-sandbox-paths /etc/ssl/minica.pem` for `nix-daemon` and `Environment=NIX_SSL_CERT_FILE=/etc/ssl/minica.pem`. Maybe I'm just misreading things, but the release notes in https://git.lix.systems/lix-project/lix/commit/2d0109898a65884e8953813c0391ad8b3be0d929 did read like `NIX_SSL_CERT_FILE` should point to `/etc/ssl/certs/ca-certificates.crt` inside the build without needing to configure Lix' nix-daemon with it.