Broken /etc/ssl/certs/ca-certificates.crt symlink breaks SSL certs #560

Open
opened 2024-10-27 21:16:04 +00:00 by lilyball · 1 comment
Member

Describe the bug

When ssl-cert-file is not set, Lix tries /etc/ssl/certs/ca-certificates.crt and then /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt. The /etc path is where Linux distros (such as NixOS) place certs. If macOS has a broken symlink at that path, Lix will use that symlink and SSL certs will break. This can happen when uninstalling nix-darwin and doing a fresh Lix install.

Lix should check the /etc/ssl/certs/ca-certificates.crt path to make sure it's not a broken symlink before using it.

> nix eval --impure -E 'builtins.fetchurl { url = "https://example.com"; }'
error:
       … while calling the 'fetchurl' builtin
         at «string»:1:1:
            1| builtins.fetchurl { url = "https://example.com"; }
             | ^

       error: unable to download 'https://example.com': Problem with the SSL CA cert (path? access rights?) (77)
## Describe the bug When `ssl-cert-file` is not set, Lix tries `/etc/ssl/certs/ca-certificates.crt` and then `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`. The `/etc` path is where Linux distros (such as NixOS) place certs. If macOS has a broken symlink at that path, Lix will use that symlink and SSL certs will break. This can happen when uninstalling nix-darwin and doing a fresh Lix install. Lix should check the `/etc/ssl/certs/ca-certificates.crt` path to make sure it's not a broken symlink before using it. ```console > nix eval --impure -E 'builtins.fetchurl { url = "https://example.com"; }' error: … while calling the 'fetchurl' builtin at «string»:1:1: 1| builtins.fetchurl { url = "https://example.com"; } | ^ error: unable to download 'https://example.com': Problem with the SSL CA cert (path? access rights?) (77) ```
lilyball added the
bug
E/easy
OS/macOS
labels 2024-10-27 21:16:04 +00:00
Member

This issue was mentioned on Gerrit on the following CLs:

  • commit message in cl/2144 ("libstore: ignore broken symlinks in ssl-cert-file default")
<!-- GERRIT_LINKBOT: {"cls": [{"backlink": "https://gerrit.lix.systems/c/lix/+/2144", "number": 2144, "kind": "commit message"}], "cl_meta": {"2144": {"change_title": "libstore: ignore broken symlinks in ssl-cert-file default"}}} --> This issue was mentioned on Gerrit on the following CLs: * commit message in [cl/2144](https://gerrit.lix.systems/c/lix/+/2144) ("libstore: ignore broken symlinks in ssl-cert-file default")
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#560
No description provided.