Broken /etc/ssl/certs/ca-certificates.crt symlink breaks SSL certs #560

Closed
opened 2024-10-27 21:16:04 +00:00 by lilyball · 1 comment
Member

Describe the bug

When ssl-cert-file is not set, Lix tries /etc/ssl/certs/ca-certificates.crt and then /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt. The /etc path is where Linux distros (such as NixOS) place certs. If macOS has a broken symlink at that path, Lix will use that symlink and SSL certs will break. This can happen when uninstalling nix-darwin and doing a fresh Lix install.

Lix should check the /etc/ssl/certs/ca-certificates.crt path to make sure it's not a broken symlink before using it.

```console
> nix eval --impure -E 'builtins.fetchurl { url = "https://example.com"; }'
error:
       … while calling the 'fetchurl' builtin
         at «string»:1:1:
            1| builtins.fetchurl { url = "https://example.com"; }
             | ^

       error: unable to download 'https://example.com': Problem with the SSL CA cert (path? access rights?) (77)
```
lilyball added the
bug
E/easy
OS/macOS
labels 2024-10-27 21:16:04 +00:00
Member

This issue was mentioned on Gerrit on the following CLs:

  • commit message in cl/2144 (https://gerrit.lix.systems/c/lix/+/2144) ("libstore: ignore broken symlinks in ssl-cert-file default")
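The failure mode reported in this issue, as an added example that is not Lix's code: an existence check that does not follow symlinks accepts a dangling link as the default CA file, while a check that follows the link skips it and falls through to the next candidate. The function names, the `Demo` struct and the temporary directory layout are assumptions made for the illustration, and the bundle content is a constructed placeholder.

```cpp
#include <filesystem>
#include <fstream>
#include <iostream>
#include <optional>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Naive selection: symlink_status() inspects the link itself (like lstat),
// so a dangling symlink counts as "existing" and is returned.
std::optional<fs::path> pickNaive(const std::vector<fs::path> & candidates) {
    for (const auto & p : candidates) {
        std::error_code ec;
        if (fs::exists(fs::symlink_status(p, ec))) return p;
    }
    return std::nullopt;
}

// Hardened selection: status() follows the link (like stat), so a dangling
// symlink reports not_found. The candidate must also be a readable regular file.
std::optional<fs::path> pickUsable(const std::vector<fs::path> & candidates) {
    for (const auto & p : candidates) {
        std::error_code ec;
        if (!fs::is_regular_file(fs::status(p, ec))) continue;
        if (std::ifstream(p).good()) return p;
    }
    return std::nullopt;
}

// Constructed fixture mirroring the two default paths from the issue:
// the first is a dangling symlink, the second is a real file.
struct Demo { fs::path broken, bundle; };

Demo makeDemo() {
    fs::path dir = fs::temp_directory_path() / "ca-default-demo";
    fs::remove_all(dir);
    fs::create_directories(dir);
    Demo d{dir / "ca-certificates.crt", dir / "ca-bundle.crt"};
    fs::create_symlink(dir / "missing-target.pem", d.broken);  // target never created
    std::ofstream(d.bundle) << "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n";
    return d;
}

int main() {
    Demo d = makeDemo();
    std::vector<fs::path> candidates{d.broken, d.bundle};
    std::cout << "naive:    " << pickNaive(candidates).value_or("<none>") << "\n";
    std::cout << "hardened: " << pickUsable(candidates).value_or("<none>") << "\n";
}
```

Returning no path when every candidate is unusable lets the caller report a clear configuration error instead of handing the TLS library a path it cannot read.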
Reference: lix-project/lix#560