Merge pull request #8062 from edolstra/ssl-cert-file

Add a setting for configuring the SSL certificates file
2025-11-21 09:49:36 +01:00 · 2023-03-27 15:37:15 +02:00 · 2023-03-27 15:37:15 +02:00 · 5a0f5b5c34
commit 5a0f5b5c34
parent 570829d67e a519436e9d
5 changed files with 33 additions and 20 deletions
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -63,6 +63,8 @@ class Settings : public Config {

    bool isWSL1();

+    Path getDefaultSSLCertFile();
+
 public:

    Settings();
@ -825,8 +827,22 @@ public:
          > `.netrc`.
        )"};

-    /* Path to the SSL CA file used */
-    Path caFile;
+    Setting<Path> caFile{
+        this, getDefaultSSLCertFile(), "ssl-cert-file",
+        R"(
+          The path of a file containing CA certificates used to
+          authenticate `https://` downloads. Nix by default will use
+          the first of the following files that exists:
+
+          1. `/etc/ssl/certs/ca-certificates.crt`
+          2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
+
+          The path can be overridden by the following environment
+          variables, in order of precedence:
+
+          1. `NIX_SSL_CERT_FILE`
+          2. `SSL_CERT_FILE`
+        )"};

 #if __linux__
    Setting<bool> filterSyscalls{