Add a setting for configuring the SSL certificates file

This provides a platform-independent way to configure the SSL certificates file in the Nix daemon. Previously we provided instructions for overriding the environment variable in launchd, but that obviously doesn't work with systemd. Now we can just tell users to add ssl-cert-file = /etc/ssl/my-certificate-bundle.crt to their nix.conf.
2025-11-11 21:16:02 +01:00 · 2023-03-17 18:32:18 +01:00 · 2023-03-17 18:32:18 +01:00 · e53e5c38d4
commit e53e5c38d4
parent 790dd2555b
5 changed files with 28 additions and 20 deletions
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@ -318,7 +318,7 @@ struct curlFileTransfer : public FileTransfer

            if (request.verifyTLS) {
                if (settings.caFile != "")
-                    curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
+                    curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
            } else {
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@ -44,14 +44,9 @@ Settings::Settings()
    lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
    allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";

-    caFile = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
-    if (caFile == "") {
-        for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
-            if (pathExists(fn)) {
-                caFile = fn;
-                break;
-            }
-    }
+    auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
+    if (sslOverride != "")
+        caFile = sslOverride;

    /* Backwards compatibility. */
    auto s = getEnv("NIX_REMOTE_SYSTEMS");
@ -187,6 +182,13 @@ bool Settings::isWSL1()
    return hasSuffix(utsbuf.release, "-Microsoft");
 }

+Path Settings::getDefaultSSLCertFile()
+{
+    for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
+        if (pathExists(fn)) return fn;
+    return "";
+}
+
 const std::string nixVersion = PACKAGE_VERSION;

 NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -64,6 +64,8 @@ class Settings : public Config {

    bool isWSL1();

+    Path getDefaultSSLCertFile();
+
 public:

    Settings();
@ -826,8 +828,17 @@ public:
          > `.netrc`.
        )"};

-    /* Path to the SSL CA file used */
-    Path caFile;
+    Setting<Path> caFile{
+        this, getDefaultSSLCertFile(), "ssl-cert-file",
+        R"(
+          The path of a file containing CA certificates used to
+          authenticate `https://` downloads. It defaults to the first
+          of `/etc/ssl/certs/ca-certificates.crt` and
+          `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
+          that exists. It can be overriden using the
+          `NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` environment variable
+          (in that order of precedence).
+        )"};

 #if __linux__
    Setting<bool> filterSyscalls{