Nix: SSL_CERT_FILE causes SSL certificate errors with other tools

Created on 31 May 2016 · 67 comments · Source: NixOS/nix

I tried to install something with Homebrew today (a package that is out of date on Nix) and it failed with the following error:

curl: (51) SSL: certificate verification failed (result: 5)

Digging into this, it's trying to download a file using curl that, after redirects, ends up fetching a URL like

https://akamai.bintray.com/5c/5ce4e36ed803d7ee2863b8a84b2123fb29f34e02e7c2f908284bb24408f94a65?__gda__=exp=1464730847~hmac=bfe122e8b6bcbf8d01952ab997861ac1fed2434aceccc74cf5c356ad107a1481&response-content-disposition=attachment%3Bfilename%3D%22git-lfs-1.2.0.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip

(I assume this URL is not permanent)

The fetch for this resource is what triggers the certificate verification failure. Unsetting $SSL_CERT_FILE fixes the issue. My assumption here is that the root certificate for that server isn't included in Nix's ca-bundle.crt, though I don't know why that would be.

This is with Nix 1.11.2 on OS X 10.11.5.

bug darwin

Most helpful comment

@edolstra looks good to me on OSX, curl and git work from nix and from OSX itself.

All 67 comments

Can you print the value of SSL_CERT_FILE?

> echo $SSL_CERT_FILE
/Users/kevinballard/.nix-profile/etc/ssl/certs/ca-bundle.crt

I just hit this again with the trivial case curl https://google.com.

The cause seems to be that the nix CA bundle requires a curl with OpenSSL support, which (current) builtin versions don’t have.

> /usr/bin/curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5 

I worked around this using more Homebrew:

> brew install curl --with-openssl
> brew link --force curl
> /usr/local/bin/curl --version
curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5

That version works, but Homebrew won’t use it unless I also patch /usr/local/Library/brew.sh to set HOMEBREW_CURL to it (or to comment it out and set it in my shell config).

I assume a similar workaround can work by installing curl from nix, but I haven’t checked yet.

This seems kind of bad and off-putting for new OSX users. Is anyone looking into it?

Might be good to start using tags in this repo and let more of us tag issues. Would be good for those of us wanting to improve the darwin experience to track down darwin-specific pain.

I just wasted ~30 min on this bug; please fix!

I also hit this today. 😭

Any brew install command on my host would fail with:

curl: (51) SSL: certificate verification failed (result: 5)

I finally tracked it down to the SSL_CERT_FILE environment variable setting, which was being set indirectly by the following line in my .profile which had been added by the Nix installer:

if [ -e /Users/pmoore/.nix-profile/etc/profile.d/nix.sh ]; then . /Users/pmoore/.nix-profile/etc/profile.d/nix.sh; fi # added by Nix installer

Here are some other issues which appear to be related to (or a duplicate of) this:

  • #853
  • NixOS/nixpkgs#8247
  • NixOS/nixpkgs#8486
  • NixOS/nixpkgs#13744

Unsetting SSL_CERT_FILE resolved the issue for me.

@layus FYI - thanks! :smile:

So if I understand correctly, Nix CA requires curl with OpenSSL built, but the default curl on OSX doesn't have that.

What are the options here? I don't have a darwin platform, but would love to help this getting fixed.

Thanks @domenkozar for helping out. 👍

I suspect now the problem might be that the cacerts file I had on my machine at the time I installed nix was invalid...

I installed curl via homebrew and get the same problem when using the cacerts file that nix was pointing to, and I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

Here is a demo of the problem I have when using the a cacerts file:

First I download the latest version of the file in pem format:

pmoore@Petes-iMac:~ $ curl -L https://curl.haxx.se/ca/cacert.pem > ~/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  244k  100  244k    0     0   252k      0 --:--:-- --:--:-- --:--:--  252k

Next I try to use it with a curl command:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl --cacert ~/cacert.pem -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
curl: (51) SSL: certificate verification failed (result: 5)

Now I use curl without specifying a cacert file, and problem goes away:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2Up4se5f2ui1T_LnBvu_vQfEMh6RtBVrT2mPuVpnC6STOQHN1nOsRdSsvs3aJo9TDrL5M2McVm29XvXGoKCWW2U4fw2g3A
Expires: Mon, 22 Aug 2016 20:59:49 GMT
Date: Mon, 22 Aug 2016 19:59:49 GMT
Cache-Control: public, max-age=3600
Last-Modified: Mon, 15 Aug 2016 23:20:30 GMT
ETag: "a30c3bd1a7fcc6a48acfb74936a19b4c"
x-goog-generation: 1471303230615000
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 14091954
Content-Type: application/x-gzip
x-goog-hash: crc32c=B1onUw==
x-goog-hash: md5=oww70af8xqSKz7dJNqGbTA==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 14091954
Server: UploadServer
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="35,34,33,32,31,30"

And now, to show the format of the cacert file:

pmoore@Petes-iMac:~ $ head -30 ~/cacert.pem 
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Apr 20 03:12:05 2016
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 5df367cda83086392e1acdf22bfef00c48d5eba6
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

The curl version I am using above is /usr/local/Cellar/curl/7.50.1/bin/curl which is the version installed by homebrew, rather than the native apple version.

I'm wondering now if the problem is that I shouldn't use this file, but some adapted version of it, and maybe when I installed nix I referred to (an older version of) this file, and the mistake was made then (I don't remember where that file came from, if it was shipped with nix, or if I had my own version etc).

Thanks @domenkozar for any ideas you might have!

Note, the version that my nix installation was pointing to was a bit older (see below - from Nov 9 last year). In my demonstration above, I was just trying with the latest version of the file, in case that might have fixed things (which it didn't).

Also when I was using brew to install things originally, or using curl directly, I was not explicitly specifying --cacert. Above I used this command line option to demonstrate that the problem occurs also when using --cacert, like it does when having environment variable SSL_CERT_FILE pointing to the file.

pmoore@Petes-iMac:~ $ head -30 /Users/pmoore/.nix-profile/etc/ssl/certs/ca-bundle.crt
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Mon Nov  9 05:12:59 2015
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## file:///private/var/tmp/nix-build-nss-cacert-3.21.drv-0/nss-3.21/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 0ab47e2f41518f8d223eab517cb799e5b071231e
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

It has OpenSSL as an _optional_ dependency, which is used _if_ you install it with --with-openssl.

You can check whether your version uses OpenSSL by checking the output of curl --version | head -n1. On my system:

> /usr/bin/curl --version | head -n1
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
> /usr/local/opt/curl/bin/curl --version | head -n1
curl 7.50.1 (x86_64-apple-darwin15.6.0) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.5

Nix ships a curl package that trusts /etc/ssl/certs/ca-bundle.crt by default. This is not always available on non-NixOS distros. To make nix-only installs work on other distros, we make the nix setup script export SSL_CERT_FILE to some existing cert bundle to ensure that the curl package shipped and used by Nix works properly. (Otherwise, nix cannot download derivations.)

If I understand this bug, the issue is that this behavior breaks curl builds without OpenSSL support, right? Now, I have a few questions:

  1. How come you are using MacOS's curl while you are in a nix environment? Your PATH settings should default to using nix's curl. Does homebrew use an absolute path to curl?
  2. Could you install some package with nix after unsetting SSL_CERT_FILE? I bet it would break nix. If not, please report as it could be a potential fix here.
  3. How come curl does honor SSL_CERT_FILE if it is built without OpenSSL? This could be an upstream bug. This is not needed as macosx does not use a trust file, but SecureTransport and a very different scheme to store certificates. SSL_CERT_FILE should be irrelevant to that TLS engine.

  1. I don't have Nix's curl installed. That said, Homebrew does indeed use /usr/bin/curl unless the env var HOMEBREW_CURL has been set to another path.
  2. It does seem to work (I interrupted it halfway through), but only because Nix ends up falling back to an http URL instead if the https ones fail (all the https URLs it tries fail with Curl error 60).
  3. I have no idea. This does seem like a bug.

https://docwhat.org/el-capitan-and-the-evils-of-openssl/ has it all explained. Apparently, setting SSL_CERT_FILE makes SecureTransport fall back to the (very old) openssl shipped by MacOS. This old version is incompatible with current certificates.

This is a hard problem, because this is not a problem only with curl. SSL_CERT_FILE is required by every package using openssl.

@kballard, @petemoore you should really contact apple about this. Their version of openssl is very old, and setting SSL_CERT_FILE to a recent bundle makes it fail...

But this is also something I am not willing to investigate. I do not want to spend time understanding and fixing closed source software.
That being said, pushing a work-around in nix may be acceptable. I just have no idea how to do that sanely.

I see two solutions:

  • Rename SSL_CERT_FILE to NIX_CERT_FILE or something like that, so that we don't interfere with the native /usr/bin/curl on OS X.
  • Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

If I understand the Homebrew formula correctly, this can be done by passing --with-darwinssl to curl’s configure script (and leaving out --with-ssl).

@mkhl Thanks, I'll give that a try.

I see two solutions:

  • Rename SSL_CERT_FILE to NIX_CERT_FILE or something like that, so that we don't interfere with the native /usr/bin/curl on OS X.
  • Build curl in Nixpkgs with SecureTransport support, which (I assume) would make it use OS X's native certificate store. Then we don't need to set SSL_CERT_FILE anymore.

I would trust the second option, but be aware that it may break applications relying on the default trust store of openssl, as openssl will no longer find the trust store in ~/.nix-profile/... and will probably fail to provide a default.

Hm, curl segfaults when built with darwinssl:

# gdb --args ./result-bin/bin/curl -v https://google.com
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin15.2.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./result-bin/bin/curl...(no debugging symbols found)...done.
(gdb) r
Starting program: /nix/store/6x66y4k6dx61dzpn7g5b2dn4l0dzwrpp-curl-7.50.1-bin/bin/curl -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 74.125.136.102...
* Connected to google.com (74.125.136.102) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
[New Thread 0x1b13 of process 60442]
[New Thread 0x1c03 of process 60442]
[New Thread 0x1d03 of process 60442]

Thread 1 received signal SIGSEGV, Segmentation fault.
0x0000000100130a28 in CFRelease () from /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
(gdb) bt
#0  0x0000000100130a28 in CFRelease () from /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
#1  0x0000000100062ed3 in darwinssl_connect_common () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#2  0x0000000100061460 in Curl_ssl_connect_nonblocking () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#3  0x00000001000286c3 in https_connecting () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#4  0x0000000100048445 in multi_runsingle () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#5  0x000000010004815d in curl_multi_perform () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#6  0x00000001000423c0 in curl_easy_perform () from /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib
#7  0x000000010000c82c in operate_do ()
#8  0x0000000100008e24 in operate ()
#9  0x00000001000086e4 in main ()

@copumpkin @pikajude Could the segfault above be caused by the mixing of the system Security framework and the Nixpkgs CoreFoundation framework?

$ otool -L ./result-bin/bin/curl 
./result-bin/bin/curl:
        /nix/store/b7w4h0wn1h003j9nqm49d6q0g2gmil59-curl-7.50.1/lib/libcurl.4.dylib (compatibility version 9.0.0, current version 9.0.0)
        /nix/store/adrpfqnbmx071vdv8gmxdzkdjamx4rhq-libssh2-1.7.0/lib/libssh2.1.dylib (compatibility version 2.0.0, current version 2.1.0)
        /nix/store/i4klhk599pbabpc5fkcy6bmbf212l6di-zlib-1.2.8/lib/libz.dylib (compatibility version 1.0.0, current version 1.2.8)
        /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.2)
        /nix/store/8grzfkqh0gipg8jrczmwdrmc06w0qmdy-CF-osx-10.9.5/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 855.15.0)
        /nix/store/n5w3cs7hb2ffd47ycarjyz5kg8pq4n2l-Libsystem-osx-10.9.5/lib/libSystem.dylib (compatibility version 1.0.0, current version 1197.1.1)

Indeed

$ DYLD_FRAMEWORK_PATH=/System/Library/Frameworks ./result-bin/bin/curl -v https://google.com

fixes the segfault. But is there a proper solution for this?

@layus

@kballard, @petemoore you should really contact apple about this. Their version of openssl is very old, and setting SSL_CERT_FILE to a recent bundle makes it fail...

I've raised Bug 27968953 _"SecureTransport problem causes /usr/bin/curl to fail if env var SSL_CERT_FILE is set, or --cacert option is passed"_ with the Apple Bug Reporter, against product "OS X". The content of the bug is essentially the same as for the github curl/curl issue referenced above.

Yeah, that's it. I'd be reluctant to introduce more impurity into nix itself, but we could probably make it work if you think the pros outweigh the cons here.

On Aug 23, 2016, at 15:40, Eelco Dolstra [email protected] wrote:

Indeed

$ DYLD_FRAMEWORK_PATH=/System/Library/Frameworks ./result-bin/bin/curl -v https://google.com
fixes the segfault.


I've run into this issue the last several times I've given nix-on-darwin a try and it's really discouraging. I decided to do some research and found this issue which exactly described my experience. As nix is just the package manager here, it seems odd that it wouldn't integrate with the system trust store. I know it's unfortunate that macOS is using such an old openssl package, but it would really help me if I could try out nix alongside my existing homebrew setup which is broken any time I activate nix (preventing me from adding it to my zshrc).

More duplicates of this issue:

https://github.com/Homebrew/brew/issues/1284
https://github.com/Homebrew/legacy-homebrew/issues/49373
https://github.com/Homebrew/legacy-homebrew/issues/32019, from September 2014.

A simple workaround I'd like: stop modifying ~/.bash_profile to include ~/.nix-profile/etc/profile.d/nix.sh—such environment changes should be done when I request them explicitly. I thought for a second https://github.com/NixOS/nixpkgs/pull/15571 might do this, but in fact it doesn't at all.

But in general, here a rant seems due:

I can't demand that you make sure to not break my system by default (cue in standard disclaimer about open source software and entitled users).

But if the Nix team doesn't treat issues like this as "MAX PRIORITY UNACCEPTABLE BREAKAGE" and leave them unsolved for so long, I'm afraid I have to stop trusting anything Nix-related near my systems. Which is really sad because in theory Nix seems really cool.

And I'm sorry to rant on a system I'm barely using. My plan was to install it and slowly start learning it when I find time, especially because of Stack's integration so that I could test my changes to Stack on Nix.

And sorry to ask, but is there a more constructive way to request an approach change than a rant like that?

@Blaisorblade once we find a proper solution, this will be implemented. It doesn't make sense to ship a new Nix with a half-baked solution and break the behaviour each release without knowing all the consequences. It gives false hope.

@domenkozar That is, altering .bash_profile is not negotiable?

We don't modify .bash_profile, because there is no way to do that without possibly breaking your bash.

I've never seen those lines to work (I always get the message to do it myself). So I didn't know we even try to do such thing.

Yeah, the message seems to suggest that it didn't do it for you, but I've installed it on a bunch of machines recently and it usually does do it.

When I mentioned that I had just double-checked—erased Nix, reran installation, and observed .bash_profile being extended.

FWIW, that bash code (if run) would totally extend .bash_profile, unless the Nix profile is already mentioned there. In that case, the script makes no change but assumes the Nix profile script is already sourced—which is often true but unsound.

To get an "edit your config yourself" message, IIUC, none of .bash_profile .bash_login .profile must exist in the $HOME folder.

If that's the case, we should move this discussion into another issue, since it's not the same thing. It does relate however.

@edolstra does that mean programs in nixpkgs will need to update the env var they look at too?

Yes, I already have a patch for openssl, but curl will need a separate patch (because it doesn't use OpenSSL's standard function for finding certificates).

Ah, awesome, thanks!

Thanks a lot @edolstra!

If that's the case, we should move this discussion into another issue, since it's not the same thing.

You mean about not altering Nix's env. vars in the system profile? If there's anything else dangerous not covered by @edolstra's fix, that's still relevant, but otherwise that might not be needed.

I've noticed that there's still no release that includes the fixes for this issue. When can I expect Nix to put out a release that's actually usable on OS X?

Still got bitten by this when trying to use homebrew alongside nix.

$ env | grep SSL
SSL_CERT_FILE=$HOME/.nix-profile/etc/ssl/certs/ca-bundle.crt
$ tail -1 ~/.bash_profile
if [ -e $HOME/.nix-profile/etc/profile.d/nix.sh ]; then . $HOME/.nix-profile/etc/profile.d/nix.sh; fi # added by Nix installer
$ nix-env --version
nix-env (Nix) 1.11.6

How to upgrade to fixed version?

@lkraider The issue is fixed in nixpkgs (master) and nix (master), but we are waiting for a release to include these. If you are running on nixpkgs unstable, then all you need to do is to run the following commands after sourcing ~/.nix-profile/etc/profile.d/nix.sh.

export NIX_SSL_CERT_FILE="$SSL_CERT_FILE"
unset SSL_CERT_FILE

nixpkgs fixes will be released with 17.03, and nix fixes should be released with 1.12 which has no eta (sadly, see #1219).
@globin, I think 17.03 should come with these fixes included in nix. Could we get a new version of nix together with 17.03?
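The two practical checks from this thread, as an added example that is not part of the issue or of the Nix project: the TLS-backend check via `curl --version | head -n1` (a SecureTransport curl is the one that breaks when SSL_CERT_FILE is set on OS X 10.11), and the NIX_SSL_CERT_FILE / unset SSL_CERT_FILE workaround above, which the thread notes only helps with the fixed nixpkgs and Nix. Function names are my own; the version lines in the test are the ones quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the Nix issue or the Nix project): diagnose the
# SSL_CERT_FILE / curl TLS-backend interaction this thread describes.

# Extract the TLS backend token from the first line of `curl --version`,
# e.g. "curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5"
# -> "SecureTransport"; "... libcurl/7.49.1 OpenSSL/1.0.2h ..." -> "OpenSSL".
curl_tls_backend() {
  # $1: the version line; in real use pass "$(curl --version | head -n1)"
  case "$1" in
    *SecureTransport*) echo SecureTransport ;;
    *OpenSSL/*)        echo OpenSSL ;;
    *LibreSSL/*)       echo LibreSSL ;;
    *GnuTLS/*)         echo GnuTLS ;;
    *)                 echo unknown ;;
  esac
}

# Given the backend and the current SSL_CERT_FILE value, report whether this
# is the combination the thread reports as broken (SecureTransport curl with
# SSL_CERT_FILE exported). Prints "conflict" or "ok".
cert_env_verdict() {
  backend="$1"
  cert_file="$2"
  if [ "$backend" = SecureTransport ] && [ -n "$cert_file" ]; then
    echo conflict
  else
    echo ok
  fi
}

# Emit the workaround from the thread as shell lines: keep the bundle for
# Nix under the name the fixed Nix reads, and stop exporting the generic
# variable that the system curl also honours. Meant to be eval'd:
#   eval "$(print_workaround "$SSL_CERT_FILE")"
print_workaround() {
  printf 'export NIX_SSL_CERT_FILE="%s"\n' "$1"
  printf 'unset SSL_CERT_FILE\n'
}

# Stand-alone run against the live system: `sh thisfile.sh --live`
if [ "${1:-}" = --live ]; then
  line=$(curl --version | head -n1)
  backend=$(curl_tls_backend "$line")
  echo "curl TLS backend: $backend"
  if [ "$(cert_env_verdict "$backend" "${SSL_CERT_FILE:-}")" = conflict ]; then
    echo "SSL_CERT_FILE=$SSL_CERT_FILE will break this curl; suggested lines:"
    print_workaround "$SSL_CERT_FILE"
  fi
fi
```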

Maybe NixOS 17.03 should also release Nix 1.11.7 with this fix (and not backport the new Nix version to older NixOS releases)

ping @edolstra

@layus are you sure that works?

downloading ‘https://github.com/NixOS/nixpkgs/archive/6a8790429692280998801c96660dcc85e30fb759.tar.gz’... error: unable to download ‘https://github.com/NixOS/nixpkgs/archive/6a8790429692280998801c96660dcc85e30fb759.tar.gz’: Problem with the SSL CA cert (path? access rights?) (77)

Here is the 1.11.7 candidate, testing on non-NixOS systems (especially OS X) welcome: http://hydra.nixos.org/eval/1335054

@edolstra I tried nix-install-package --non-interactive --url http://hydra.nixos.org/build/49130459/nix/pkg/nix-1.11.7-x86_64-darwin.nixpkg (as suggested by the Hydra UI) on macOS and it told me "Installation failed: invalid package contents". Am I doing something wrong?

Edit: I guess

$ curl --head http://hydra.nixos.org/build/49130459/nix/pkg/nix-1.11.7-x86_64-darwin.nixpkg
HTTP/1.1 404 Not Found
Date: Wed, 22 Feb 2017 14:15:54 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k
Vary: Accept
Content-Type: text/html; charset=utf-8

I can not reproduce this bug on 10.12.2, but I can reproduce it on 10.11.6 and confirm Nix 1.11.7 fixes the issue.

$ nix-env -i /nix/store/9hbq6vrrm5mp9w124qdza2m3kpc52rac-nix-1.11.7
$ . /Users/admin/.nix-profile/etc/profile.d/nix.sh
$ nix-env --version
nix-env (Nix) 1.11.7
$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets 
$ curl https://google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.uk/?gfe_rd=cr&amp;ei=t5-tWKaLKsTv8AfH5YG4CQ">here</A>.
</BODY></HTML>
$ export SSL_CERT_FILE="$NIX_SSL_CERT_FILE"
$ curl https://google.com/a
curl: (51) SSL: certificate verification failed (result: 5)

@edolstra nix-env fails to work:

$ nix-env -i curl
warning: there are multiple derivations named ‘curl-7.51.0’; using the first one
installing ‘curl-7.51.0’
these paths will be fetched (0.94 MiB download, 3.14 MiB unpacked):
  /nix/store/3vyj968sa8rhyy88pavicj9957x0b3nn-libssh2-1.7.0-dev
  /nix/store/54iylcd3awfv7s0rpan7wzcyyyqi3ghw-curl-7.51.0-bin
  /nix/store/6ps44is1czbmnrx7d55dbyfdf44h7zan-openssl-1.0.2j-dev
  /nix/store/a5hr0bd8g2c5lxlajkgnzs0j00n0cv3m-curl-7.51.0-dev
  /nix/store/brh9gixb2hzyslk9b53x5g0jw4rz5s13-curl-7.51.0-man
  /nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc
  /nix/store/zry44lfn71rx6768yijyd2zg4gawnc5s-openssl-1.0.2j-bin
fetching path ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’...

*** Downloading ‘https://cache.nixos.org/nar/018ic903flb5wxkfz82rah8gy5y8zf95bj9zyz9h2hmb5bdg30r9.nar.xz’ to ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /Users/admin/.nix-profile/etc/ssl/certs/ca-bundle.crt
/nix/store/cygk7m0q7819rc1xb8pr8nzpj44msbyy-xz-5.2.2-bin/bin/xz: (stdin): File format not recognized
error: unexpected end-of-file
download of ‘https://cache.nixos.org/nar/018ic903flb5wxkfz82rah8gy5y8zf95bj9zyz9h2hmb5bdg30r9.nar.xz’ failed: No such file or directory
could not download ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’ from any binary cache
fetching path ‘/nix/store/fra3hffk8j66ikgcj8k9i0sr6ba72vq6-curl-7.51.0-devdoc’ failed with exit code 1
fetching path ‘/nix/store/54iylcd3awfv7s0rpan7wzcyyyqi3ghw-curl-7.51.0-bin’...
killing process 48520
error: build of ‘/nix/store/gbbqdh0yj6wswjywzhany7hllamdmwqn-curl-7.51.0.drv’ failed

@domenkozar Is my input still needed? Do you mean that apple fixed their curl with 10.12.x?

@layus no, I think Nix is currently broken with this fix (see below). But this fix is not needed on Sierra.

$ echo $NIX_SSL_CERT_FILE
/Users/admin/.nix-profile/etc/ssl/certs/ca-bundle.crt
$ echo $SSL_CERT_FILE

$ git clone https://github.com/NixOS/nix.git
Cloning into 'nix'...
fatal: unable to access 'https://github.com/NixOS/nix.git/': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

travis-ci confirms my findings for last three OSX versions: https://travis-ci.org/domenkozar/test-nix-1-11-7/builds/204213775

@domenkozar #1247 unbreaks this for me

I can confirm that, at least as of macOS 10.12.3, $SSL_CERT_FILE no longer seems to interfere with /usr/bin/curl.

@domenkozar weird results...

/home/travis/build.sh: line 62: /home/travis/.nix-profile/bin/nix-env: cannot execute binary file: Exec format error
...
$ git clone github.com/NixOS/nix
fatal: repository 'github.com/NixOS/nix' does not exist

Edit: Of course, you install only the osx executable, it cannot work on linux.

Don't mind Linux, just OSX.

@domenkozar Right, but git clone github.com/NixOS/nix does not work for me. Do you really want to wait for this to fail before updating? To test ssl you most certainly want https://github.com/NixOS/nix or am I missing something?

Thanks, fixed

Travis build succeeded, I'll now build a few things on OSX to verify more broadly.

@edolstra looks good to me on OSX, curl and git work from nix and from OSX itself.

I think I might be facing a related problem. I'm using a recently updated macOS Nix installation with Nix-installed version of Mercurial (hg) and I'm getting this error:

hg clone https://bitbucket.org/eigen/eigen/
abort: could not find web.cacerts: /etc/ssl/certs/ca-certificates.crt
echo $NIX_SSL_CERT_FILE 
/Users/xpe/.nix-profile/etc/ssl/certs/ca-bundle.crt

I'm using macOS 10.12.6 with nix-env (Nix) 1.11.13.

What should I try to diagnose, debug, and fix or workaround?
