I do not know if this is a documentation issue, bug, or something different. Nevertheless it took me close to a day to get my nix working again - and I do not know if I solved the problem correctly.
I'm running macOS Mojave 10.14.6 (18G1012) with a working single-user nix install and using darwin-nix. Before updating to macOS Catalina I wanted to switch to multi-user nix for all its advantages.
I did not figure out how to convert from single to multi-user so the only viable solution I found was to remove my old installation and reinstall with bash <(curl https://nixos.org/nix/install) --daemon - after all my whole configuration is declaratively stored in my darwin-configuration.nix file.
I first tried the recommendations from that script if you run it with an existing install. After removing these nix related files, the installation went through and suggested I could run nix-shell -p nix-info --run "nix-info -m" in a new shell. But that failed with varying results between:
$ nix-shell -p nix-info --run "nix-info -m"
error (ignored): unable to download [...]: Problem with the SSL CA cert (path? access rights?) (77)
$ nix-shell -p nix-info --run "nix-info -m"
error: unexpected end-of-file
Now I tried several things and found many different potential reasons - not all documented. But to name a few:
$ sudo nix-shell -p nix-info --run "nix-info -m"
Password:
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:13
all without success.
The breakthrough was when I found expipiplus1's tutorial on how to convert a nix single-user install into a multi-user one:
There he linked NIX_SSL_CERT_FILE to /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt for the daemon on Linux. This file did exist and so I tried:
$ sudo launchctl setenv NIX_SSL_CERT_FILE /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
$ nix-shell -p nix-info --run "nix-info -m"
[...]
- system: `"x86_64-darwin"`
- host os: `Darwin 18.7.0, macOS `
- multi-user?: `yes`
- sandbox: `no`
- version: `nix-env (Nix) 2.3.1`
- channels(root): `"nixpkgs-20.03pre204216.cc6cf0a96a6"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`
and it worked. But I have my doubts that this is the correct way, since I found this comment on discourse:
Another option to consider is to change the Nix single-user install script to set up the default profile to include the cacert package. The downside here is it would likely never get updated again unless the user intentionally mucks with the default profile.
$ nix --version
nix (Nix) 2.3.1
I've also just run into this and was able to figure out that one of my installation runs left a dangling symlink or malformed file at /Library/LaunchDaemons/org.nixos.nix-daemon.plist.
This prevented one of the final steps of the multi-user installer from being run, and it would consistently error out with what you've been describing.
Once I ran my cleanup scripts, deleted that file, and then reran the multi-user installer everything seemed to work.
Also of note is now my user-defined Nix channels aren't being picked up by default.
I'm assuming that there's some stale bashrc config somewhere that's loading up a global list of channels and ignoring them. If I manually add $HOME/.nix-defexpr/channels (I think? I'm going off of memory) to my NIX_PATH and then install everything I had setup with nix-darwin and home-manager then it all seems to work out.
When I load the shell installed and configured by home-manager, all the paths are set appropriately again and my channels are locked up as expected.
I had the same issue and your solution worked for me.
I spoke too soon. I just tried to install nix-darwin and the error came back.
$ nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A installer
error: unable to download 'https://github.com/LnL7/nix-darwin/archive/master.tar.gz': Problem with the SSL CA cert (path? access rights?) (77)
I just had the same issue, and removing the old plist and reinstalling appears to have resolved it.
Seems like there are two problems. One, the installer's uninstall instructions should mention to remove /Library/LaunchDaemons/org.nixos.nix-daemon.plist (not just stop and unload it), and two, the installer should do something reasonable if it sees a non-matching one.
I ran into a very similar issue. I reran the multi-user OSX install script in an effort to upgrade nix from 2.3.3 to 2.3.4. The issue was caused (at least for me) by /etc/ssl/certs/ca-certificates.crt being a dead link. It was previously linked to /etc/static/...... I'm not sure which project added /etc/static, nix-darwin or nix-home (I use both..and love both ;)). Fixing the symlink and running
sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
sudo launchctl kickstart -k system/org.nixos.nix-daemon
fixed the issue for me. I initially got the same errors described in https://github.com/NixOS/nix/issues/2794 as well.
cc @LnL7
... the installer's uninstall instructions should mention to remove
/Library/LaunchDaemons/org.nixos.nix-daemon.plist
In my case (nix 2.3.5) there was a /Library/LaunchDaemons/org.nixos.activate-system.plist. I unloaded/removed it and reinstalled; afterwards the error Problem with the SSL CA cert was gone upon re-installation.
I believe this was fixed in #4023. Perhaps someone here can confirm this?
I'm having a different but seemingly related error... After installing Catalina, I reinstalled Nix with multiuser and added the line to the daemon conf that @maljub01 added. Now I'm getting SSL peer certificate or SSH remote key was not OK (60) when I try to hit the cache.
This also seems to happen without the daemon... And occurs during installation when the channel is initially updated, without any failure message from the installer?
Never mind, this is a problem with my work computer's environment, using their provided CA bundle fixed it.
For those still with the issue after trying the above, check to see if this PR helps: https://github.com/NixOS/nix/pull/4171
I also had the dead symlink mentioned in https://github.com/NixOS/nix/issues/3261#issuecomment-618045691. This worked for me:
sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt
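A read-only check for the failure modes reported in this thread (a dangling plist or CA-bundle symlink, or a bundle file that is unreadable, empty or not PEM), added here as an example and not part of any comment or of the Nix installer. The function names are made up for illustration; the paths are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks the CA bundle and launchd
# plist paths quoted in the comments for the failure modes reported there.

# link_state PATH -> missing | dangling | present
link_state() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo dangling               # symlink whose target is gone
    elif [ -e "$1" ]; then
        echo present
    else
        echo missing
    fi
}

# ca_bundle_state PATH -> missing | dangling | unreadable | empty | no-pem | ok
ca_bundle_state() {
    state=$(link_state "$1")
    if [ "$state" != present ]; then
        echo "$state"
    elif [ ! -r "$1" ]; then
        echo unreadable             # the "access rights?" half of error 77
    elif [ ! -s "$1" ]; then
        echo empty
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo no-pem                 # file exists but holds no PEM certificate
    else
        echo ok
    fi
}

report() {
    daemon_env=
    # Value the daemon inherits from launchd (macOS only).
    if command -v launchctl >/dev/null 2>&1; then
        daemon_env=$(launchctl getenv NIX_SSL_CERT_FILE 2>/dev/null || true)
        echo "launchd NIX_SSL_CERT_FILE=${daemon_env:-<unset>}"
    fi
    for f in ${NIX_SSL_CERT_FILE:+"$NIX_SSL_CERT_FILE"} ${daemon_env:+"$daemon_env"} \
        /etc/ssl/certs/ca-certificates.crt \
        /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt; do
        echo "ca-bundle $f: $(ca_bundle_state "$f")"
    done
    for f in /Library/LaunchDaemons/org.nixos.nix-daemon.plist \
        /Library/LaunchDaemons/org.nixos.activate-system.plist; do
        echo "plist $f: $(link_state "$f")"
    done
}

report
```

Anything other than `ok` on the path that NIX_SSL_CERT_FILE names points at the trust store itself as the thing to repair; the check changes nothing on disk.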