tazjin/nixery

SSL Certificates not configured by default.

kevincox opened this issue · 5 comments

% docker run nixery.dev/shell/cacert/wget wget https://google.com 
--2020-10-01 19:25:03--  https://google.com/
Resolving google.com (google.com)... 172.217.1.14, 2607:f8b0:400b:80f::200e
Connecting to google.com (google.com)|172.217.1.14|:443... connected.
ERROR: cannot verify google.com's certificate, issued by 'CN=GTS CA 1O1,O=Google Trust Services,C=US':
  Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.

It seems to be relatively easy to solve:

% docker run nixery.dev/shell/cacert/wget wget https://google.com --ca-certificate=/etc/ssl/certs/ca-bundle.crt

Maybe this should be added to the docs or ideally set the environment variable automatically.

Hmm, this is a bit tricky potentially. In NixOS these environment variables are set up by a setup hook, which exports variables with the full store paths of the certificates. We don't really have a good point at which we can run the setup hooks.

An alternative - since we have the symlink layer - is to always set the variable to the path outside of the store. That's probably a decent initial solution.

Docker does have support for setting default variables in the image. I don't know if the nix builder supports that but it might be a route to investigate.

https://docs.docker.com/engine/reference/builder/#env

Yeah, we can set environment variables (the builder code is part of Nixery itself) in the image. The question is what to set them to. I have some ideas, but need to try it out ...

Is there any progress on this? Discovered the same problem with curl today.

This could probably be solved by setting SSL_CERT_FILE to ${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt by default.
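As an added example (not code from this thread or from Nixery's own builder), here is what baking that default into an image looks like with plain nixpkgs dockerTools, setting both SSL_CERT_FILE and NIX_SSL_CERT_FILE, the two variables the cacert setup hook would normally export; it assumes a nixpkgs checkout is available as `<nixpkgs>` and the image name is made up.

```nix
# Added example, not Nixery's own code: a nixpkgs dockerTools image that
# bakes the CA bundle path into the image environment so TLS verification
# works without passing --ca-certificate on every wget call.
# Assumes a nixpkgs checkout is reachable as <nixpkgs> on NIX_PATH.
{ pkgs ? import <nixpkgs> {} }:

let
  # cacert ships the Mozilla bundle at this fixed path inside its output.
  caBundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
in
pkgs.dockerTools.buildLayeredImage {
  name = "wget-with-certs";   # constructed image name
  tag = "latest";
  contents = [ pkgs.wget pkgs.cacert ];
  config = {
    # Without Env the image reproduces the failure from the issue:
    # wget cannot verify the issuer and refuses the connection.
    Env = [
      "SSL_CERT_FILE=${caBundle}"
      # Same variable the cacert setup hook exports; used by Nix tooling.
      "NIX_SSL_CERT_FILE=${caBundle}"
    ];
    Cmd = [ "${pkgs.wget}/bin/wget" "https://google.com" ];
  };
}
```

Build with `nix-build image.nix`, then `docker load < result` and `docker run wget-with-certs`; the store path in the variables is resolved at build time, so the image does not depend on any setup hook running at container start.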

Discussion on this (and some other basic guarantees on nixery-built containers) is happening in #133.