curl: (77) error setting certificate file

[philipmw]

Describe the bug

Starting with commit f829274, Nix on my system is unable to download any packages, resulting in output like this:

these 2 derivations will be built:
  /nix/store/7pmnsnhc1l8s2q29z1hfvvcgwc445cvz-node-v22.10.0.tar.xz.drv
  /nix/store/fv893kirwawhrsb8ra63zmcidlfx69fg-nodejs-22.10.0.drv
building '/nix/store/7pmnsnhc1l8s2q29z1hfvvcgwc445cvz-node-v22.10.0.tar.xz.drv'...
error checking the existence of https://tarballs.nixos.org/sha256/:
curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt

trying https://nodejs.org/dist/v22.10.0/node-v22.10.0.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
error: cannot download node-v22.10.0.tar.xz from any mirror
error: builder for '/nix/store/7pmnsnhc1l8s2q29z1hfvvcgwc445cvz-node-v22.10.0.tar.xz.drv' failed with exit code 1;

Steps To Reproduce

Steps to reproduce the behavior:

1. Update nodejs or any other package that would require a download
2. nix-build -A nodejs_22 (or whatever package you updated)

Expected behavior

trying https://nodejs.org/dist/v22.10.0/node-v22.10.0.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 44.8M  100 44.8M    0     0  12.3M      0  0:00:03  0:00:03 --:--:-- 12.3M

Additional context

Using git bisect, I narrowed down the problem to commit f829274. I don't have enough Nix knowledge to fix it myself.

Notify maintainers

@LeSuisse

Metadata

% nix-shell -p nix-info --run "nix-info -m" --show-trace --extra-experimental-features flakes
 - system: `"x86_64-darwin"`
 - host os: `Darwin 24.0.0, macOS 10.16`
 - multi-user?: `no`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.8`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `not found`

---

Add a 👍 reaction to issues you find important.

[mweinelt]

nix-build -A nodejs_22.src --check

works fine on NixOS Unstable, but apparently not on MacOS.

[symphorien]

I had exactly the same issue yesterday when reviewing pr #350779 with nixpkgs-review

hese 3 derivations will be built:
  /nix/store/99nxp0xcys0mgkif8in62ncw21ifsr47-source.drv
  /nix/store/ydlxr4bi1imfw4wnbyzndr5qbr4l9blm-bitwuzla-0.6.0.drv
  /nix/store/hwpkfbd31miz1akc9kr9qfygbiv9081n-review-shell.drv
source> building '/nix/store/99nxp0xcys0mgkif8in62ncw21ifsr47-source.drv'
source> error checking the existence of https://tarballs.nixos.org//sha256-xO9+hixboGaCAIi01sWuIYtPamIwUpiTujmOD60NEm0=:
source> curl: (77) error setting certificate file: /nix/store/pd56ggd50sxnaggw5c533na2w10sncg3-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source> 
source> trying https://github.com/bitwuzla/bitwuzla/archive/0.6.0.tar.gz
source>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
source>                                  Dload  Upload   Total   Spent    Left  Speed
source>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
source> curl: (77) error setting certificate file: /nix/store/pd56ggd50sxnaggw5c533na2w10sncg3-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source> error: cannot download source from any mirror

I am on NixOS 24.04 x86_64-linux

[LeSuisse]

Ok I'm a bit surprised, NIX_SSL_CERT_FILE is also used by fetchgit which is widely used, I would have expected this sort of issues to have been spotted already 🤔

For the macOS issue, what's the output of ls -la /etc/ssl/certs/ca-certificates.crt, it might be similar to https://discourse.nixos.org/t/ssl-ca-cert-error-on-macos/31171/5

I am on NixOS 24.04 x86_64-linux

Does /nix/store/pd56ggd50sxnaggw5c533na2w10sncg3-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt exists and is not empty?

[SuperSandro2000]

source> error checking the existence of https://tarballs.nixos.org//sha256-Qcie7sbXcMbQkMoFIYBfttmvlYooESdSk2DyebHKPlk=:
source> curl: (77) error setting certificate file: /nix/store/h8qhspg7pml84z8s4ghrhmx6m77rs161-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source>
source> trying https://github.com/sraoss/pg_ivm/archive/v1.9.tar.gz
source>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
source>                                  Dload  Upload   Total   Spent    Left  Speed
source>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
source> curl: (77) error setting certificate file: /nix/store/h8qhspg7pml84z8s4ghrhmx6m77rs161-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source> error: cannot download source from any mirror
source> error checking the existence of https://tarballs.nixos.org//sha256-t1DpFkPiSfdoGG2NgNT7g1lkvSooZoRoUrix6cBID40=:
source> curl: (77) error setting certificate file: /nix/store/h8qhspg7pml84z8s4ghrhmx6m77rs161-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source>
source> trying https://github.com/citusdata/pg_cron/archive/v1.6.4.tar.gz
source>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
source>                                  Dload  Upload   Total   Spent    Left  Speed
source>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
source> curl: (77) error setting certificate file: /nix/store/h8qhspg7pml84z8s4ghrhmx6m77rs161-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt
source> error: cannot download source from any mirror

Does /nix/store/pd56ggd50sxnaggw5c533na2w10sncg3-nss-cacert-3.104/etc/ssl/certs/ca-bundle.crt exists and is not empty?

Yep and it has content.

[LeSuisse]

Ok let's revert, it's not ideal but I cannot troubleshoot it properly for now. #351420

[fabaff]

nix-review now works for me.