[Nix-dev] Installing CA certificates

zimbatm zimbatm at zimbatm.com
Fri Feb 19 18:36:00 CET 2016


curl should work just fine then. Can you paste the output of `curl -v
https://yoursite.com` ?

Chromium uses NSS which has another mechanism for its PKI which I don't
know. Can you confirm that your cert is also in
/etc/pki/tls/certs/ca-bundle.crt ?
Also do you have anything under ~/.pki ?


On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:

> The output is:
>
> $ echo $SSL_CERT_FILE
> /etc/ssl/certs/ca-certificates.crt
> $ echo $CURL_CA_BUNDLE
>
> $
>
> And yes, the certificates are in that file. Is there another step that
> needs to happen for curl and Chromium to be able to use them?
>
> On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
>
>> What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE` ?
>> If one of those is set, look in the pointed file if you can find your
>> certificate.
>>
>> On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
>>
>>> Thomas, I've not used the openssl command-line tool before, and looking
>>> at its documentation I'm not sure what command I would run in order to test
>>> it, or what output to look for. I can tell you that curl doesn't work
>>> against the domains in question, though (at least without the insecure
>>> flag).
>>>
>>> Regardless, with or without the "comment" with the equal signs
>>> separator, adding things to security.pki.certificates has no effect for me.
>>> Is there a bug, or am I doing something wrong?
>>>
>>> On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com>
>>> wrote:
>>>
>>>> Hi Adam,
>>>>
>>>> Can you make the TLS call work with a command line tool like openssl?
>>>> I'm not 100% sure but I think that Chrome might use a different set of
>>>> trusted certs (based on the Mozilla ones) [1].
>>>>
>>>> ~
>>>>
>>>> [1]
>>>> https://www.chromium.org/Home/chromium-security/root-ca-policy
>>>>
>>>> On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com> wrote:
>>>>
>>>>> Hello Nix-Dev,
>>>>>
>>>>> I'm trying to understand how to install CA certificates in NixOS.
>>>>>
>>>>> If I visit my work's webmail in Chromium, I get an indicator that my
>>>>> connection is not private. Clicking the padlock icon in the address bar,
>>>>> then the "Certificate information" link in the Connection tab, going to the
>>>>> "Details" tab, and clicking "Export" allows me to download a certificate.
>>>>>
>>>>> The text in this export is what I am supposed to put in the array in
>>>>> `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
>>>>> correct? Am I missing something?
>>>>>
>>>>> The documentation I am using is at:
>>>>> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>>>>>
>>>>> Does the text above the equal signs have any significance ("NixOS.org"
>>>>> in the example), or is it just a comment?
>>>>>
>>>>> Thanks,
>>>>> -Adam
>>>>>
>>>>> _______________________________________________
>>>>> nix-dev mailing list
>>>>> nix-dev at lists.science.uu.nl
>>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>>
>>>
>>
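
The check asked for in this thread (is the exported certificate actually in the bundle file that `SSL_CERT_FILE` or `CURL_CA_BUNDLE` points to?), as an added example that is not part of the original messages. It compares SHA-256 fingerprints of the decoded PEM blocks; the function names and the sample bundle are constructed for illustration.

```python
import hashlib
import os
import re
import ssl

# Bundle paths named in the thread; SSL_CERT_FILE / CURL_CA_BUNDLE are checked first.
DEFAULT_BUNDLES = ["/etc/ssl/certs/ca-certificates.crt",
                   "/etc/pki/tls/certs/ca-bundle.crt"]
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# Constructed sample: placeholder payloads ("AAA", "BBB"), not real certificates.
SAMPLE_BUNDLE = ("Example Root\n============\n"
                 "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n")

def fingerprints(pem_text):
    """Map SHA-256 of the decoded block -> label for each certificate in pem_text."""
    found = {}
    for m in PEM_RE.finditer(pem_text):
        der = ssl.PEM_cert_to_DER_cert(m.group(0))
        label = ""
        for line in reversed(pem_text[:m.start()].splitlines()):
            line = line.strip()
            if line.startswith("-----END"):
                break                      # previous certificate: no label
            if line and set(line) != {"="}:
                label = line               # text above the "====" separator
                break
        found[hashlib.sha256(der).hexdigest()] = label
    return found

def locate(cert_pem, bundle_paths=None, env=os.environ):
    """Return {bundle path: 'present' | 'absent' | 'unreadable'} for cert_pem."""
    certs = fingerprints(cert_pem)
    if len(certs) != 1:
        raise ValueError("expected exactly one certificate")
    wanted = next(iter(certs))
    paths = [env[v] for v in ("SSL_CERT_FILE", "CURL_CA_BUNDLE") if env.get(v)]
    paths += DEFAULT_BUNDLES if bundle_paths is None else bundle_paths
    result = {}
    for path in dict.fromkeys(paths):      # de-duplicate, keep order
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                result[path] = "present" if wanted in fingerprints(fh.read()) else "absent"
        except OSError:
            result[path] = "unreadable"
    return result

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        for path, state in locate(fh.read()).items():
            print(f"{state:10} {path}")
```

Run it with the path of the exported certificate as the only argument. It covers only file-based bundles such as the ones curl reads, not the NSS store mentioned for Chromium.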

