[Nix-dev] Installing CA certificates

Adam Russell adamlr6 at gmail.com
Fri Feb 19 23:28:37 CET 2016


Using that page as reference, I ran this command:

certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i /etc/ssl/certs/ca-certificates.crt

That page did lead me to some other pages that might be helpful:
https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
http://blog.xelnor.net/firefox-systemcerts/
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md

And in particular, http://superuser.com/a/719047/73086

However, things still don't work, and running the openssl command as
recommended in the last link doesn't give me the expected "verify return
code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).

This is all way over my head. I have some more reading to do. Once I do
figure it out, I think I will suggest having the NixOS module take care of
whatever steps are necessary to fix this, assuming it can be done in a
reproducible manner.

On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimbatm at zimbatm.com> wrote:

> Found this which might be useful to you:
> http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
>
>
> On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:
>
>> curl should work just fine then. Can you paste the output of `curl -v
>> https://yoursite.com` ?
>>
>> Chromium uses NSS which has another mechanism for its PKI which I don't
>> know. Can you confirm that your cert is also in
>> /etc/pki/tls/certs/ca-bundle.crt ?
>> Also do you have anything under ~/.pki ?
>>
>>
>> On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
>>
>>> The output is:
>>>
>>> $ echo $SSL_CERT_FILE
>>> /etc/ssl/certs/ca-certificates.crt
>>> $ echo $CURL_CA_BUNDLE
>>>
>>> $
>>>
>>> And yes, the certificates are in that file. Is there another step that
>>> needs to happen for curl and Chromium to be able to use them?
>>>
>>> On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>>
>>>> What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE` ?
>>>> If one of those is set, look in the pointed file if you can find your
>>>> certificate.
>>>>
>>>> On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
>>>>
>>>>> Thomas, I've not used the openssl command-line tool before, and
>>>>> looking at its documentation I'm not sure what command I would run in order
>>>>> to test it, or what output to look for. I can tell you that curl doesn't
>>>>> work against the domains in question, though (at least without the insecure
>>>>> flag).
>>>>>
>>>>> Regardless, with or without the "comment" with the equal signs
>>>>> separator, adding things to security.pki.certificates has no effect for me.
>>>>> Is there a bug, or am I doing something wrong?
>>>>>
>>>>> On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Adam,
>>>>>>
>>>>>> Can you make the TLS call work with a command line tool like openssl?
>>>>>> I'm not 100% sure but I think that Chrome might use a different set of
>>>>>> trusted certs (based on the Mozilla ones) [1].
>>>>>>
>>>>>> ~
>>>>>>
>>>>>> [1]
>>>>>> https://www.chromium.org/Home/chromium-security/root-ca-policy
>>>>>>
>>>>>> On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com> wrote:
>>>>>>
>>>>>>> Hello Nix-Dev,
>>>>>>>
>>>>>>> I'm trying to understand how to install CA certificates in NixOS.
>>>>>>>
>>>>>>> If I visit my work's webmail in Chromium, I get an indicator that my
>>>>>>> connection is not private. Clicking the padlock icon in the address bar,
>>>>>>> then the "Certificate information" link in the Connection tab, going to the
>>>>>>> "Details" tab, and clicking "Export" allows me to download a certificate.
>>>>>>>
>>>>>>> The text in this export is what I am supposed to put in the array in
>>>>>>> `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
>>>>>>> correct? Am I missing something?
>>>>>>>
>>>>>>> The documentation I am using is at:
>>>>>>> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>>>>>>>
>>>>>>> Does the text above the equal signs have any significance
>>>>>>> ("NixOS.org" in the example), or is it just a comment?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Adam
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> nix-dev mailing list
>>>>>>> nix-dev at lists.science.uu.nl
>>>>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>>>>
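One way to confirm that a CA certificate is actually present in a bundle such as /etc/ssl/certs/ca-certificates.crt, as an added example that is not from the thread: it parses the Debian/NixOS bundle layout (an optional label line such as "NixOS.org" above a row of equals signs, which is only a comment, followed by a PEM block) and compares certificates by the SHA-256 of their DER bytes, so a differently wrapped copy of the same certificate still matches. The sample bundle and certificates below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; group(1) is the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample bundle in the layout security.pki.certificates uses:
# a label, a row of '=' and then the PEM block. Bodies are placeholders.
SAMPLE_BUNDLE = """\
NixOS.org
=========
-----BEGIN CERTIFICATE-----
MIIBAQIBAA==
-----END CERTIFICATE-----

DEV.LOCAL
=========
-----BEGIN CERTIFICATE-----
MIIBAgIBAQ==
-----END CERTIFICATE-----
"""

# Same DER as the DEV.LOCAL entry, but re-wrapped and without a label.
REWRAPPED_DEV_LOCAL = (
    "-----BEGIN CERTIFICATE-----\nMIIBAg\n  IBAQ==\n-----END CERTIFICATE-----\n")
# A different (constructed) certificate that is not in the bundle.
OTHER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBAwIBAg==\n-----END CERTIFICATE-----\n"


def parse_bundle(text):
    """Return [(label, der_bytes)] for every certificate in the bundle.
    The label is the last non-empty, non-'=====' line before the PEM block
    (empty string if there is none, as in a plain concatenated bundle)."""
    certs, pos = [], 0
    for m in PEM_RE.finditer(text):
        preamble = text[pos:m.start()]
        lines = [ln.strip() for ln in preamble.splitlines()
                 if ln.strip() and not set(ln.strip()) <= {"="}]
        label = lines[-1] if lines else ""
        # Strip all whitespace so wrapping differences do not matter.
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs.append((label, der))
        pos = m.end()
    return certs


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()


def bundle_contains(bundle_text, cert_pem):
    """True if cert_pem (exactly one PEM certificate) is already in the bundle."""
    target = parse_bundle(cert_pem)
    if len(target) != 1:
        raise ValueError("expected exactly one certificate in cert_pem")
    want = fingerprint(target[0][1])
    return any(fingerprint(der) == want for _, der in parse_bundle(bundle_text))
```

A match here only shows the certificate is in the file; openssl's verify return code 21 (unable to verify the first certificate) means the server sent only its leaf and no issuer for it was found in the store, so if the issuer is an intermediate the server does not send, that intermediate has to be in the bundle as well, not just the root.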