Installer not working on mac os aarch64-darwin with Internal Certificate Proxy #289
Comments
Thanks for this report! I think this will require a patch on our end. I'll try to get it into next release! |
I just wanted to mention some of the issues I have faced with the normal nix installer while trying to get it to work within our company, and those have slowed down my push / adoption effort. Thanks for your time and help. |
Are these certificates present on your system root? If so, I'm testing #332 which may help. If they're not in your native roots, that PR won't help. |
If that PR doesn't help, it does appear I'm pondering if we should add an explicit option or document support of this. |
Can confirm a977370 works on a previously failed Apple M1 macOS. Steps:
|
I will give this a try as well. I will have to create a build environment
for this first, I guess, to try it.
The other issue once this install succeeds is that the per-project flakes
still face an issue.
Where does this flag put the certificate to make the install process
succeed, and is there a way so that curl and other fetchurl commands
automatically work by finding this location and using the nix daemon that
has this setting?
Also, with the normal installer, since it only supports multi-user, I have to do
sudo now to run nix commands; is that still required with this as well?
I noticed even for per-project flakes I had to sudo nix build and also
pass the SSL cert file, but it still failed with SSL errors. I am hoping you all
are experts and can help out.
…On Tue, Mar 14, 2023, 02:27 Bruce Wang ***@***.***> wrote:
Can confirm a977370 works on a previously failed Apple M1 macOS.
Steps:
λ RUSTFLAGS="--cfg tokio_unstable" cargo build
# /opt/homebrew/etc/ca-certificates/cert.pem has the Netskope self-signed cert appended at the end
λ export NIX_SSL_CERT_FILE=/opt/homebrew/etc/ca-certificates/cert.pem
λ ./target/debug/nix-installer install
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Password:
Nix install plan (v0.5.1-unreleased)
Planner: macos
The following actions will be taken:
* Create an APFS volume `Nix Store` for Nix on `disk3` and add it to `/etc/fstab` mounting on `/nix`
* Fetch `https://releases.nixos.org/nix/nix-2.13.3/nix-2.13.3-aarch64-darwin.tar.xz` to `/nix/temp-install-dir`
* Create build users (UID 300-332) and group (GID 30000)
* Create a directory tree in `/nix`
* Move the downloaded Nix into `/nix`
* Setup the default Nix profile
* Place the Nix configuration in `/etc/nix/nix.conf`
* Configure the shell profiles
* Configure Nix daemon related settings with launchctl
* Remove directory `/nix/temp-install-dir`
Proceed? ([Y]es/[n]o/[e]xplain):
INFO Step: Create an APFS volume `Nix Store` for Nix on `disk3` and add it to `/etc/fstab` mounting on `/nix`
INFO Step: Provision Nix
INFO Step: Configure Nix
INFO Step: Configure Nix daemon related settings with launchctl
INFO Step: Remove directory `/nix/temp-install-dir`
Nix was installed successfully!
To get started using Nix, open a new shell or run `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh`
|
The installation process succeeds, but if I try to build my flake to setup my home and laptop I still get the following.
|
@Hoverbear I was trying to debug this issue and tried the following command. I ran ps on the nix-daemon; it seems like the NIX_SSL_CERT_FILE is NOT pointing to the one I set before running the installer. It points to the default, I believe.
|
I looked at the plist file and it points to the default path, I am guessing.
|
Hi @mohnishkodnani ! It's not a surprise that However, this doesn't help the installed Nix does it? :( Looking at that plist, It makes sense the official install scripts worked for you, however I'm a bit curious how Nix worked for you after... Referring to this documentation, you should have needed to set the environment manually: I think we could actually handle this inside the installer... Do you happen to know if you had to change that setting with the official scripts? |
It shouldn't be, if you need |
@Hoverbear First of all I would like to thank you for even taking the time to get back to me on this.
mkodnani@C2CKVCFH3G home-config % NIX_SSL_CERT_FILE=/Library/Application\ Support/Netskope/STAgent/download/nscacert_combined.pem nix run nixpkgs#hello
warning: error: unable to download 'https://cache.nixos.org/g2y7yvdrhb9l037c8v79lcxk5lxwgdvp.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 304 ms
warning: error: unable to download 'https://cache.nixos.org/g2y7yvdrhb9l037c8v79lcxk5lxwgdvp.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 550 ms
warning: error: unable to download 'https://cache.nixos.org/g2y7yvdrhb9l037c8v79lcxk5lxwgdvp.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 1287 ms
warning: error: unable to download 'https://cache.nixos.org/g2y7yvdrhb9l037c8v79lcxk5lxwgdvp.narinfo': SSL peer certificate or SSH remote key was not OK (60); retrying in 2236 ms
error: unable to download 'https://cache.nixos.org/g2y7yvdrhb9l037c8v79lcxk5lxwgdvp.narinfo': SSL peer certificate or SSH remote key was not OK (60)
mkodnani@C2CKVCFH3G home-config % env
NIX_PROFILES=/nix/var/nix/profiles/default /Users/mkodnani/.nix-profile
NIX_SSL_CERT_FILE=/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem
NIX_REMOTE=daemon
mkodnani@C2CKVCFH3G home-config % echo $SHELL
/bin/zsh
mkodnani@C2CKVCFH3G home-config % cat /etc/zshenv
# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
. '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix
I checked root user's profile; its shell is set to /bin/sh and there are no configs that set the certificate correctly for that user. |
Happy to help -- I want to get this sorted for others too! Could you remove your existing install ( curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/341 | sh -s -- install --ssl-cert-file $YOUR_CERT_FILE_PATH I'm very curious if it works for you. This branch should both use that certificate while downloading Nix, and set up your shell profiles to include the |
@Hoverbear Happy to try it out, of course. I tried to put the certificate in my home path to see if spaces was an issue, but got the same error, but at this point I am unsure if NIX_SSL_CERT_FILE is having any impact. One thing I did try honestly as a last ditch effort.
However, this is not something I would like to do, but it might point to the fact that somewhere something is not fully set up. The other worry, even if I get your way to work, is how per-project flakes work: they are pure, and how to pass this to them such that curl, fetchurl etc. work. However, for now, let me try your approach and report back. |
A valid concern! The |
mkodnani@C2CKVCFH3G home-config % curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/341 | sh -s -- install --ssl-cert-file /Library/Application\ Support/Netskope/STAgent/download/nscacert_combined.pem
info: downloading installer https://install.determinate.systems/nix/rev/37da214bf9ad37915acc7ebec44f9865100ea406/nix-installer-aarch64-darwin
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
Nix install plan (v0.5.1-unreleased)
Planner: macos
Planner settings:
* ssl_cert_file: "/Library/Application Support/Netskope/STAgent/download/nscacert_combined.pem"
The following actions will be taken:
* Create an APFS volume `Nix Store` for Nix on `disk3` and add it to `/etc/fstab` mounting on `/nix`
* Fetch `https://releases.nixos.org/nix/nix-2.13.3/nix-2.13.3-aarch64-darwin.tar.xz` to `/nix/temp-install-dir`
* Create build users (UID 300-332) and group (GID 30000)
* Create a directory tree in `/nix`
* Move the downloaded Nix into `/nix`
* Setup the default Nix profile
* Place the Nix configuration in `/etc/nix/nix.conf`
* Configure the shell profiles
* Configure Nix daemon related settings with launchctl
* Remove directory `/nix/temp-install-dir`
Proceed? ([Y]es/[n]o/[e]xplain): Y
INFO Step: Create an APFS volume `Nix Store` for Nix on `disk3` and add it to `/etc/fstab` mounting on `/nix`
INFO Step: Provision Nix
INFO Step: Configure Nix
INFO Step: Configure Nix daemon related settings with launchctl
INFO Step: Remove directory `/nix/temp-install-dir`
Nix was installed successfully!
To get started using Nix, open a new shell or run `. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh`
|
Looked at /etc/zshenv and it has the following
However, on my terminal I do see a breaking line error.
|
Not sure what's wrong with my system.
|
More debugging on my end to get things working.
As can be seen the NIX_SSL_CERT_FILE is pointing to the default bundle and not the one we pass during install.
Now it points to the correct location.
Since it couldn't download from cache, the command is taking very long, since everything is locally built 150/390 packages :) This tells me one thing, that the certificate took effect, but probably some are missing which are in the default ca-bundle.crt to cause that warning. When I combined the files in default ca-bundle from Nix with mine, I think it worked well; however, I think any nix upgrade would overwrite it. |
If I setenv using launchctl as the regular install I see this difference in the running environment, however, same SSL errors.
As you can see there is an inherited NIX_SSL_CERT_FILE pointing to my path and then an environment section with default. |
In #289 (comment) you describe how even if you do set the environment correctly in the plist, it still doesn't work correctly? You may have actually bumped into a Nix bug if that is the case. I'm going to try to set up a more complete reproduction to test. If we can confirm it's a bug then I'd like to see the outcome of that fix before we make additional changes to the installer. |
My other suspicion is perhaps the Nix daemon (running in the |
I spoke with some folks today and it looks like we do need to set it on the init system, not in the shell profile. (Actually -- We need to in both places). I'll have a PR up soon for that. We're going to explore adding |
#352 includes a fix and should be out soon! |
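The mismatch diagnosed above (the shell's NIX_SSL_CERT_FILE naming the corporate bundle while the daemon's launchd plist names a different one) can be checked with a short script. This is an added example, not code from nix-installer or from any commenter; the function names, fixture paths and plist contents are assumptions constructed for illustration, and the plist is passed as an argument rather than assumed at a fixed location.

```shell
#!/bin/sh
# Added example (not from the thread); fixture paths and plist are constructed.

# Print the <string> following <key>NAME</key> in an XML plist, laid out one
# element per line.
plist_env_value() {  # usage: plist_env_value PLIST NAME
    awk -v name="$2" '
        BEGIN  { k = "<key>" name "</key>" }
        !found { i = index($0, k); if (!i) next
                 found = 1; $0 = substr($0, i + length(k)) }
        match($0, /<string>[^<]*<\/string>/) {
                 print substr($0, RSTART + 8, RLENGTH - 17); exit }
        /<key>/ { exit }   # reached the next key: NAME had no string value
    ' "$1"
}

# Count PEM certificates in a bundle; prints 0 for a missing or empty file.
pem_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if shell and daemon name the same readable, non-empty bundle.
check_nix_ca() {  # usage: check_nix_ca PLIST [SHELL_VALUE]
    shell_val=${2-${NIX_SSL_CERT_FILE-}}
    daemon_val=$(plist_env_value "$1" NIX_SSL_CERT_FILE)
    if [ -z "$daemon_val" ]; then
        echo "daemon: NIX_SSL_CERT_FILE not set in $1"; return 1
    elif [ "$daemon_val" != "$shell_val" ]; then
        echo "mismatch: shell='$shell_val' daemon='$daemon_val'"; return 1
    fi
    n=$(pem_count "$daemon_val")
    [ "$n" -gt 0 ] || { echo "no certificates readable in $daemon_val"; return 1; }
    echo "ok: $n certificate(s) in $daemon_val"
}

# Constructed fixture: the shell names a corporate bundle under a path with a
# space, while the daemon plist still names a different (default) bundle.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/Application Support"
    corp="$d/Application Support/corp-ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$corp"
    printf '<dict>\n  <key>NIX_SSL_CERT_FILE</key>\n  <string>%s</string>\n</dict>\n' \
        "$d/default-ca-bundle.crt" > "$d/daemon.plist"
    check_nix_ca "$d/daemon.plist" "$corp"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true   # prints the mismatch line for the constructed fixture
```

A binary-format plist has to be converted to XML first, for example with `plutil -convert xml1 -o - FILE` on macOS.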
Still hitting this bug. I transferred from intel to m2 and have not been able to get nix installed properly.
Any ideas? |
Running the command as root works:
Once packages installed by root, it works as normal user:
So this looks like the permissions are set wrongly somewhere. The sandbox and multi-user? flags also change. |
@aalexei I've been able to fix the issue by updating the
Reload the daemon ...
|
@aalexei did you happen to have nix-darwin installed before doing the manual uninstall? |
We have an internal proxy for all traffic. The original installer takes NIX_SSL_CERT_FILE as input and works fine, however with this installer I get the following error.
I did try to set up the location before running the install using the following.
Another issue is that even when the installer fails, the exit code after reverting some steps is 0, so I cannot use it inside a script.
Full stdout