
openssl: nixpkgs should unset NIX_SSL_FILE #385955

@fzakaria

Description


Nixpkgs version

  • Unstable (25.05)

Describe the bug

Nix uses a custom SSL environment variable to control its SSL certificate loading, distinct from the eventual packages it may run: NIX_SSL_CERT_FILE

You can see the patch: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/nix-ssl-cert-file.patch

Package authors in Nix (as opposed to Nix developers themselves) follow the OpenSSL guidelines/documentation and set SSL_CERT_FILE and SSL_CERT_DIR.

stdenv, however, includes a default NIX_SSL_CERT_FILE of /fake-cert.crt.

Even if you set the following in your derivation, it won't get picked up due to the presence of NIX_SSL_CERT_FILE:

SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

You can fix this by unsetting NIX_SSL_CERT_FILE.

tl;dr: NIX_SSL_CERT_FILE is a special Nix environment variable meant for the application itself and not for packages; having it explicitly set causes havoc.

Adding cacert seems to "make things work" since the setup-hook just makes all 3 variables the same thing (https://github.com/NixOS/nixpkgs/blame/47c271667487cdcaa24c88d9b18b2df2bc47c30f/pkgs/data/misc/cacert/setup-hook.sh#L7), but this again is wrong; packages should not be setting NIX_SSL_CERT_FILE (which is done plenty in nixpkgs).

Steps to reproduce

Broken

let pkgs = import <nixpkgs> {};
in
with pkgs; stdenv.mkDerivation {
  name = "test-ssl";
  nativeBuildInputs = [ openssl ];
  # There's no real "source" here, so just override buildPhase
  phases = [ "buildPhase" ];

  # Exported into the build environment, but stdenv's default
  # NIX_SSL_CERT_FILE is still present and takes precedence.
  SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  buildPhase = ''
    openssl s_client -showcerts -connect github.com:443
  '';
}

Works

let pkgs = import <nixpkgs> {};
in
with pkgs; stdenv.mkDerivation {
  name = "test-ssl";
  nativeBuildInputs = [ openssl ];
  # There's no real "source" here, so just override buildPhase
  phases = [ "buildPhase" ];

  SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  buildPhase = ''
    # Drop stdenv's default so OpenSSL falls through to SSL_CERT_FILE.
    unset NIX_SSL_CERT_FILE
    openssl s_client -showcerts -connect github.com:443
  '';
}

Expected behaviour

Expected behaviour: setting only SSL_CERT_FILE is enough to make SSL work.

Additional context

@markrwilliams helped me diagnose this.

System metadata

> nix-shell -p nix-info --run "nix-info -m"
these 2 paths will be fetched (0.01 MiB download, 0.10 MiB unpacked):
  /nix/store/b6c4gr52pv5df2wpdi7b0gkiqsfjm0sr-DarwinTools-1
  /nix/store/920c6q654ang4h351jq5a6nsvr44d9xz-nix-info
copying path '/nix/store/b6c4gr52pv5df2wpdi7b0gkiqsfjm0sr-DarwinTools-1' from 'https://cache.nixos.org'...
copying path '/nix/store/920c6q654ang4h351jq5a6nsvr44d9xz-nix-info' from 'https://cache.nixos.org'...
 - system: `"aarch64-darwin"`
 - host os: `Darwin 23.6.0, macOS 14.7.4`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.24.12`
 - channels(root): `""`
 - nixpkgs: `/nix/store/64lxq5kn85vglf3xhbh0zxjj8hin3m42-source`

Notify maintainers

CC @baloo (Couldn't find official maintainers)

Note for maintainers: Please tag this issue in your pull request description. (i.e. Resolves #ISSUE.)

I assert that this issue is relevant for Nixpkgs

Is this issue important to you?

Add a 👍 reaction to issues you find important.
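The precedence the issue describes, reduced to a plain-shell model with a preBuild-style check, as an added example that is not from the issue or from nixpkgs. It assumes only what the issue reports (NIX_SSL_CERT_FILE is consulted before SSL_CERT_FILE), uses "(default)" as a stand-in for OpenSSL's compiled-in path, and writes a constructed placeholder file rather than a real CA bundle; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the nixpkgs issue or from nixpkgs itself.
# Models the lookup order the issue reports for nixpkgs' patched OpenSSL
# (NIX_SSL_CERT_FILE before SSL_CERT_FILE) and packages the issue's fix
# as a hook a derivation can call from preBuild. The variable names are
# the real ones; the precedence model and the hook are this example's
# own simplification, and "(default)" stands in for the compiled-in path.

# Print the path the patched OpenSSL would try first.
effective_cert_file() {
    if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$NIX_SSL_CERT_FILE"
    elif [ -n "${SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s\n' "(default)"
    fi
}

# Succeed when the effective file is readable (or is the compiled-in
# default). Failure here is the state the issue's "Broken" derivation
# is in: NIX_SSL_CERT_FILE wins but names a file that does not exist.
cert_file_usable() {
    f=$(effective_cert_file)
    [ "$f" = "(default)" ] || [ -r "$f" ]
}

# The fix from the issue as a hook: when NIX_SSL_CERT_FILE is set but does
# not name a readable file while SSL_CERT_FILE does, drop the override.
# Must be called in the current shell (not via $(...)) so the unset takes
# effect for the commands that follow. Returns 0 if it changed anything.
fix_cert_env() {
    if [ -n "${NIX_SSL_CERT_FILE:-}" ] && [ ! -r "$NIX_SSL_CERT_FILE" ] \
       && [ -n "${SSL_CERT_FILE:-}" ] && [ -r "$SSL_CERT_FILE" ]; then
        echo "unsetting NIX_SSL_CERT_FILE=$NIX_SSL_CERT_FILE (not readable);" \
             "falling back to SSL_CERT_FILE=$SSL_CERT_FILE" >&2
        unset NIX_SSL_CERT_FILE
        return 0
    fi
    return 1
}

# Stand-alone demonstration with a constructed placeholder file in place of
# a CA bundle (only readability is checked, never certificate contents).
demo() {
    bundle=$(mktemp)
    printf 'constructed placeholder, not a real certificate\n' > "$bundle"
    export NIX_SSL_CERT_FILE=/fake-cert.crt
    export SSL_CERT_FILE="$bundle"
    echo "before: $(effective_cert_file)"   # /fake-cert.crt, unreadable
    fix_cert_env || true
    echo "after:  $(effective_cert_file)"   # the bundle path
    rm -f "$bundle"
}
```

In a derivation this is the same thing the issue's "Works" example does with a bare `unset NIX_SSL_CERT_FILE`; the hook form only adds the readability check so a build log records why the override was dropped.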

Metadata

Assignees: No one assigned

Labels:
  • 0.kind: bug (Something is broken)
  • 2.status: stale (https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md)

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests