nixos-install: fix SSL certificate error

[abbradar]

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • OS X
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

When trying to run nixos-install from the latest unstable ISO I got could not download https://cache.nixos.org/nix-cache-info with an SSL error. curling this URL worked fine. The problem, IIUC, is because we don't have SSL_CERT_FILE set in the ISO environment, so this (patched now) code hasn't copied the CA bundle. I don't see any reason why not just use CA bundle from nixpkgs, so this patch does just that. My theory appears to be correct because exporting this variable and running nixos-install from an unpatched ISO also fixes this problem.

cc @aszlig as the author of cf7f15c

[mention-bot]

By analyzing the blame information on this pull request, we identified @aszlig, @edolstra and @lethalman to be potential reviewers

[groxxda]

is this still relevant or can we remove it while at it?

[abbradar]

I'm not sure about this -- anyone?

[domenkozar]

We should also set SSL_CERT_FILE in installer tests.

[abbradar]

@domenkozar I think there's no need to with this patch (the test uses nixos-install which now always uses cacert from Nix store).

[edolstra]

I just did a 16.03 installation which succeeded fine without this, so I don't understand why this is necessary. What error message do you get exactly?

[abbradar]

Interesting. FWIW I was trying to install unstable release. I'll reproduce with screenshots when I get to the machine again.

Nikolay.

[abbradar]

Gettting this: https://i.imgur.com/qZmyU0z.png
With nixos-minimal-16.09pre83796.d541e0d-x86_64-linux.iso
When I export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt it works fine -- this could be a fix but this patch just uses cacert from nixpkgs always instead.

[boobiesinc]

Also see #14874 (comment)

[abbradar]

So... should we merge this? Given that this fixes an installation problem for several people, I'll do it in several days if there are no objections.

[domenkozar]

Backport to 16.03?

[abbradar]

Hm, I'm not sure this problem exists in 16.03. If the patch applies it probably is though -- I'll do it.

[domenkozar]

You might be right, I was mislead by @edolstra comment it says it works there.

[abbradar]

Well, this change seems harmless even if there's no problem with 16.03 so let's just backport -- fcd0923