Some applications require contacting HTTPS endpoints. In those cases you need to supply the CA certificates.
Most Nix applications won't package in the CA certificates; this is because they can make use of the OS-provided CA certificate store.
The NixOS location for this is at: /etc/ssl/certs.
The OpenSSL library in Nixpkgs is compiled to use that path if there are no environment variables such as SSL_CERT_FILE.
In cases where you must specify the location explicitly, such as when you're packaging a derivation into a Docker container, you want to explicitly state the SSL_CERT_FILE environment variable while also bringing in the cacert package.
The cacert package has a setup hook that brings in SSL_CERT_FILE; however, that's only useful for nix-shell.
In most cases you want to do something like:
wrapProgram $out/bin/program \
--set SSL_CERT_FILE "${cacert}/etc/ssl/certs/ca-bundle.crt"
That's a docker image, so yes you want to set an env variable.
However that should be set as a default variable, so it allows the user to override it with their own certs later.
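Putting the two points above together (wrap the program with the cacert bundle, but only as a default so the image user can swap in their own trust store), here is an added example that is not from this thread or from Nixpkgs documentation. It assumes a current Nixpkgs with dockerTools.buildImage's copyToRoot and makeWrapper's --set-default; the program (curl here) and image name are placeholders for your own derivation.

```nix
# Added example, not from the original thread. Builds a Docker image whose
# program finds the CA bundle through SSL_CERT_FILE, set only as a default so
# it can be overridden at run time (docker run -e SSL_CERT_FILE=/my/certs.pem).
{ pkgs ? import <nixpkgs> { } }:

let
  # Placeholder: the program you actually want to ship.
  myProgram = pkgs.curl;

  # Path of the CA bundle that the cacert package provides.
  caBundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

  # wrapProgram (used in the post above) is a thin layer over makeWrapper;
  # here makeWrapper is called directly so curl itself is not rebuilt.
  # --set-default, unlike --set, leaves an existing SSL_CERT_FILE untouched.
  wrapped = pkgs.runCommand "my-program-wrapped"
    { nativeBuildInputs = [ pkgs.makeWrapper ]; }
    ''
      mkdir -p $out/bin
      makeWrapper ${myProgram}/bin/curl $out/bin/curl \
        --set-default SSL_CERT_FILE "${caBundle}"
    '';
in
pkgs.dockerTools.buildImage {
  name = "my-program";   # placeholder image name
  tag = "latest";

  # Link the wrapped program and the cacert package into the image root, so
  # /etc/ssl/certs/ca-bundle.crt exists at the path OpenSSL is compiled for.
  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ wrapped pkgs.cacert ];
    pathsToLink = [ "/bin" "/etc" ];
  };

  config = {
    Cmd = [ "/bin/curl" "--version" ];
    # Image-level default as well; a -e flag or a mounted bundle overrides it.
    Env = [ "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" ];
  };
}
```

Build with `nix-build image.nix` and load the result with `docker load < result`. Because both the wrapper and the image config only set a default, an operator who needs a private CA can mount their own bundle and point SSL_CERT_FILE at it without rebuilding the image.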