
Prompt for git credentials when trying to install package from private repository when credential cache is empty

Open HYBRID-BEING opened this issue 1 year ago • 2 comments

Issue Kind

Other

Description

One of the dependencies in my project comes from a private repository. I have git's credential.helper set to cache, and sometimes credentials in cache expire before I run poetry install (usually with --sync). This causes the following error:

Failed to clone https://***.git, check your git configuration and permissions for this repository.

I understand that this happens due to the fact that Poetry is unable to get credentials from the cache (although, it was a bit confusing at first, as there is nothing wrong with git configuration and permissions), but it would've been nice if I was prompted for credentials when this happens.

Impact

This would make it more obvious for users, why exactly is Poetry unable to install the package in this particular case. It would also save users from having to cache credentials and re-enter the command, by continuing execution after the prompt.

Workarounds

Executing any git command against repository in question caches credentials and allows Poetry to use credentials until they expire.

HYBRID-BEING avatar Aug 15 '24 02:08 HYBRID-BEING

I've also just run into this and was able to figure out that one of my installation runs left a dangling symlink or malformed file at /Library/LaunchDaemons/org.nixos.nix-daemon.plist.

This prevented one of the final steps of the multi-user installer from being run, and it would consistently error out with what you've been describing.

Once I ran my cleanup scripts, deleted that file, and then reran the multi-user installer everything seemed to work.

jkachmar avatar Jan 13 '20 23:01 jkachmar

Also of note is now my user-defined Nix channels aren’t being picked up by default.

I’m assuming that there’s some stale bashrc config somewhere that’s loading up a global list of channels and ignoring them. If I manually add $HOME/.nix-defexpr/channels (I think? I’m going off of memory) to my NIX_PATH and then install everything I had setup with nix-darwin and home-manager then it all seems to work out.

When I load the shell installed and configured by home-manager, all the paths are set appropriately again and my channels are locked up as expected.

jkachmar avatar Jan 13 '20 23:01 jkachmar

I had the same issue and your solution worked for me.

mpfaff avatar Apr 08 '20 17:04 mpfaff

I spoke too soon. I just tried to install nix-darwin and the error came back.

$ nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A installer
error: unable to download 'https://github.com/LnL7/nix-darwin/archive/master.tar.gz': Problem with the SSL CA cert (path? access rights?) (77)

mpfaff avatar Apr 08 '20 17:04 mpfaff

I just had the same issue, and removing the old plist and reinstalling appears to have resolved it.

Seems like there are two problems. One, the installer's uninstall instructions should mention to remove /Library/LaunchDaemons/org.nixos.nix-daemon.plist (not just stop and unload it), and two, the installer should do something reasonable if it sees a non-matching one.

mrdomino avatar Apr 13 '20 17:04 mrdomino

I ran into a very similar issue. I reran the multi-user OSX install script in an effort to upgrade nix from 2.3.3 to 2.3.4. The issue was caused (at least for me) by /etc/ssl/certs/ca-certificates.crt being a dead link. It was previously linked to /etc/static/...... I'm not sure which project added /etc/static, nix-darwin or nix-home (I use both..and love both ;)). Fixing the symlink and running

sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
sudo launchctl kickstart -k system/org.nixos.nix-daemon

fixed the issue for me. I initially got the same errors described in https://github.com/NixOS/nix/issues/2794 as well.

CorbanR avatar Apr 22 '20 21:04 CorbanR

cc @LnL7

domenkozar avatar Apr 23 '20 07:04 domenkozar

... the installer's uninstall instructions should mention to remove /Library/LaunchDaemons/org.nixos.nix-daemon.plist

In my case (nix 2.3.5) there was a /Library/LaunchDaemons/org.nixos.activate-system.plist. I unloaded/removed it and reinstalled; afterwards the error Problem with the SSL CA cert was gone upon re-installation.

wav avatar May 31 '20 09:05 wav

I believe this was fixed in #4023. Perhaps someone here can confirm this?

maljub01 avatar Sep 21 '20 13:09 maljub01

I'm having a different but seemingly related error... After installing Catalina, I reinstalled Nix with multiuser and added the line to the daemon conf that @maljub01 added. Now I'm getting SSL peer certificate or SSH remote key was not OK (60) when I try to hit the cache.

shlevy avatar Oct 21 '20 09:10 shlevy

This also seems to happen without the daemon... And occurs during installation when the channel is initially updated, without any failure message from the installer?

shlevy avatar Oct 21 '20 09:10 shlevy

Never mind, this is a problem with my work computer's environment, using their provided CA bundle fixed it.

shlevy avatar Oct 21 '20 09:10 shlevy

For those still with the issue after trying the above, check to see if this PR helps: https://github.com/NixOS/nix/pull/4171

jdheyburn avatar Oct 26 '20 10:10 jdheyburn

I also had the dead symlink mentioned in https://github.com/NixOS/nix/issues/3261#issuecomment-618045691. This worked for me:

sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

paulyoung avatar Nov 04 '20 01:11 paulyoung

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/anyone-up-for-picking-at-some-nix-onboarding-improvements/13152/6

nixos-discourse avatar Jun 02 '21 16:06 nixos-discourse

I marked this as stale due to inactivity. → More info

stale[bot] avatar Jan 08 '22 23:01 stale[bot]

I didn't come across this problem anymore. There are also apparent fixes and an unchecked solution. Since this issue lacks a clear definition of done, I am taking the freedom as OP to close it now. If someone objects, it can be reopened.

janvogt avatar Feb 03 '22 18:02 janvogt

I also had the dead symlink mentioned in #3261 (comment). This worked for me:

sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

I had to do the opposite 🙃 (MacOS Monterey, Nix 2.11.1, multi-user install (reinstall))

  • After creating/confirming a /etc/ssl/certs/ca-certificates.crt
    and having export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt didn't work/help
  • the launchctl setenv NIX_SSL_CERT_FILE methods didn't work
  • the /nix/var/nix/profiles/default/etc/ssl/certs/ folder didn't even exist

This was my solution

#
# create an up-to-date cert with keychain
#
sudo mkdir -p /etc/ssl/certs/
sudo rm -f /etc/ssl/certs/ca-certificates.crt
sudo security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /etc/ssl/certs/ca-certificates.crt
# force/ensure correct permissions on folders/files
sudo chown root /etc /etc/ssl /etc/ssl/certs/ /etc/ssl/certs/ca-certificates.crt
sudo chmod u=rwx,g=rx,o=rx /etc
sudo chmod u=rwx,g=rx,o=rx /etc/ssl
sudo chmod u=rwx,g=rx,o=rx /etc/ssl/certs/
sudo chmod u=rw,g=r,o=r  /etc/ssl/certs/ca-certificates.crt

#
# link cert into nix
#
target="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" # not sure if different for single-user install
export NIX_SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
sudo mkdir -p "$(dirname "$target")"
# if one exists back it up
[ -f "$target" ] && { [ -f "$target.old" ] || sudo mv "$target" "$target.old" 2>/dev/null; }
# link into nix profile
sudo ln -s "$NIX_SSL_CERT_FILE" "$target"

jeff-hykin avatar Oct 16 '22 17:10 jeff-hykin

Replying here to say I ran into the same issue today and the messages helped me fix it.

I don't feel like the issue should be closed until a good solution is found. Re-installing nix on a machine should not result in cryptic errors like an SSL certificate error.

mrtolkien avatar May 08 '23 02:05 mrtolkien

I ran into a very similar issue. I reran the multi-user OSX install script in an effort to upgrade nix from 2.3.3 to 2.3.4. The issue was caused (at least for me) by /etc/ssl/certs/ca-certificates.crt being a dead link. It was previously linked to /etc/static/...... I'm not sure which project added /etc/static, nix-darwin or nix-home (I use both..and love both ;)). Fixing the symlink and running

sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
sudo launchctl kickstart -k system/org.nixos.nix-daemon

fixed the issue for me. I initially got the same errors described in #2794 as well.

This is still happening. Fixing the symlink was enough to fix the issue for me, though.

gshpychka avatar May 10 '23 12:05 gshpychka

I got this problem as well. I did two fixes, either of which should work. The issue is to set NIX_SSL_CERT_FILE; the launchctl setenv failed on my Ventura 13.4 as macOS blocked it due to SIP (or I made an error).

1. ZSH

I fixed it by changing the shell in the org.nixos.nix-daemon plist to /bin/zsh

Then moved the loading of /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh from /etc/zshrc to /etc/zshenv. This means that zsh will load the environment variables for non-interactive shells.

I suspect this change should be made for other uses of zsh - zshenv is the correct place for environment variables - the only issue is altering the path in macOS as Apple messes it up.

So I think the full zsh solution is to do this move to /etc/zshenv and then also do a correction to the $PATH in /etc/zshrc after Apple's path_helper is run.

2. Just alter the environment variable

I edited the org.nixos.nix-daemon plist adding to the EnvironmentVariables tag already there. End result is

	<key>EnvironmentVariables</key>
	<dict>
		<key>NIX_SSL_CERT_FILE</key>
		<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
		<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
		<string>YES</string>
	</dict>

I think the latter is now the best solution

bestlem avatar May 20 '23 09:05 bestlem

@bestlem thank you. Your second solution is the only thing that worked for me. I've been experimenting with nix for three days now and it's been a wild ride thus far.

caheredia avatar Jun 19 '23 18:06 caheredia

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/ssl-ca-cert-error-on-macos/31171/5

nixos-discourse avatar Aug 02 '23 17:08 nixos-discourse

Same issue today. After following the uninstall instructions on MacOS (I was uninstalling as my system wasn't reflecting anything the documentation says), I couldn't get it to run at the nix-shell -p nix-info --run "nix-info -m" step mentioned by the installer:

...
error: unable to download 'https://cache.nixos.org/nar/1alkkz4r2l711j9wj9br4c3fbvf7mmvj7gn60gpdnbvvzmiqf8xs.nar.xz': Problem with the SSL CA cert (path? access rights?) (77)
copying path '/nix/store/v5ssy4lwf6jmffv1nqikbg8c4qhqym6n-libffi-3.4.6' from 'https://cache.nixos.org'...
copying path '/nix/store/mbs1jjyzy83vw85q8qiqj4r07z6ig4kw-openssl-3.0.13' from 'https://cache.nixos.org'...
error: some substitutes for the outputs of derivation '/nix/store/6y3knnwq4587k9ss025ir77d6ias1anm-bash-5.2p26.drv' failed (usually happens due to networking issues); try '--fallback' to build derivation from source
error: build of '/nix/store/3ys407788hnq08244fjijwix35za2mb7-stdenv-darwin.drv', '/nix/store/6y3knnwq4587k9ss025ir77d6ias1anm-bash-5.2p26.drv', '/nix/store/mqx8z4a2bhm8jq3sxilbrn0nq43ck1fa-bash-interactive-5.2p26.drv', '/nix/store/y8wb73lv7j1ryml818wvz86x9n8xycdw-nix-info.drv' failed
...

Steps above helped:

sudo rm /etc/ssl/certs/ca-certificates.crt
sudo ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

The "problem" now though is that if we uninstall nix (and /nix gets removed), /etc/ssl/certs/ca-certificates.crt is a dead symlink. I need to check where the original file came from. As per the above discussion, it seemed to have linked to /etc/static/.... On my system now /etc/static is a broken symlink too:

$ file /etc/static
/etc/static: broken symbolic link to /nix/store/l6h2gq5xjpc5vb832pqcz4iazcn98n14-etc/etc

I'm not immediately able with my still inexperienced nix knowledge to find the right folder in the store.

=> It seems the uninstall instructions are in need of a review.

cvanlabe avatar May 19 '24 07:05 cvanlabe

I'm not immediately able with my still inexperienced nix knowledge to find the right folder in the store.

Try doing an ls -l on the file to see where the symlink is pointing to. I'd recommend deleting broken symlinks to just clear everything out and then do a fresh install

jeff-hykin avatar May 22 '24 13:05 jeff-hykin

Try doing an ls -l on the file to see where the symlink is pointing to. I'd recommend deleting broken symlinks to just clear everything out and then do a fresh install

Yeah.. figured that out after I had already deleted the broken symlink :-) I couldn't find any <...>-etc/ folder in the nix store. I wiped it all out, and then was able to find the <...>-etc/ directory on the nix store and how it all was symlinked.

The uninstall instructions should contain some verbiage on deleting the files in /etc too. I'll see if I can find some time and make a PR for this in the next couple of days.

cvanlabe avatar May 23 '24 07:05 cvanlabe

This seems to be an issue at least for some users. So it should be reopened.

janvogt avatar Jun 05 '24 16:06 janvogt

Occasionally running this works as well.

$ security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /etc/ssl/certs/ca-certificates.crt
$ security find-certificate -a -p /System/Library/Keychains/System.keychain | sudo tee -a /etc/ssl/certs/ca-certificates.crt
$ sudo chmod uog+r /etc/ssl/certs/ca-certificates.crt

Add something like this to the common error outputs? Or have nix doctor check for this problem and offer it?

tomberek avatar Aug 03 '24 00:08 tomberek
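
The kind of check suggested in the comment above, written out as an added example; it is not part of the thread or of Nix itself. It classifies the CA bundle failure modes reported in this issue (dangling symlink, missing file, unreadable file, file with no PEM certificates). The function names are hypothetical; the paths are the ones quoted in the comments.

```shell
#!/bin/sh
# Added example: diagnose the CA bundle problems described in this thread.
# check_ca_bundle PATH prints one word and returns a matching exit status:
#   ok (0), missing (1), dangling (2), unreadable (3), no-certs (4)
check_ca_bundle() {
    bundle=$1
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        # Symlink whose target is gone, e.g. into a removed /nix or /etc/static
        echo "dangling"; return 2
    fi
    if [ ! -e "$bundle" ]; then
        echo "missing"; return 1
    fi
    if [ ! -r "$bundle" ]; then
        # Permissions keep the calling user (or the daemon) from reading it
        echo "unreadable"; return 3
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        # File exists but holds no PEM-encoded certificate
        echo "no-certs"; return 4
    fi
    echo "ok"; return 0
}

# Report on every bundle location mentioned in the comments, plus whatever
# NIX_SSL_CERT_FILE points at in the current environment (if set).
report_ca_bundles() {
    for p in "${NIX_SSL_CERT_FILE:-}" \
             /etc/ssl/certs/ca-certificates.crt \
             /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt; do
        [ -n "$p" ] || continue
        state=$(check_ca_bundle "$p") || true
        printf '%-10s %s\n' "$state" "$p"
        # Show where a symlink points so a stale store path is visible
        if [ -L "$p" ]; then printf '           -> %s\n' "$(readlink "$p")"; fi
    done
}

report_ca_bundles
```

The report only reads the filesystem, so it can be run before and after any of the fixes above to confirm which state changed. The daemon's own NIX_SSL_CERT_FILE comes from its launchd plist, not from the calling shell, so that path should be checked by passing it to check_ca_bundle directly.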

Had to run the same command as @tomberek, but also bundle the cert with /Library/Keychains/System.keychain. Got info from this post

mnowotnik avatar Aug 22 '24 14:08 mnowotnik

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-darwin-installation-question/54502/3

nixos-discourse avatar Oct 28 '24 21:10 nixos-discourse