Add Nix's pkgs.cacert path to CA certificates #49

Open

autrilla wants to merge 1 commit into rustls:main from autrilla:patch-1
Conversation

@autrilla autrilla commented Mar 30, 2026

Fixes #48

This is probably not just used by Nix's cacerts package, but also other distros. My LLM of choice tells me OpenWRT also uses this path.

Comment thread src/lib.rs
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC (a media center Linux distro)
"/etc/ssl/cert.pem", // Alpine Linux
"/etc/ssl/certs/ca-bundle.crt", // Nix's pkgs.cacert
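Review bot: the comment on the new entry attributes /etc/ssl/certs/ca-bundle.crt to Nix's pkgs.cacert only, while the PR description says OpenWRT also uses this path; record both where the path lives (e.g. `// Nix's pkgs.cacert, OpenWRT`) so a later cleanup does not drop it as Nix-specific. Since the inline review comment notes that /etc/ssl/certs is already in CERTIFICATE_DIRS on Linux, the commit should also state why the directory scan does not already pick this file up, otherwise the new entry looks redundant.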
@djc
Member

We do have /etc/ssl/certs in CERTIFICATE_DIRS on Linux. rustls-native-certs loads PEM certs from any files found in any of these directories. Is there a reason why native-tls does not do that?
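As an added illustration (not the crate's own code) of the two discovery strategies being compared here: an explicit list of bundle files versus scanning the directories in CERTIFICATE_DIRS for PEM files, which is what makes a ca-bundle.crt under /etc/ssl/certs discoverable without a dedicated entry. The path lists, the `root` prefix, the `demo` helper and the placeholder certificate text are assumptions for the example.

```rust
// Added example, not the crate's own code: the path lists, the `root` prefix
// (so the probe can run against a constructed tree) and helper names are assumptions.
use std::fs;
use std::path::{Path, PathBuf};
/// Explicit bundle files, in the style of the list in the diff above.
pub const CERT_FILES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu, NixOS
    "/etc/ssl/ca-bundle.pem",             // OpenSUSE
    "/etc/ssl/cert.pem",                  // Alpine Linux
];
/// Directories scanned for PEM files when none of the listed files exists.
pub const CERT_DIRS: &[&str] = &["/etc/ssl/certs", "/etc/pki/tls/certs"];
/// True if `path` is a readable file holding at least one PEM certificate.
pub fn looks_like_pem_bundle(path: &Path) -> bool {
    fs::read_to_string(path)
        .map(|s| s.contains("-----BEGIN CERTIFICATE-----"))
        .unwrap_or(false)
}
/// Probe order: caller override (e.g. the value of SSL_CERT_FILE), then `files`,
/// then the first PEM file found in `dirs`; every path is joined under `root`.
pub fn find_bundle(override_file: Option<&Path>, root: &Path, files: &[&str], dirs: &[&str]) -> Option<PathBuf> {
    if let Some(p) = override_file.filter(|p| looks_like_pem_bundle(p)) {
        return Some(p.to_path_buf());
    }
    for f in files {
        let p = root.join(f.trim_start_matches('/'));
        if looks_like_pem_bundle(&p) { return Some(p); }
    }
    // Directory scan: finds /etc/ssl/certs/ca-bundle.crt without a list entry.
    for d in dirs {
        let dir = root.join(d.trim_start_matches('/'));
        let Ok(entries) = fs::read_dir(&dir) else { continue };
        let mut pems: Vec<PathBuf> = entries.flatten().map(|e| e.path()).filter(|p| looks_like_pem_bundle(p)).collect();
        pems.sort(); // deterministic choice when several files match
        if let Some(p) = pems.into_iter().next() { return Some(p); }
    }
    None
}
/// Builds a constructed tree under `root` holding only a Nix-style ca-bundle.crt and
/// returns (result with the file list alone, result with file list plus directory scan).
pub fn demo(root: &Path) -> (Option<PathBuf>, Option<PathBuf>) {
    let certs = root.join("etc/ssl/certs");
    fs::create_dir_all(&certs).expect("create constructed tree");
    // Constructed placeholder body, not a real certificate.
    fs::write(certs.join("ca-bundle.crt"), "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").expect("write bundle");
    (find_bundle(None, root, CERT_FILES, &[]), find_bundle(None, root, CERT_FILES, CERT_DIRS))
}
```

The first result of `demo` reproduces the reported regression (file list alone misses the bundle); the second shows the directory scan recovering it.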

@ctz
Member

ctz commented Mar 30, 2026

I guess, reading between the lines, that Go also does not work in your environment?

Please also review/explain these commits:

@autrilla
Author

Thank you both for the comments.

To be clear, this is a real regression, not a hypothetical one: I bisected it first to the version bump from 0.1.6 to 0.2.1, and then to a0ae1a2.

I do have workarounds here, like setting SSL_CERT_FILE, and I may migrate to rustls anyway. Still, this change broke my environment, and I suspect it may have affected other nixpkgs-based environments as well (e.g. see https://github.com/hasura/graphql-engine/blob/e17369d5a80fc483d98e09ac9371b121a0402bd7/v3/flake.nix#L55-L59, https://github.com/Cosmian/kms/blob/bb944861ff74ed1c2041f9613e0c18c6b98f836c/shell.nix#L293-L298). Given that the file list contains entries for distributions that I assumed to be more niche than nixpkgs, this PR seemed reasonable to me.

The nixpkgs commits seem to be NixOS standardizing on /etc/ssl/certs/ca-certificates.crt, but that does not solve the pkgs.cacert case in generic nixpkgs environments. The current cacert package still installs ca-bundle.crt under /etc/ssl/certs/: https://github.com/NixOS/nixpkgs/blob/fd3a7ffc50c6eb681ce2707a03099009a64d377e/pkgs/by-name/ca/cacert/package.nix#L89

I don't run Go in this environment, so I can't say from direct experience whether Go is affected. My guess is that yes, it's also broken.

If you don't want to accept this change, that's fine; I just wanted to prevent more people from being broken and having to go through the same investigation I did.

@djc
Member

djc commented Mar 30, 2026

If you don't want to accept this change, that's fine; I just wanted to prevent more people from being broken and having to go through the same investigation I did.

Curious about your answer to my earlier question in an inline comment:

We do have /etc/ssl/certs in CERTIFICATE_DIRS on Linux. rustls-native-certs loads PEM certs from any files found in any of these directories. Is there a reason why native-tls does not do that?

@djc
Member

djc commented Mar 30, 2026

If you don't want to accept this change, that's fine; I just wanted to prevent more people from being broken and having to go through the same investigation I did.

Of course we would also like to prevent more people from being broken, but it's also good to make sure we don't just add a bunch of paths because people randomly ask us to -- we think the software stack will be better off if things get fixed at the right level.

@ctz
Member

ctz commented Mar 30, 2026

I don't run Go in this environment, so I can't say from direct experience whether Go is affected. My guess is that yes, it's also broken.

So my confusion here is why pkgs.cacert's current behaviour, which doesn't work with Go, and also has caused a bunch of other issues: NixOS/nixpkgs#94666 NixOS/nixpkgs#394380 NixOS/nixpkgs#395206 -- is actually the right one and is worth supporting in other software. Rather than, for example, simply having pkgs.cacert do something which does work?

I also found NixOS/nixpkgs#8247 and specifically NixOS/nixpkgs#8247 (comment) which doesn't seem to match reality.

(Not a nix user, so appreciate your patience in explaining basic concepts to me!)

Development

Successfully merging this pull request may close these issues: /etc/ssl/certs/ca-bundle.crt no longer discovered on Linux