authorEelco Dolstra <edolstra@gmail.com>2017-06-12T14·44+0200
committerEelco Dolstra <edolstra@gmail.com>2017-06-12T14·44+0200
commit847f19a5f7a558252bbde9b4c70efa5f7fac1f4f (patch)
tree42f5b98f0253065f6a10ae02f9fd9d4264990f8b /src/libstore/globals.cc
parent7f5b750b401e98e9e2a346552aba5bd2e0a9203f (diff)
Provide a builtin default for $NIX_SSL_CERT_FILE
This is mostly to ensure that when Nix is started on macOS via a
launchd service or sshd (for a remote build), it gets a certificate
bundle.
Diffstat (limited to 'src/libstore/globals.cc')
-rw-r--r--src/libstore/globals.cc10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 2aceed2705..935018132d 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -41,7 +41,15 @@ Settings::Settings()
 {
     buildUsersGroup = getuid() == 0 ? "nixbld" : "";
     lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
-    caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
+
+    caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", ""));
+    if (caFile == "") {
+        for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
+            if (pathExists(fn)) {
+                caFile = fn;
+                break;
+            }
+    }
 
     /* Backwards compatibility. */
     auto s = getEnv("NIX_REMOTE_SYSTEMS");
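Review bot: If neither candidate path exists, `caFile` leaves the loop as the empty string, where the old code always yielded a concrete path, and nothing in this hunk shows what consumers of `caFile` do with an empty value. I would state the contract next to the loop, e.g. `/* caFile may stay empty if no bundle is found; users of caFile must then rely on the TLS library's default trust store and never disable peer verification. */`, and consider emitting a warning in that case so certificate failures under launchd or sshd are diagnosable. The search order also decides the trust anchors: the system bundle wins over the one in the default profile, and the second path hard-codes `/nix/var/nix` instead of deriving it from the configured state directory, which deserves a one-line comment as well. An environment variable set to the empty string is presumably treated like an unset one and falls through to the search (the `getEnv` semantics are not visible here). The `Settings::Settings()` body continues beyond the hunk.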