Diffstat (limited to 'scripts')
-rw-r--r--scripts/download-from-binary-cache.pl.in10
-rw-r--r--scripts/install-nix-from-closure.sh18
-rw-r--r--scripts/nix-profile.sh.in4
3 files changed, 20 insertions, 12 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index e272f139cf8c..6285a0503682 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -42,9 +42,16 @@ my $curlIdCount = 1;
 my %requests;
 my %scheduled;
 my $caBundle = $ENV{"SSL_CERT_FILE"} // $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"};
+$caBundle = "/etc/ssl/certs/ca-bundle.crt" if !$caBundle && -f "/etc/ssl/certs/ca-bundle.crt";
+$caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/certs/ca-certificates.crt";
 
 my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name";
 
+sub isTrue {
+    my ($x) = @_;
+    return $x eq "true" || $x eq "1";
+}
+
 my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0";
 
 my $curlConnectTimeout = int(
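Review bot: The two added fallback lines test `!$caBundle`, while the CURLOPT_CAINFO line in addRequest guards on `defined $caBundle`, so the two checks disagree for an empty string. If SSL_CERT_FILE (or one of the other two variables) is set but empty and neither /etc/ssl/certs file exists, `$caBundle` stays `""` and is still passed to curl; how libcurl treats an empty CAINFO is not visible on this page. Normalising once after the fallbacks, `undef $caBundle if defined $caBundle && $caBundle eq "";`, makes both checks agree. `isTrue` would also benefit from a comment such as `# Exact, case-sensitive match: only "true" and "1" count as true.`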
@@ -67,6 +74,7 @@ sub addRequest {
     $curl->setopt(CURLOPT_WRITEDATA, $fh);
     $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
     $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
+    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
     $curl->setopt(CURLOPT_USERAGENT, "Nix/$Nix::Config::version");
     $curl->setopt(CURLOPT_NOBODY, 1) if $head;
     $curl->setopt(CURLOPT_FAILONERROR, 1);
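Review bot: The new CURLOPT_SSL_VERIFYPEER line fails open, because `isTrue` accepts only the exact strings "true" and "1". Any other value of verify-https-binary-caches (for example "True" or "yes", or possibly a value with stray whitespace, depending on how the config is parsed) switches certificate verification off without a message. Disabling only on an explicit negative is safer: `$curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) if ($Nix::Config::config{"verify-https-binary-caches"} // "1") =~ /\A(?:false|0)\z/;`. A one-time `warn` when verification is off would also leave a trace for operators. addRequest starts and ends outside this hunk.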
@@ -218,7 +226,7 @@ sub getAvailableCaches {
     }
 
     my @urls = strToList($Nix::Config::config{"binary-caches"} //
-        ($Nix::Config::storeDir eq "/nix/store" ? "http://cache.nixos.org" : ""));
+        ($Nix::Config::storeDir eq "/nix/store" ? "https://cache.nixos.org" : ""));
 
     my $urlsFiles = $Nix::Config::config{"binary-cache-files"}
         // "$Nix::Config::stateDir/profiles/per-user/$userName/channels/binary-caches/*";
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
index 60ec1ea93219..c9ba9a2a280a 100644
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@@ -5,6 +5,7 @@ set -e
 dest="/nix"
 self="$(dirname "$0")"
 nix="@nix@"
+cacert="@cacert@"
 
 if ! [ -e $self/.reginfo ]; then
     echo "$0: incomplete installer (.reginfo is missing)" >&2
@@ -66,26 +67,25 @@ fi
 
 . $nix/etc/profile.d/nix.sh
 
-if ! $nix/bin/nix-env -i $nix; then
+if ! $nix/bin/nix-env -i "$nix"; then
     echo "$0: unable to install Nix into your default profile" >&2
     exit 1
 fi
 
+# Install an SSL certificate bundle.
+if [ -z "$SSL_CERT_FILE" -o ! -f "$SSL_CERT_FILE" ]; then
+    $nix/bin/nix-env -i "$cacert"
+    export SSL_CERT_FILE="$HOME/.nix-profile/etc/ca-bundle.crt"
+fi
+
 # Subscribe the user to the Nixpkgs channel and fetch it.
 if ! $nix/bin/nix-channel --list | grep -q "^nixpkgs "; then
-    if [ -n "$SSL_CERT_FILE" ]; then
-        $nix/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
-    else
-        $nix/bin/nix-channel --add http://nixos.org/channels/nixpkgs-unstable
-    fi
+    $nix/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
 fi
 if [ -z "$_NIX_INSTALLER_TEST" ]; then
     $nix/bin/nix-channel --update nixpkgs
 fi
 
-# Install an SSL certificate bundle.
-$nix/bin/nix-env -iA nixpkgs.cacert || true
-
 # Make the shell source nix.sh during login.
 p=$NIX_LINK/etc/profile.d/nix.sh
 
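Review bot: The added `$nix/bin/nix-env -i "$cacert"` call has no error handling of its own. The first hunk header of this file shows `set -e`, so a failure here would presumably abort the installer with no message, unlike the `nix-env -i "$nix"` step just above it. Wrapping it the same way keeps the diagnostics consistent: `if ! $nix/bin/nix-env -i "$cacert"; then echo "$0: unable to install a CA certificate bundle" >&2; exit 1; fi`. The exported path is also never checked, so a `[ -f "$SSL_CERT_FILE" ]` test after the export would catch a missing bundle before the https channel fetch fails with a less obvious TLS error. Separately, `-o` inside `[ ]` is obsolescent in POSIX; `[ -z "$SSL_CERT_FILE" ] || [ ! -f "$SSL_CERT_FILE" ]` is the portable form.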
diff --git a/scripts/nix-profile.sh.in b/scripts/nix-profile.sh.in
index 7dd7968c314a..a91b54bd589f 100644
--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@@ -10,9 +10,9 @@ if [ -n "$HOME" ]; then
 
     export PATH=$NIX_LINK/bin:$NIX_LINK/sbin:$PATH
 
-    # Subscribe the root user to the Nixpkgs channel by default.
+    # Subscribe the user to the Nixpkgs channel by default.
     if [ ! -e $HOME/.nix-channels ]; then
-        echo "http://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
+        echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
     fi
 
     # Append ~/.nix-defexpr/channels/nixpkgs to $NIX_PATH so that
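Review bot: Existing users keep their old channel URL, because the https line is written only inside `if [ ! -e $HOME/.nix-channels ]`. Anyone whose file already lists `http://nixos.org/channels/nixpkgs-unstable` is not migrated by this change. If that is intended, a comment above the test would record it, e.g. `# Existing ~/.nix-channels files are left untouched and may still list the http:// URL.` The enclosing `if [ -n "$HOME" ]` block continues outside this hunk.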