nix `--ssl-cert-file` flag does not pass cert correctly to git fetchers

## Describe the bug



nix's git submodule fetch appears to _completely ignore_ any and all command flag or env-wide, OR system-wide configuration for cacerts, causing requests to be erroneously rejected due to SSL verification failures, when using an HTTPS proxy.

## Steps To Reproduce



These steps concern NixOS because it's what I'm familiar with, but it should be trivial to adapt them to other systems.

In order to reproduce this problem, you can setup a mitmproxy instance with a self-signed certificate. (There are other ways, though, probably)

```sh
mitmdump --set confdir=.mitmproxy
```

Then send SIGINT. You should see a full set of cert files generated under `./.mitmproxy/`:

```
mitmproxy-ca-cert.cer  mitmproxy-ca-cert.pem  mitmproxy-ca.pem
mitmproxy-ca-cert.p12  mitmproxy-ca.p12       mitmproxy-dhparam.pem
```

Since certificateFiles is eval time, to add it to the system-wide config, we can do:

```nix
security.pki.certificateFiles = [
  ./mitmproxy-ca-cert.pem
];
```

(for flake-based systems, we must of course add the file to the git tracking)

Rebuild system however you do that; `nixos-rebuild switch` or whathaveyou.

Next we run this again:


```sh
mitmdump --set confdir=.mitmproxy
```

And _while it's running_, try to build & fetch using this proxy:

```sh
http_proxy=http://127.0.0.1:8080 https_proxy=http://127.0.0.1:8080 NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt nix build github:SaumonNet/proxmox-nixos#proxmox-ve --ssl-cert-file /etc/ssl/certs/ca-certificates.crt --accept-flake-config false
```

## Expected behavior

I expect to when I pass a `--ssl-cert-file` or set `NIX_SSL_CERT_FILE`, all subprocesses Nix calls for fetching deps should _trust_ what I told it to trust.

## Metadata



```
nix-env (Nix) 2.28.5
```

## Additional context




[Here](https://gist.github.com/crabdancing/1b011d1df3fbd113bfeec151674e9c72) is the full output of the failure mode against the repo on which I first tried this. I've also tried adding my path to `extra-sandbox-paths` in case that'd do something -- it does not make a difference. For convienence, the repo for the target package I was trying to build (pve-qemu) is [here](https://github.com/SaumonNet/proxmox-nixos).

## Checklist



- [x] checked [latest Nix manual] \([source])
- [x] checked [open bug issues and pull requests] for possible duplicates

[latest Nix manual]: https://nix.dev/manual/nix/development/
[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
[open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug

---

Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

nix `--ssl-cert-file` flag does not pass cert correctly to git fetchers #14546

Describe the bug

Steps To Reproduce

Expected behavior

Metadata

Additional context

Checklist

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

nix --ssl-cert-file flag does not pass cert correctly to git fetchers #14546

Description

Describe the bug

Steps To Reproduce

Expected behavior

Metadata

Additional context

Checklist

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

nix `--ssl-cert-file` flag does not pass cert correctly to git fetchers #14546