nss: fails to install provided programs, but no error msg on build/nix-shell -p #373725

Closed
3 tasks done
Illusion65 opened this issue Jan 14, 2025 · 11 comments
Labels
0.kind: bug Something is broken

@Illusion65

Nixpkgs version

  • Stable (24.11)

Describe the bug

I'm running Caddy and need to provide certutil for self-signed certificates, but when I add either nss or nss_latest to my packages, the build completes with no errors, but the programs provided by nss are not available. I also tried with nix-shell -p nss - completes with no error, but certutil isn't available.

Steps to reproduce

The simplest way to reproduce:

$ nix-shell -p nss
this path will be fetched (0.23 MiB download, 1.36 MiB unpacked):
  /nix/store/ylal7jslp1rjmavpp2szyd6xq4akc1zy-nss-3.101.2-dev
copying path '/nix/store/ylal7jslp1rjmavpp2szyd6xq4akc1zy-nss-3.101.2-dev' from 'https://cache.nixos.org'...

[nix-shell:~]$ command -v certutil

[nix-shell:~]$ certutil
The program 'certutil' is not in your PATH. It is provided by several packages.
You can make it available in an ephemeral shell by typing one of the following:
  nix-shell -p nss
  nix-shell -p nss_latest

I ran nix-shell -v ... but it produced much more output than I could reasonably analyze (I can provide that, if needed). I have a couple other servers (running 23.11 & 24.05), all produce the same results.

Expected behaviour

I expected to have the programs provided by the package.

System metadata

$ nix-shell -p nix-info --run "nix-info -m"

  • system: "x86_64-linux"
  • host os: Linux 6.6.52, NixOS, 24.11 (Vicuna), 24.11.712148.edf04b75c13c
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.22.1
  • channels(root): "nixos-24.11"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Notify maintainers

@mweinelt @ajs124

I assert that this issue is relevant for Nixpkgs

Illusion65 added the "0.kind: bug" (Something is broken) label Jan 14, 2025

@mweinelt
Member

You want nss.tools instead.

@Illusion65
Author

Thanks for the quick response! I searched the package index and found nssTools also. Both nssTools and nss.tools install, and then link certutil in /run/current-system/sw/bin/, but Caddy still does not find it. I'm not sure what Caddy's $PATH is, but I expect it should have that in its path. I don't see any related caddy options in the "Appendix A" configuration options.

Now that my system has certutil, should this caddy problem be a separate bug report, or is this an easy fix?

Thanks again!
Doug

@mweinelt
Member

Is this a caddy problem? Does caddy actually expect certutil in PATH? Or is this your configuration calling certutil?

@Illusion65
Author

I believe it's a caddy problem, but I might be able to reconfig. I've had caddy running on NixOS for a few months with no problem, but just added a new service that is only served over my private VPNs (private IP addresses only). In order to serve those over https, caddy needs to generate self-signed certificates - using certutil. The caddy warning I get with this new config is (even when nss.tools is installed):

warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"

I get another caddy-related issue: failed to install root certificate, which I'll track down myself - it looks like others have seen that before in the caddy forums.

@mweinelt
Member

cc @techknowlogick @stepbrobd

@stepbrobd
Member

IMO you don't need the nss stuff and certutil

see if skip-install-trust helps

relevant: caddyserver/caddy#6729 (comment)

@Illusion65
Author

Yes, thank you. That makes more sense. I've been able to get my service served by caddy to a remote host on that VPN when requesting via curl; and also checked the SSL Cert to verify that it is serving a self-signed cert. So it appears that all is working on the server end - though not loading on my browser.

I still have nss.tools loaded. I'll try again removing them...

@mweinelt - is the documentation for nss and nss_latest wrong/obsolete? Those are the packages identified by package search as providing certutil (and other programs), while there's no listing for nss.tools, and nssTools (which is listed) apparently provides no programs, but actually does provide certutil.

If they should be updated, I can work on a documentation PR to fix them. In any case, thanks for your help!

Regards,
Doug

@stepbrobd
Member

They represent the same thing:

nix-repl> nss
«derivation /nix/store/7xanh3xdgiq4339k6gvkv7h1bzw7scqh-nss-3.101.2.drv»

nix-repl> nss.tools
«derivation /nix/store/7xanh3xdgiq4339k6gvkv7h1bzw7scqh-nss-3.101.2.drv»

nix-repl> nssTools
«derivation /nix/store/7xanh3xdgiq4339k6gvkv7h1bzw7scqh-nss-3.101.2.drv»

nix-repl> :b nss

This derivation produced the following outputs:
  dev -> /nix/store/sf1ymasnhp377g0kkb9imj9gn7y80bzv-nss-3.101.2-dev
  man -> /nix/store/hkzib2n3l9zpywqm51na1gp6cicvpih6-nss-3.101.2-man
  out -> /nix/store/00iwr69ba0hrxsg4xqghp87h7kphf5ya-nss-3.101.2
  tools -> /nix/store/khswnjidy2cm50rlxnyx1xxzql8818sn-nss-3.101.2-tools

certutil and other programs are in the tools drv output:

$ ls -la /nix/store/khswnjidy2cm50rlxnyx1xxzql8818sn-nss-3.101.2-tools/bin | grep certutil
.r-xr-xr-x root nixbld 173 KB Wed Dec 31 19:00:01 1969 certutil
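
Added example, not part of the thread and not Nixpkgs' own code: a NixOS configuration fragment that names the `tools` output explicitly and shows two ways to deal with Caddy's certutil lookup. That the Caddy unit's PATH is the reason it could not find certutil is an assumption the thread does not confirm; choose either option A or option B.

```nix
# configuration.nix fragment (constructed example; adapt to your own config).
{ pkgs, ... }:
{
  # nss is a multi-output derivation (dev, man, out, tools). certutil and the
  # other programs live only in the `tools` output, so select it by name.
  # `nix-shell -p nss` treats nss as a build input and pulls the `dev` output,
  # which is why the transcript in the issue fetched only nss-3.101.2-dev.
  # For an ad-hoc shell, use: nix-shell -p nss.tools
  environment.systemPackages = [ pkgs.nss.tools ];

  services.caddy.enable = true;

  # Option A (assumption about the cause): NixOS systemd units run with their
  # own minimal PATH and do not see /run/current-system/sw/bin, so a binary in
  # environment.systemPackages is invisible to the service. Add it to the
  # unit's PATH instead.
  systemd.services.caddy.path = [ pkgs.nss.tools ];

  # Option B: tell Caddy not to install its local CA root into trust stores,
  # the step that looks for certutil. skip_install_trust is a Caddy global
  # option; services.caddy.globalConfig places it in the Caddyfile's global
  # options block.
  # Caveat: with this set, nothing on the host trusts the local CA
  # automatically. Clients on the VPN must be given the root certificate
  # explicitly, otherwise they will show certificate warnings.
  services.caddy.globalConfig = ''
    skip_install_trust
  '';
}
```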

@Illusion65
Author

Ah, ok, thanks! That makes sense. I saw in the .nix file that nss_latest and nss were the same thing, but I didn't notice the need for .tools when choosing the package.

@mweinelt
Member

mweinelt commented Jan 14, 2025

> Ah, ok, thanks! That makes sense. I saw in the .nix file that nss_latest and nss were the same thing, but I didn't notice the need for .tools when choosing the package.

nss is the ESR version, while nss_latest is the rapid version for Firefox Rapid.

@Illusion65
Author

I'll close this now. Thanks!
