Enterprises often use tools like Zscaler to bolster their overall security posture. Zscaler is an intercepting TLS proxy that inspects the traffic coming in and going out of the network. Because it intercepts all traffic, clients have to be configured with a custom TLS certificate for the connections to be trusted. This doesn’t always play nicely with other tools, especially tools that require TLS certificates—like Nix.
Zscaler and Nix used to be a big pain
Nix users in enterprise environments have run head-first into this problem countless times:
On Linux, this isn’t a huge issue. Users and admins can add the certificate to their trusted bundle at a standard location like /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt.
On macOS, however, the story is slightly more annoying for Nix because macOS stores the custom certificates in Keychain, a key and secret store used by applications across the macOS ecosystem. If you’re fully steeped in macOS, this is fine and works out of the box. But if you’re using a tool like Nix that’s mostly designed and used by Linux users to build Linux software then… things can get unpleasant.
Users have long had to export their enterprise certificate from Keychain, reconfigure Nix, and manage this over time. When the certificate eventually expires and needs rotating, the user has to figure out how they fixed it the first time and try again.
Uff da… what a headache.
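As an added example (not Determinate's code and not from the original post), here is the manual macOS workaround the paragraph above describes, written as a POSIX shell script: export the certificates in the System Keychain with security(1), merge them with Nix's own CA bundle, count the result as a sanity check, and emit the nix.conf ssl-cert-file line that points Nix at the merged bundle. The base-bundle path and scratch directory are assumed defaults, not values from the post, and the script prints the configuration line instead of editing /etc/nix/nix.conf.

```shell
#!/bin/sh
# Added example, not Determinate's code: the manual macOS workaround described
# in the post (export the enterprise CA from Keychain, hand the bundle to Nix).
# Assumed paths (not from the post): Nix's default-profile CA bundle and a
# scratch directory for the merged bundle.
BASE_BUNDLE="${BASE_BUNDLE:-/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt}"
OUT_DIR="${TMPDIR:-/tmp}"

# Count certificates in a PEM bundle by its BEGIN markers (portable, no openssl).
# Prints 0 when the file is missing or contains no certificates.
count_certs() {
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Export every certificate in the macOS System Keychain as PEM ($1 = output).
# security(1) only exists on macOS, so fail cleanly anywhere else.
export_keychain_certs() {
  command -v security >/dev/null 2>&1 || { echo "security(1) not found" >&2; return 1; }
  security find-certificate -a -p /Library/Keychains/System.keychain > "$1"
}

# Concatenate a base bundle and the Keychain export ($1, $2) into $3 and print
# the certificate count of the result. A count no larger than the base bundle's
# means the export added nothing, usually because the enterprise CA lives in a
# keychain other than the one exported. The extra newline keeps the PEM blocks
# separated even if the base bundle lacks a trailing newline.
build_bundle() {
  { cat "$1"; echo; cat "$2"; } > "$3"
  count_certs "$3"
}

# Print every subject in a bundle so the enterprise CA can be confirmed by name
# (needs openssl and real certificates, so it is not run on constructed input).
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# Render the nix.conf setting that points Nix at the merged bundle.
nix_conf_line() {
  printf 'ssl-cert-file = %s\n' "$1"
}

# Stand-alone run: only performs the export on macOS, and never touches
# /etc/nix/nix.conf; it prints the line to add instead.
if command -v security >/dev/null 2>&1 && [ -r "$BASE_BUNDLE" ]; then
  export_keychain_certs "$OUT_DIR/keychain.pem"
  echo "certificates in merged bundle: $(build_bundle "$BASE_BUNDLE" "$OUT_DIR/keychain.pem" "$OUT_DIR/nix-ca-bundle.pem")"
  echo "add this line to /etc/nix/nix.conf (or export NIX_SSL_CERT_FILE with the same path):"
  nix_conf_line "$OUT_DIR/nix-ca-bundle.pem"
fi
```

Nix reads the bundle path either from ssl-cert-file in nix.conf or from the NIX_SSL_CERT_FILE environment variable. The catch the post is pointing at is in the last step: nothing here re-runs when the enterprise certificate rotates, so the merged bundle silently goes stale until someone repeats the export, which is exactly the maintenance burden the Keychain synchronisation described below removes.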
Determinate means Nix + Zscaler doesn’t have to be a huge pain
Our goal with Determinate is to make Nix a pleasure to use across these platforms and to elegantly solve thorny problems for both users and IT administrators.
So we fixed the Nix/Zscaler certificate issue on macOS. Determinate automatically configures Nix on macOS with an up-to-date certificate bundle from Keychain and synchronizes the bundle with Keychain over time.
How to install Determinate
Install Determinate with the Determinate Nix Installer by passing the --determinate flag:
Alternatively, you can use our signed macOS .pkg for easier distribution.
If Installomator is your thing, we provide a Mobile Device Management (MDM) script that integrates especially well with automated processes.
Determinate is available on all systems that the Determinate Nix Installer supports.
More to come
This is just the beginning of a series of posts about what we’re doing to improve the experience of using Nix in the enterprise. If this is music to your ears, join our Discord at https://determinate.systems/discord and come chat.