Document the known nix-darwin related uninstall issue (#687)

* Document the known nix-darwin related uninstall issue * Fix nits * Update README.md Co-authored-by: Cole Helbling <[email protected]> --------- Co-authored-by: Cole Helbling <[email protected]>
DeterminateSystems · Oct 24, 2023 · ccae8a0 · ccae8a0
1 parent 93cdd9b
commit ccae8a0
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -308,6 +308,41 @@ There are two possible workarounds for this:
 
   </details>
 
+### Using MacOS after removing `nix` while `nix-darwin` was still installed, network requests fail
+
+If `nix` was previously uninstalled without uninstalling `nix-darwin` first, users may experience errors similar to this:
+
+```bash
+$ nix shell nixpkgs#curl
+error: unable to download 'https://cache.nixos.org/g8bqlgmpa4yg601w561qy2n576i6g0vh.narinfo': Problem with the SSL CA cert (path? access rights?) (77)
+```
+
+This occurs because `nix-darwin` provisions an `org.nixos.activate-system` service which remains after Nix is uninstalled.
+The `org.nixos.activate-system` service in this state interacts with the newly installed Nix and changes the SSL certificates it uses to be a broken symlink.
+
+```bash
+$ ls -lah /etc/ssl/certs
+total 0
+drwxr-xr-x  3 root  wheel    96B Oct 17 08:26 .
+drwxr-xr-x  6 root  wheel   192B Sep 16 06:28 ..
+lrwxr-xr-x  1 root  wheel    41B Oct 17 08:26 ca-certificates.crt -> /etc/static/ssl/certs/ca-certificates.crt
+```
+
+The problem is compounded by the matter that the [`nix-darwin` uninstaller](https://github.com/LnL7/nix-darwin#uninstalling) will not work after uninstalling Nix, since it uses Nix and requires network connectivity.
+
+It's possible to resolve this situation by removing the `org.nixos.activate-system` service and the `ca-certificates`:
+
+```bash
+$ sudo rm /Library/LaunchDaemons/org.nixos.activate-system.plist
+$ sudo launchctl bootout system/org.nixos.activate-system
+$ /nix/nix-installer uninstall
+$ sudo rm /etc/ssl/certs/ca-certificates.crt
+```
+
+Then run the `nix-installer` again, and it should work.
+
+Up-to-date versions of the `nix-installer` will refuse to uninstall until `nix-darwin` is uninstalled first, helping mitigate this problem.
+
 ## Building a binary
 
 Since you'll be using `nix-installer` to install Nix on systems without Nix, the default build is a static binary.