NixOS: Certificate Verify Failed. Unable to Get Local Issuer Certificate

Why the same error shows up on NixOS

On "plain" NixOS the CA bundle is already on-disk ( /etc/ssl/certs/ca-bundle.crt , from pkgs.cacert) and nixos-rebuild writes two environment variables that most software respects:

If you run a Python that came from nixpkgs (e.g. pkgs.python3 or a withPackages environment) the OpenSSL in that interpreter is patched to look at $NIX_SSL_CERT_FILE, so downloads work out of the box (nix.conf - Nix Reference Manual - nix.dev).

This traceback comes from a binary CPython that uv downloaded into
~/.local/share/uv/python/….
That interpreter was built for a generic Linux distro, so:

• it does not inherit NixOS' env-vars, and
• its OpenSSL looks in the usual FHS paths (/etc/ssl/certs/ca-certificates.crt, etc.) which don't exist inside Nix' read-only store.

Hence: unable to get local issuer certificate.

Fix

{ config, pkgs, ... }:
{  environment.systemPackages = with pkgs; [    cacert          # make sure cacert is installed    uv              # or wrap it as shown above  ];
  # Expose the bundle to everything (user shells, systemd units, uv, etc.)  environment.variables = {    SSL_CERT_FILE     = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";    NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";  };}

In Home-Manager you'd do the same under home.sessionVariables, e.g.:

{  home.sessionVariables.SSL_CERT_FILE =    "/etc/ssl/certs/ca-bundle.crt";   # or the full store path}

This is exactly what many people end up doing when 3rd-party tools need the bundle (Nix CA Certificate Handling, scottwillmoore/cloudflare-workers-with-nix).