NixOS: Certificate Verify Failed. Unable to Get Local Issuer Certificate
Why the same error shows up on NixOS
On "plain" NixOS the CA bundle is already on disk (`/etc/ssl/certs/ca-bundle.crt`, from `pkgs.cacert`) and `nixos-rebuild` writes two environment variables that most software respects:
| Variable | Who sets it | Example value |
|---|---|---|
| `NIX_SSL_CERT_FILE` | `/etc/profile` & systemd units | `/run/current-system/sw/etc/ssl/certs/ca-bundle.crt` |
| `SSL_CERT_FILE` | cacert setup-hook inside nix-shell/devShells | same path |
If you run a Python that came from nixpkgs (e.g. `pkgs.python3` or a `withPackages` environment) the OpenSSL in that interpreter is patched to look at `$NIX_SSL_CERT_FILE`, so downloads work out of the box (nix.conf - Nix Reference Manual - nix.dev).
This traceback comes from a binary CPython that uv downloaded into `~/.local/share/uv/python/…`.
That interpreter was built for a generic Linux distro, so:
- it does not inherit NixOS' env-vars, and
- its OpenSSL looks in the usual FHS paths (`/etc/ssl/certs/ca-certificates.crt`, etc.) which don't exist inside Nix' read-only store.
Hence: unable to get local issuer certificate.
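To confirm this for a particular interpreter, the following added example (not part of the original page) reports which CA file and directory that interpreter's OpenSSL will consult and whether they exist. Run it with the interpreter that produced the traceback; the function name `diagnose_ca_lookup` is hypothetical.

```python
import os
import ssl


def diagnose_ca_lookup(environ=os.environ, defaults=None):
    """Report where this interpreter's OpenSSL looks for CA certificates.

    Returns (usable, findings); usable is True when a CA file or CA
    directory that OpenSSL would consult exists and is non-empty.
    """
    d = defaults or ssl.get_default_verify_paths()
    file_env, dir_env = d.openssl_cafile_env, d.openssl_capath_env

    # When the env var is set OpenSSL uses it instead of the compiled-in
    # path; it does not fall back to the default if the value is wrong.
    cafile = environ.get(file_env, d.openssl_cafile)
    capath = environ.get(dir_env, d.openssl_capath)
    file_src = "$" + file_env if file_env in environ else "compiled-in default"
    dir_src = "$" + dir_env if dir_env in environ else "compiled-in default"

    file_ok = os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    dir_ok = os.path.isdir(capath) and bool(os.listdir(capath))
    findings = [
        f"CA file ({file_src}): {cafile} -> {'ok' if file_ok else 'missing'}",
        f"CA dir  ({dir_src}): {capath} -> {'ok' if dir_ok else 'missing'}",
    ]
    # Per the page, only the nixpkgs-patched OpenSSL reads NIX_SSL_CERT_FILE.
    if "NIX_SSL_CERT_FILE" in environ and file_env not in environ:
        findings.append(
            f"NIX_SSL_CERT_FILE is set but ${file_env} is not: a generic "
            "CPython build ignores it"
        )
    return (file_ok or dir_ok), findings


if __name__ == "__main__":
    usable, findings = diagnose_ca_lookup()
    print("\n".join(findings))
    print("verdict:", "trust store found" if usable else
          "no trust store: expect 'unable to get local issuer certificate'")
```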
Fix
```nix
{ config, pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    cacert # make sure cacert is installed
    uv     # or wrap it as shown above
  ];
  # Expose the bundle to everything (user shells, systemd units, uv, etc.)
  environment.variables = {
    SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
    NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  };
}
```
In Home-Manager you'd do the same under `home.sessionVariables`, e.g.:

```nix
{
  home.sessionVariables.SSL_CERT_FILE =
    "/etc/ssl/certs/ca-bundle.crt"; # or the full store path
}
```
This is exactly what many people end up doing when 3rd-party tools need the bundle (Nix CA Certificate Handling, scottwillmoore/cloudflare-workers-with-nix).