Cache.nixos.org SSL error on 199.232.53.91

By default my DNS result for cache.nixos.org is this:

 dig cache.nixos.org

; <<>> DiG 9.20.21 <<>> cache.nixos.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2472
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bf6cb62484ab09fa0100000069e65ff737804f1f5adc4c90 (good)
;; QUESTION SECTION:
;cache.nixos.org.               IN      A

;; ANSWER SECTION:
cache.nixos.org.        3250    IN      CNAME   dualstack.n.sni.global.fastly.net.
dualstack.n.sni.global.fastly.net. 25 IN A      199.232.53.91

;; Query time: 1 msec
;; SERVER: 192.168.2.1#53(192.168.2.1) (UDP)
;; WHEN: Mon Apr 20 18:18:47 BST 2026
;; MSG SIZE  rcvd: 135


With cache.nixos.org pointing to 199.232.53.91 without fail, for months, it will eventually cause a rebuild to fail with:

warning: error: unable to download 'https://cache.nixos.org/nar/1xd0sjji986b8c9y8py3ssl4fhymk0bhd6yphlsjdfa58dfyxxwz.nar.xz': HTTP error 200 (curl error: Failure when receiving data from the peer); retrying from offset 160890880 in 295 ms
warning: error: unable to download 'https://cache.nixos.org/nar/0xbnvlrjgrky8mykhw3sldqq92a6ag3cijs2ypamr4sb3033bjc5.nar.xz': HTTP error 200 (curl error: Failure when receiving data from the peer); retrying from offset 57688064 in 351 ms
warning: error: unable to download 'https://cache.nixos.org/nar/0ylvdcdqqk14wlzs4p97mwxgnqa86xhkssrrsnimm3fx1lj6l2rc.nar.xz': HTTP error 200 (curl error: Failure when receiving data from the peer); retrying from offset 45088768 in 333 ms
warning: error: unable to download 'https://cache.nixos.org/nar/1xd0sjji986b8c9y8py3ssl4fhymk0bhd6yphlsjdfa58dfyxxwz.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer); retrying from offset 257110561 in 509 ms
warning: error: unable to download 'https://cache.nixos.org/nar/0xbnvlrjgrky8mykhw3sldqq92a6ag3cijs2ypamr4sb3033bjc5.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer); retrying from offset 112214016 in 558 ms
warning: error: unable to download 'https://cache.nixos.org/nar/04fg4kd1vasgx5mxbzr3c0mwzq95sj56w13lqfhg5jl19l3117hl.nar.xz': HTTP error 200 (curl error: Failure when receiving data from the peer); retrying from offset 46873495 in 337 ms
warning: error: unable to download 'https://cache.nixos.org/nar/1m6sa97nfrlly1faz18189gf71imxhxxxsa0snl9d5vyqfbwb7fl.nar.xz': HTTP error 200 (curl error: Failure when receiving data from the peer); retrying from offset 51723244 in 333 ms
warning: error: unable to download 'https://cache.nixos.org/nar/1xd0sjji986b8c9y8py3ssl4fhymk0bhd6yphlsjdfa58dfyxxwz.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer); retrying from offset 368787456 in 1286 ms
warning: error: unable to download 'https://cache.nixos.org/nar/1m6sa97nfrlly1faz18189gf71imxhxxxsa0snl9d5vyqfbwb7fl.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer); retrying from offset 91159869 in 535 ms
warning: error: unable to download 'https://cache.nixos.org/nar/1xd0sjji986b8c9y8py3ssl4fhymk0bhd6yphlsjdfa58dfyxxwz.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer); retrying from offset 501596160 in 2232 ms
error: unable to download 'https://cache.nixos.org/nar/1xd0sjji986b8c9y8py3ssl4fhymk0bhd6yphlsjdfa58dfyxxwz.nar.xz': HTTP error 206 (curl error: Failure when receiving data from the peer)
error: some substitutes for the outputs of derivation '/nix/store/him8f7ybagfz3r0kfw2lan6rc1v8c0cx-linux-firmware-20260410-zstd.drv' failed (usually happens due to networking issues); try '--fallback' to build derivation from source
error: Cannot build '/nix/store/9l0wi98yn4gxbsv9j907kxv290jyl7kc-firmware.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/47nd34ff1z71ykw0cv62q7gayyab6mhq-firmware
error: Cannot build '/nix/store/ldpb304kms267h8058sczm1jw5hjnz4j-nixos-system-deck16-25.11.20260417.c7f4703.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/pb5ajszac0p1ciwa6j51hdakpsqb0d71-nixos-system-deck16-25.11.20260417.c7f4703
Command 'nix --extra-experimental-features 'nix-command flakes' build --print-out-paths 'path:.#nixosConfigurations."deck16".config.system.build.toplevel' --no-link --option http2 false' returned non-zero exit status 1.

It seems to get rate limited or some kind of other issue, but it does happen if the total download size is over 1gb.

However, this can be 100% worked around by changing my DNS server to 1.1.1.1:

dig  @1.1.1.1 cache.nixos.org

; <<>> DiG 9.20.21 <<>> @1.1.1.1 cache.nixos.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30425
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cache.nixos.org.               IN      A

;; ANSWER SECTION:
cache.nixos.org.        2946    IN      CNAME   dualstack.n.sni.global.fastly.net.
dualstack.n.sni.global.fastly.net. 59 IN A      151.101.1.91
dualstack.n.sni.global.fastly.net. 59 IN A      151.101.65.91
dualstack.n.sni.global.fastly.net. 59 IN A      151.101.193.91
dualstack.n.sni.global.fastly.net. 59 IN A      151.101.129.91

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Apr 20 18:21:26 BST 2026
;; MSG SIZE  rcvd: 155



This gives a different result and the SSL error never happens during a rebuild.

There is an issue with the 199.232.53.91 mirror which causes the SSL error and I suspect bug reports like "SSL peer certificate or SSH remote key was not OK" error on fresh Nix install on macOS and SSL certificate problem with channels.nixos.org.

Checking https://www.whatsmydns.net/#A/cache.nixos.org it seems that you’re using bind views or similar and only a small percentage of the world will see that 199.232.53.91 mirror so most people are unaffected.

Please either fix the 199.232.53.91 mirror so it doesn’t rate limit or whatever it is doing, or point everyone at the 151.101.*.91 mirrors.

How your DNS resolves cache.nixos.org is not under the control of anyone in the community.

The cache is behind a Fastly CDN. So any issues with their POPs are issues with their POPs.

It is a known and recurring issue that some POPs (especially those around Russia, India and China) have problems, and also the US does regularly report very slow downloads on cold caches.

Regardless of who owns the problem, if DNS resolves to 199.232.53.91 there is a consistently reproducible issue affecting NixOS users which does not happen with the other servers.

Does the NixOS community really have zero control over which servers their content is distributed through? Can you not disable specific endpoints? There is a difference between the 199.232.53.91 mirror and the others and it should be fixed.

I have, as a workaround, overridden the DNS on my local network and set up a forwarder for cache.nixos.org to go via 1.1.1.1. This works but is not a good solution and beyond the technical ability of most normal users.

You might have luck contacting Fastly support.

My dns config, in case it helps:

{
  flake.modules.nixos.base = {
    services.resolved = {
      enable = true;
      settings.Resolve = {
        DNSOverTls = "opportunistic";
        DNS = [
          # https://developers.cloudflare.com/1.1.1.1
          "1.1.1.1"
          "1.0.0.1"
          "2606:4700:4700::1111"
          "2606:4700:4700::1001"

          # https://developers.google.com/speed/public-dns/docs/using
          "8.8.8.8"
          "8.8.4.4"
          "2001:4860:4860::8888"
          "2001:4860:4860::8844"
        ];
      };
    };
  };
}

It would be interesting if you could show the SSL error you’re getting, e.g. with openssl s_client, or bump the verbosity level of nix.
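
One way to run the per-address check suggested above, added here as an example that is not part of the thread: it pins cache.nixos.org to each edge IP in turn and maps curl's exit code to a failure class (56 corresponds to the "Failure when receiving data from the peer" text in the nix log, 60 to "SSL peer certificate or SSH remote key was not OK"). The function names and the `--run` switch are assumptions of this example; pass one of the failing NAR URLs as the second argument.

```sh
#!/bin/sh
# Added example (not from the thread): test each Fastly edge IP separately.
# Function names and the --run switch are hypothetical.
HOST=cache.nixos.org

# Print the A-record addresses found in dig answer lines read from stdin.
a_records() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Map a curl(1) exit code to a failure class.
classify_rc() {
    case $1 in
        0)  echo ok ;;
        28) echo timeout ;;
        35) echo tls-handshake-failed ;;
        56) echo receive-failure-mid-transfer ;;
        60) echo certificate-verification-failed ;;
        *)  echo other ;;
    esac
}

# TLS handshake against one IP with the right SNI; fails on a bad chain.
tls_check() {
    openssl s_client -connect "$1:443" -servername "$HOST" \
        -verify_return_error -brief </dev/null 2>&1
}

# Download URL ($2) with $HOST pinned to IP ($1); prints "rc http bytes".
probe_ip() {
    out=$(curl -sS -o /dev/null --http1.1 --max-time 900 \
        --resolve "$HOST:443:$1" \
        -w '%{http_code} %{size_download}' "$2" 2>/dev/null)
    echo "$? $out"
}

# Usage: sh probe.sh --run <nar-url>   (compares local and 1.1.1.1 answers)
if [ "${1:-}" = "--run" ]; then
    url=$2
    { dig +noall +answer "$HOST"; dig +noall +answer @1.1.1.1 "$HOST"; } |
        a_records | sort -u |
    while read -r ip; do
        echo "== $ip"
        tls_check "$ip" | head -n 4
        probe_ip "$ip" "$url" | {
            read -r rc http bytes
            echo "curl=$rc ($(classify_rc "$rc")) http=$http bytes=$bytes"
        }
    done
fi
```

A clean handshake from `tls_check` combined with `curl=56` on the same IP points at the transfer being cut mid-stream rather than at certificate validation.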