I'm having cert issues connecting to cache.nixos.org... am I missing something?

Since yesterday evening, when doing a nix develop I’m getting this:

warning: error: unable to download 'https://cache.nixos.org/dc2fivkjahwx47zhjs9jx19ybd9wwcdr.narinfo': SSL peer certificate or SSH remote key was not OK (60) SSL: no alternative certificate subject name matches target hostname 'cache.nixos.org'; retrying in 270 ms
warning: error: unable to download 'https://cache.nixos.org/dc2fivkjahwx47zhjs9jx19ybd9wwcdr.narinfo': SSL peer certificate or SSH remote key was not OK (60) SSL: no alternative certificate subject name matches target hostname 'cache.nixos.org'; retrying in 666 ms

If I request info about the certificate for cache.nixos.org I get:

$ openssl s_client -showcerts -connect cache.nixos.org:443
Connecting to 151.101.242.217
CONNECTED(00000003)
depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
verify return:1
depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q3
verify return:1
depth=0 CN=e.sni-729-default.ssl.fastly.net
verify return:1
...

but if I connect from one of my servers I get a different server and a different cert…:

# openssl s_client -showcerts -connect cache.nixos.org:443
Connecting to 2a04:4e42:8e::347
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R13
verify return:1
depth=0 CN=cache.nixos.org
verify return:1

maybe it's just some DNS update issue?

Those are completely different IPs, as you can see, and everything is routed through Fastly's CDN, so you won't necessarily hit the same server.

Though I’m not sure how that factors into your original issue (which I have also encountered daily for the last 2 months).

I had an entry for cache.nixos.org in /etc/hosts and I forgot about it… problem solved!
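The two checks that pin this kind of problem down, as an added example that is not part of the thread: first, whether /etc/hosts overrides the name so the resolver never asks DNS at all (the cause found above), and second, whether the certificate served by the host you actually reach lists the name in its Subject Alternative Names (the "no alternative certificate subject name matches" error in the original post is exactly that mismatch). The /etc/hosts contents, the IP and the SAN lists below are constructed sample data, not what cache.nixos.org or Fastly actually serve; `fetch_san` is the only part that talks to the network and is not exercised by the sample run.

```python
"""Added example (not from the original thread): diagnose a TLS hostname
mismatch caused by a stale /etc/hosts entry.  All hostnames, addresses and
SAN lists in the sample data are constructed for illustration."""
import socket
import ssl
from typing import Optional


def hosts_overrides(hosts_text: str, hostname: str) -> list:
    """Return every address that the given /etc/hosts text maps hostname to.
    glibc consults the hosts file before DNS ('files dns' in nsswitch.conf),
    so any hit here silently wins over whatever the CDN's DNS would answer."""
    target = hostname.lower().rstrip(".")
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        if target in names:
            found.append(addr)
    return found


def san_matches(san_dns_names, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: exact case-insensitive match, or a
    wildcard that is the entire leftmost label and stands for exactly one
    label (so '*.nixos.org' matches 'cache.nixos.org' but not
    'a.cache.nixos.org', and '*.org' is rejected outright)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels) or labels[1:] != host_labels[1:]:
            continue
        if labels[0] == host_labels[0]:
            return True
        if labels[0] == "*" and len(labels) >= 3:
            return True
    return False


def fetch_san(hostname: str, address: Optional[str] = None, port: int = 443) -> list:
    """Connect to `address` (default: whatever the system resolver returns for
    hostname, i.e. /etc/hosts first, then DNS) with SNI set to hostname,
    verify the chain against the system trust store, and return the leaf
    certificate's DNS SANs.  Hostname checking is switched off on purpose so
    a mismatched certificate can be inspected instead of raising; the caller
    is expected to run san_matches() on the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we do the name check ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # but the chain must still validate
    with socket.create_connection((address or hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


# --- constructed sample data -------------------------------------------------
SAMPLE_HOSTS = """\
# constructed /etc/hosts for the example
127.0.0.1   localhost
::1         localhost ip6-localhost
151.101.242.217  cache.nixos.org   # stale pin, forgotten months ago
"""
# Constructed SAN lists: a CDN default certificate that does not carry the
# customer name, and the certificate the name is supposed to be served with.
CDN_DEFAULT_SAN = ["e.sni-729-default.ssl.fastly.net", "*.ssl.fastly.net"]
EXPECTED_SAN = ["cache.nixos.org"]


def diagnose(hostname: str, hosts_text: str, san_dns_names) -> dict:
    """Combine both checks into one verdict for a host."""
    return {
        "hosts_override": hosts_overrides(hosts_text, hostname),
        "san_ok": san_matches(san_dns_names, hostname),
    }


if __name__ == "__main__":
    print(diagnose("cache.nixos.org", SAMPLE_HOSTS, CDN_DEFAULT_SAN))
    print(diagnose("cache.nixos.org", SAMPLE_HOSTS, EXPECTED_SAN))
```

Run against a real box you would read `/etc/hosts` from disk and pass `fetch_san("cache.nixos.org")` into `diagnose`; a non-empty `hosts_override` together with `san_ok == False` is the signature of the situation in this thread, a forgotten pin sending SNI for one name to an address where the CDN answers with a different certificate.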