SSL_CERT_FILE and connection issues in Nix shells

I keep running into issues with curl, cargo, git and other commands that fetch data over http(s) in Nix shells. It seems that the SSL settings for my system aren’t inherited, so the certs can’t be verified or aren’t found.

I’ve usually gotten around this by setting:

  SSL_CERT_FILE="/etc/ssl/certs/ca-bundle.crt";

in derivations, but this is a bit of a hassle, so I’d rather avoid that where I can.

After switching to Lorri a month or so ago, I stopped seeing this problem, but it suddenly appeared again now. Again, I checked the environment and found that SSL_CERT_FILE was set to /no-cert-file.crt. After changing it to /etc/ssl/certs/ca-certificates.crt, things started working again.

This feels very cumbersome, and it’s not how I expect the system to behave. How do you generally deal with this? Have I configured something wrong or is this how it’s supposed to be?

I think I’ve found the root of the issue here. Or at least why the error suddenly started appearing again, even with Lorri.

I’ve been using direnv for a good while, and have usually put use_nix in the .envrc file. When removing this from the .envrc file, everything started working as expected again. I’m not sure exactly what’s going on, but it seems that direnv unsets the SSL variables when it’s told to use_nix.

If anyone else has any input, I’d value that as well, but at least it seems I’ve found out about it for now.
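
An added example, not part of the original posts: a shell helper that checks whether SSL_CERT_FILE points at a usable PEM bundle (the /no-cert-file.crt value seen above does not) and otherwise falls back to the first usable bundle among the two paths mentioned in the post. The function names and the CA_BUNDLE_CANDIDATES variable are hypothetical, and it is assumed to be sourced from .envrc after use_nix.

```shell
# Added example (not from the original post). Candidate bundle paths are the
# two mentioned in the post; CA_BUNDLE_CANDIDATES is a hypothetical override.
# Paths are space-separated, so paths containing spaces are not supported.
CA_BUNDLE_CANDIDATES="${CA_BUNDLE_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-bundle.crt}"

# Succeeds if $1 is a readable, non-empty file with at least one PEM certificate.
is_usable_bundle() {
    [ -n "$1" ] && [ -r "$1" ] && [ -s "$1" ] &&
        grep -qF -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the bundle to use: the current SSL_CERT_FILE if it is usable,
# otherwise the first usable candidate. Returns 1 if nothing usable exists.
resolve_ca_bundle() {
    if is_usable_bundle "${SSL_CERT_FILE:-}"; then
        printf '%s\n' "$SSL_CERT_FILE"
        return 0
    fi
    for candidate in $CA_BUNDLE_CANDIDATES; do
        if is_usable_bundle "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Exports a usable SSL_CERT_FILE, or leaves the variable untouched and
# reports the problem on stderr so the broken value is visible.
fix_ssl_cert_file() {
    bundle=$(resolve_ca_bundle) || {
        echo "no usable CA bundle; SSL_CERT_FILE is '${SSL_CERT_FILE:-}'" >&2
        return 1
    }
    export SSL_CERT_FILE="$bundle"
}
```

Calling fix_ssl_cert_file keeps certificate verification on and only repairs the path the tools read their trust anchors from.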