SSL certificate problem with channels.nixos.org

When I do any nixos-rebuild command I get:

warning: error: unable to download 'https://channels.nixos.org/nixos-25.05': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate; retrying in 261 ms
warning: error: unable to download 'https://channels.nixos.org/nixos-25.05': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate; retrying in 516 ms
warning: error: unable to download 'https://channels.nixos.org/nixos-25.05': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate; retrying in 1121 ms
warning: error: unable to download 'https://channels.nixos.org/nixos-25.05': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate; retrying in 2421 ms
warning: error: unable to download 'https://channels.nixos.org/nixos-25.05': SSL peer certificate or SSH remote key was not OK (60) SSL certificate problem: unable to get local issuer certificate; using cached version
unpacking 1 channels...

Firefox also gives me a warning when I try to go to channels.nixos.org and curl says the same thing.

I thought it might just be a simple wait-and-see issue, but it's been going on for at least two weeks now and I really have no idea what is going on. I can visit other https sites just fine, so I'm stuck.

Just another user. I don’t see that behavior on my NixOS machine or other devices. Sounds like a certificate problem that is most likely to be local to your machine. Have you tried accessing channels.nixos.org on a different device you own (like a phone if nothing else), and see if you are getting the same issue?

If you try to boot into an older generation, do you see the same errors with nixos-rebuild?

That is very weird, to the point that it sounds like your connection is being MITM’d. Do you get the same certificate if you try this:

openssl s_client -showcerts -connect channels.nixos.org:443 | openssl x509 -fingerprint -noout -in /dev/stdin
Connecting to 151.101.66.217
depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
verify return:1
depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q3
verify return:1
depth=0 CN=channels.nixos.org
verify return:1
SHA1 Fingerprint=1A:E3:77:8A:EE:40:4E:FD:4F:DF:BD:FA:50:4E:DF:7D:AC:9D:40:FB

And does the hostname resolve to the same IP?

Firefox will also list the fingerprint in its “show certificate” menu, which you can get by clicking the lock to the left of the URL.

That command gets stuck:
[nix-shell:~]$ openssl s_client -showcerts -connect channels.nixos.org:443 | openssl x509 -fingerprint -noout -in /dev/stdin
depth=0 CN = channels.nixos.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = channels.nixos.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = channels.nixos.org
verify return:1
SHA1 Fingerprint=99:76:C3:DE:58:26:DA:0D:71:6C:AA:14:32:00:64:E2:5F:FF:6D:72

I tried on other devices and I believe I found the issue, thanks.

My home wifi network provider blocks the site. When I try to go to channels.nixos.org on my mobile devices I get a warning from the network provider but if I use my phone’s internet (which is from a different network) it works fine.
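The two openssl traces above (the responder's clean chain and the OP's leaf-only chain with a different fingerprint) are exactly the evidence that separates "my trust store is broken" from "something on the path is serving a different certificate". The script below is an added example, not code from anyone in this thread: it parses the verify trace that `openssl s_client` prints, compares the leaf fingerprint with a reference, and names which of the two situations it sees. It also has a stdlib-only live probe that fetches whatever leaf the network serves and reports whether a normal verifying context accepts it. The reference SHA1 value is the one pasted in the thread and is assumed to rotate when the certificate is renewed; the sample traces are constructed from the thread's output.

```python
"""Classify an `openssl s_client` verify trace against a reference fingerprint.

Added example for this thread (not the participants' code). Assumptions:
REFERENCE_SHA1 is the value the responder pasted and will change at renewal;
the live probe uses only the Python standard library.
"""
import hashlib
import re
import socket
import ssl

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
FP_RE = re.compile(r"^SHA1 Fingerprint=([0-9A-Fa-f:]+)$")

# Reference fingerprint as pasted in the thread (assumption: refresh it from a
# network you trust whenever the certificate is renewed).
REFERENCE_SHA1 = "1A:E3:77:8A:EE:40:4E:FD:4F:DF:BD:FA:50:4E:DF:7D:AC:9D:40:FB"

# Constructed sample inputs: the two traces quoted in the thread.
HEALTHY_TRACE = """\
Connecting to 151.101.66.217
depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
verify return:1
depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q3
verify return:1
depth=0 CN=channels.nixos.org
verify return:1
SHA1 Fingerprint=1A:E3:77:8A:EE:40:4E:FD:4F:DF:BD:FA:50:4E:DF:7D:AC:9D:40:FB
"""

BLOCKED_TRACE = """\
depth=0 CN = channels.nixos.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = channels.nixos.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = channels.nixos.org
verify return:1
SHA1 Fingerprint=99:76:C3:DE:58:26:DA:0D:71:6C:AA:14:32:00:64:E2:5F:FF:6D:72
"""


def normalize_fp(fp):
    """Uppercase, colon-separated hex so output from different tools compares."""
    return ":".join(re.findall(r"[0-9A-Fa-f]{2}", fp)).upper()


def parse_trace(text):
    """Pull chain subjects, X509 verify errors and the leaf SHA1 out of the trace."""
    chain = {}      # depth -> subject as printed
    errors = []     # (verify error number, message)
    fingerprint = None
    for line in text.splitlines():
        line = line.strip()
        if (m := DEPTH_RE.match(line)):
            chain[int(m.group(1))] = m.group(2)
        elif (m := VERIFY_ERR_RE.match(line)):
            errors.append((int(m.group(1)), m.group(2)))
        elif (m := FP_RE.match(line)):
            fingerprint = normalize_fp(m.group(1))
    return {"chain": chain, "errors": errors, "fingerprint": fingerprint}


def diagnose(text, reference_sha1=REFERENCE_SHA1):
    """Combine 'does the chain verify' with 'is this the expected leaf'."""
    parsed = parse_trace(text)
    chain_ok = not parsed["errors"]
    fp_match = parsed["fingerprint"] == normalize_fp(reference_sha1)
    if chain_ok and fp_match:
        verdict, why = "ok", "chain verifies and the leaf matches the reference"
    elif fp_match:
        verdict, why = "local-trust-store", "expected leaf served, but the local trust store cannot build the chain"
    elif chain_ok:
        verdict, why = "reference-stale", "chain verifies but the leaf differs; the reference may be outdated"
    else:
        verdict, why = "interception-likely", "different leaf and no usable issuer; something on the path answers for the host"
    parsed.update(verdict=verdict, reason=why)
    return parsed


def live_leaf_sha1(host, port=443, timeout=10):
    """Fetch the leaf the network actually serves (verification off on purpose,
    so the probe also works through a bogus chain), then report whether a
    default verifying context accepts the same host."""
    probe = ssl.create_default_context()
    probe.check_hostname = False
    probe.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with probe.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    sha1 = normalize_fp(hashlib.sha1(der).hexdigest())
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                verified = True
    except ssl.SSLCertVerificationError:
        verified = False
    return sha1, verified


if __name__ == "__main__":
    for name, trace in (("responder", HEALTHY_TRACE), ("OP", BLOCKED_TRACE)):
        r = diagnose(trace)
        print(f"{name}: {r['verdict']} ({r['reason']})")
```

Run it as-is to see the two thread traces classified; call `live_leaf_sha1("channels.nixos.org")` from the network you are debugging and compare the returned fingerprint against one obtained from a connection you trust (the OP's phone on mobile data is the thread's version of that). A fingerprint that matches but fails verification points at the machine's trust store; a fingerprint that differs and fails verification points at the network.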

Hence the wrong fingerprint from the openssl that’s done its job and is waiting for more input and might therefore seem “stuck” :wink:

Most likely this is a MITM attack (from your provider, for semi-legitimate reasons) abusing DNS being unencrypted. You can try using e.g. Quad9's DoH resolver (https://quad9.net/, endpoint https://dns.quad9.net/dns-query) as your DNS server instead of what your wifi gives you via DHCP.

The wiki apparently has instructions for this.
