List of URLs to exempt from corporate SSL inspection #322

@rsniezek

Description

Does anyone have a reliable / reasonably complete list of domains that should be exempted from SSL inspection by corporate proxies (e.g. Zscaler) for Nix (determinate Nix / nixpkgs) to work reliably?

In my environment, HTTPS traffic is MITM’d by a corporate SSL inspection solution. Nix’s fetchers (curl / OpenSSL) do not trust the enterprise root CA by default, which causes builds to fail with errors like:

SSL peer certificate or SSH remote key was not OK (60)
SSL certificate problem: unable to get local issuer certificate

The only workable solution I’ve found so far is to ask IT to exempt specific domains from SSL inspection. They already exempted cache.nixos.org, which now works, but I missed at least api.github.com, so builds are still failing.

I’d really like to avoid the back-and-forth of discovering missing domains one by one.
Is there a known list of URLs / domains that should be exempted so Nix works reliably on a typical Linux system (Ubuntu in my case)?

Any pointers, documentation, or real-world lists would be greatly appreciated. Thanks!

Here is the RC of the issue:

[nix-shell:~]$ openssl version
OpenSSL 3.6.0 1 Oct 2025 (Library: OpenSSL 3.6.0 1 Oct 2025)
 
[nix-shell:~]$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt   /etc/ssl/certs/ZscalerRoot0.pem
C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
error 18 at 0 depth lookup: self-signed certificate
error /etc/ssl/certs/ZscalerRoot0.pem: verification failed
 
[nix-shell:~]$ openssl verify   -trusted /etc/ssl/certs/ca-certificates.crt   /etc/ssl/certs/ZscalerRoot0.pem
/etc/ssl/certs/ZscalerRoot0.pem: OK

while the system's openssl

❯ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
 
❯ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt   /etc/ssl/certs/ZscalerRoot0.pem
/etc/ssl/certs/ZscalerRoot0.pem: OK
 
❯ openssl verify -trusted /etc/ssl/certs/ca-certificates.crt   /etc/ssl/certs/ZscalerRoot0.pem
/etc/ssl/certs/ZscalerRoot0.pem: OK

Or is there maybe a way to configure Nix's openssl to behave like the system one?
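One way to find out which CA bundle is missing the corporate root before opening another ticket with IT, as an added example that is not part of the issue or of Nix itself: it compares the SHA-256 fingerprint of the root certificate against every certificate in each bundle that curl/OpenSSL under Nix may read. NIX_SSL_CERT_FILE and SSL_CERT_FILE are the environment variables Nix and OpenSSL honour; the PEM "certificates" in the demo are constructed placeholders, not real certificates.

```python
"""Report which CA bundle lacks a given root CA, by SHA-256 fingerprint.
Stdlib only. Fingerprint = SHA-256 over the DER bytes of each PEM block."""
import base64
import hashlib
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> set[str]:
    """SHA-256 hex fingerprints of every certificate in a PEM bundle."""
    fps = set()
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(root_pem: str, bundle_pem: str) -> list[str]:
    """Fingerprints in root_pem that are absent from bundle_pem (empty = OK)."""
    return sorted(pem_fingerprints(root_pem) - pem_fingerprints(bundle_pem))


def candidate_bundles() -> dict[str, str]:
    """Bundles curl/OpenSSL under Nix may consult: the two env vars Nix and
    OpenSSL read, plus the Debian/Ubuntu system bundle (path assumed)."""
    paths = {
        "NIX_SSL_CERT_FILE": os.environ.get("NIX_SSL_CERT_FILE"),
        "SSL_CERT_FILE": os.environ.get("SSL_CERT_FILE"),
        "system": "/etc/ssl/certs/ca-certificates.crt",
    }
    return {k: v for k, v in paths.items() if v and os.path.exists(v)}


def fake_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: PEM framing around arbitrary
    bytes. Real bundles hold DER; the fingerprint logic is the same."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


CORP_ROOT = fake_pem(b"constructed: corporate inspection root CA")
PUBLIC_ROOT = fake_pem(b"constructed: some public root CA")
SYSTEM_BUNDLE = PUBLIC_ROOT + CORP_ROOT  # IT has added the corporate root here
NIX_BUNDLE = PUBLIC_ROOT                 # bundle Nix's curl is pointed at

if __name__ == "__main__":
    root = open("/etc/ssl/certs/ZscalerRoot0.pem").read()  # path from the issue
    for name, path in candidate_bundles().items():
        gap = missing_from_bundle(root, open(path).read())
        print(f"{name} ({path}): {'MISSING corporate root' if gap else 'ok'}")
```

Run under `nix-shell` and again in a normal shell: a bundle that reports "MISSING" is the one the failing fetch is using, and that is the file the root needs to be appended to (or the one NIX_SSL_CERT_FILE should point away from).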
