Set CURL_CA_BUNDLE and SSL_CERT_FILE in all shell environments

curl does NOT check SSL_CERT_FILE — it only checks CURL_CA_BUNDLE and
its built-in CA bundle path. The nixpkgs-built curl has /no-cert-file.crt
as its built-in path (a sentinel when cacert is absent at build time).

The cacert setup-hook (from PR #232) sets SSL_CERT_FILE but not
CURL_CA_BUNDLE, so curl still fails in containers with:
  curl: (77) error adding trust anchors from file: /no-cert-file.crt

Set both CURL_CA_BUNDLE (for curl) and SSL_CERT_FILE (for OpenSSL-based
tools) directly in mkShell to ensure CA certificates are found regardless
of whether the cacert setup-hook has run.

Author: angerman

cross-js.nix

@@ -48,6 +48,12 @@ let tool-version-map = (import ./tool-map.nix) self;
     quirks = (import ./quirks.nix { inherit pkgs; });
 in
 pkgs.mkShell ({
+    # curl's built-in CA bundle path is /no-cert-file.crt (a sentinel from
+    # nixpkgs when cacert is absent at build time). curl does NOT check
+    # SSL_CERT_FILE — only CURL_CA_BUNDLE and its built-in path. Set both
+    # so curl and OpenSSL-based tools find the CA bundle in containers.
+    CURL_CA_BUNDLE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
     # Note [cabal override]:
     #
     # We need to override the `cabal` command and pass --ghc-options for the

cross-windows.nix

@@ -143,6 +143,12 @@ let tool-version-map = (import ./tool-map.nix) self;
     quirks = (import ./quirks.nix { inherit pkgs; });
 in
 pkgs.pkgsBuildBuild.mkShell ({
+    # curl's built-in CA bundle path is /no-cert-file.crt (a sentinel from
+    # nixpkgs when cacert is absent at build time). curl does NOT check
+    # SSL_CERT_FILE — only CURL_CA_BUNDLE and its built-in path. Set both
+    # so curl and OpenSSL-based tools find the CA bundle in containers.
+    CURL_CA_BUNDLE = "${pkgs.pkgsBuildBuild.cacert}/etc/ssl/certs/ca-bundle.crt";
+    SSL_CERT_FILE = "${pkgs.pkgsBuildBuild.cacert}/etc/ssl/certs/ca-bundle.crt";
     # Note [cabal override]:
     #
     # We need to override the `cabal` command and pass --ghc-options for the

dynamic.nix

@@ -61,6 +61,12 @@ let tool-version-map = (import ./tool-map.nix) self;
     quirks = (import ./quirks.nix { inherit pkgs; });
 in
 pkgs.mkShell {
+    # curl's built-in CA bundle path is /no-cert-file.crt (a sentinel from
+    # nixpkgs when cacert is absent at build time). curl does NOT check
+    # SSL_CERT_FILE — only CURL_CA_BUNDLE and its built-in path. Set both
+    # so curl and OpenSSL-based tools find the CA bundle in containers.
+    CURL_CA_BUNDLE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
     # The `cabal` overrride in this shell-hook doesn't do much yet. But
     # we may need to massage cabal a bit, so we'll leave it in here for
     # consistency with the one in static.nix.

static.nix

@@ -64,6 +64,12 @@ let tool-version-map = (import ./tool-map.nix) self;
     quirks = (import ./quirks.nix { inherit pkgs; static = true; });
 in
 pkgs.mkShell (rec {
+    # curl's built-in CA bundle path is /no-cert-file.crt (a sentinel from
+    # nixpkgs when cacert is absent at build time). curl does NOT check
+    # SSL_CERT_FILE — only CURL_CA_BUNDLE and its built-in path. Set both
+    # so curl and OpenSSL-based tools find the CA bundle in containers.
+    CURL_CA_BUNDLE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
     # Note [cabal override]:
     #
     # We need to override the `cabal` command and pass --ghc-options for the