Hi Wiktór and Simon, thanks for shedding some light on this strange behavior. After some more exploration, the fundamental issue seems to be that many packages use certificates but only a very small number declare a dependence on nss-certs. In fact, nss-certs has only three direct dependents (icedtea, ldns, and pypy) and 115 additional indirect dependents. That includes r-reqon from Simon's example, which depends on icedtea via r-rjava and openjdk.
A radical fix would be to make openssl dependent on nss-certs. But openssl really depends on the availability of some collection of certificates, not on any specific one. Nor do icedtea, ldns, or pypy. Some packages (e.g. openssl or curl) have a `native-search-paths` declaration that also seems to have the desired effect. The following environment contains SSL_CERT_DIR as well: guix environment --pure --ad-hoc python nss-certs openssl Python actually lists openssl as a dependency, but that is apparently not sufficient to propagate the environment variables. Anyway, this looks like the best workaround for me for now: adding openssl to my environment. It adds no software package to my environment, only environment variables and an executable on $PATH. Thanks again, Konrad
