declare -x NIX_SSL_CERT_FILE="/private/tmp/2412pn9wp2vk7abqp0glq967n4/etc/ssl/certs/ca-certificates.crt"
declare -x SSL_CERT_FILE="/no-cert-file.crt"

if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
  export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
  export SSL_CERT_FILE=/no-cert-file.crt
fi

https://docs.lix.systems/manual/lix/stable/release-notes/rl-2.94.html

Global certificate authorities are copied inside the builder's environment gh#12698 fj#885 cl/3765

❯ nix-build -A default --log-format multiline-with-logs
/nix/store/6qf2pfw2l2zda78gy5fg38nhwa5db2vp-fetched-content
❯ cat $result
^C⏎
❯ cat ./result
{"status":"ok","method":"GET"}

❯ nix-build -A default --log-format multiline-with-logs
/nix/store/6qf2pfw2l2zda78gy5fg38nhwa5db2vp-fetched-content
❯ cat ./result
{"status":"ok","method":"GET"}

{
  pkgs ? import <nixpkgs> { },
}:

let
  test-native = pkgs.rustPlatform.buildRustPackage {
    pname = "test-native";
    version = "0.1.0";

    src = pkgs.lib.fileset.toSource rec {
      root = ./.;
      fileset = pkgs.lib.fileset.unions (
        map (path: root + path) [
          "/Cargo.toml"
          "/Cargo.lock"
          "/src"
        ]
      );
    };

    cargoLock.lockFile = ./Cargo.lock;
  };

  fetchedContent = pkgs.stdenv.mkDerivation {
    name = "fetched-content";

    nativeBuildInputs = [ test-native ];

    outputHashMode = "flat";
    outputHashAlgo = "sha256";
    outputHash = "sha256-OmurRJs0zj+IxOTnQ2Cj4/HBzLQ2Zgs8lqi1S7J02Xo=";

    buildCommand = ''
      unset SSL_CERT_FILE
      test-native > $out
    '';

    env.RUST_BACKTRACE = 1;
  };

in
{
  inherit test-native fetchedContent;

  default = fetchedContent;
}

Yeah, without unset SSL_CERT_FILE it fails even without sandbox:

❯ nix-build -A default --log-format multiline-with-logs --option sandbox false
this derivation will be built:
  /nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv
building '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv'...
fetched-content> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
error: builder for '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv' failed with exit code 1;
       last 1 log lines:
       > Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
       For full logs, run:
               nix-store -l /nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv

I don't understand the purpose of
https://github.com/NixOS/nixpkgs/blob/0157c02bf5c109b712e8373e21b516828ca3bed5/pkgs/stdenv/generic/setup.sh#L997-L1005

# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
# Leave it in impure shells for convenience.
if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
  export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
  export SSL_CERT_FILE=/no-cert-file.crt
fi

We have sandbox to ensure that people use exactly what we provide to them, can these lines just be removed?

This seems to originate from here: https://github.com/NixOS/nixpkgs/commit/788da6894fac5b20d183ce5afbab3bacd7ddeaca

And was there before we actually had NIX_SSL_CERT_FILE