Ah you’re using nix on Ubuntu, got it. nix will use its own version of SSL/curl/etc.
Even the native curl refuses to connect to let’s encrypt hosts, probably because it brings its own ssl and it has some hidden certificate folders that I was not able to find.
Have you tried passing the --insecure option with curl? That’ll disable the SSL check.
I read about this option but have no idea how to pass it to nix.