diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 714740ee1bfe..e94e4185936b 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -1,4 +1,4 @@
-{stdenv, git}:
+{stdenv, git, cacert}:
 {url, rev ? "HEAD", md5 ? "", sha256 ? "", leaveDotGit ? false }:
 
 /* NOTE:
@@ -35,6 +35,8 @@ stdenv.mkDerivation {
 
   inherit url rev leaveDotGit;
 
+  GIT_SSL_CAINFO = "${cacert}/etc/ca-bundle.crt";
+
   impureEnvVars = [
     # We borrow these environment variables from the caller to allow
     # easy proxy configuration.  This is impure, but a fixed-output
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 374193b131bf..c94da50125d5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -261,7 +261,7 @@ let
   };
 
   fetchgit = import ../build-support/fetchgit {
-    inherit stdenv git;
+    inherit stdenv git cacert;
   };
 
   fetchgitrevision = import ../build-support/fetchgitrevision runCommand git;