When trying to use the (web client) Guile module, one gets the following error:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs -- guile -c '((@ (web client) http-get) "https://gnu.org")'
Backtrace:
In ice-9/boot-9.scm:
  1752:10  7 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
           6 (apply-smob/0 #)
In ice-9/boot-9.scm:
    724:2  5 (call-with-prompt _ _ #)
In ice-9/eval.scm:
    619:8  4 (_ #(#(#)))
In ice-9/command-line.scm:
   185:19  3 (_ #)
In unknown file:
           2 (eval ((@ (web client) http-get) "https://gnu.org") #)
In web/client.scm:
    576:0  1 (http-get "https://gnu.org" #:body _ # _ #:port _ # # ?)
    286:6  0 (tls-wrap # _ # _)

web/client.scm:286:6: In procedure tls-wrap:
X.509 certificate of 'gnu.org' could not be verified:
  signer-not-found
  invalid
--8<---------------cut here---------------end--------------->8---

It seems that guile-gnutls fails to find the certificates, which is
unexpected.  Adding `curl' into the list of packages works around the problem:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl -- guile -c '((@ (web client) http-get) "https://gnu.org")'
--8<---------------cut here---------------end--------------->8---

We can see the difference boils down to different search paths:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs --search-paths
export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---

and

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl --search-paths
export PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export GUILE_LOAD_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/lib/guile/3.0/site-ccache:/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---

I think guile-gnutls should also declare the SSL_* variables, since it needs
the certificates for the vast majority of things one could want to do with it.

Have a nice day,
Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
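
The difference between the two --search-paths listings in the report can be checked mechanically before a TLS client is run in the environment. The following is an added example, not part of the original report: a shell function that reads such a listing and names the trust-store variables it does not export. SSL_CERT_DIR and SSL_CERT_FILE are taken from the report's second listing; the function names and the shortened /gnu/store/HASH-profile paths in the samples are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original report.
# missing_cert_vars: read `guix shell ... --search-paths` output on stdin and
# print, space-separated, the trust-store variables the profile does NOT
# export. The variable names come from the report's second listing.
missing_cert_vars() {
    # Keep only the variable names from lines of the form: export NAME="..."
    exported=$(sed -n 's/^export \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p')
    missing=""
    for var in SSL_CERT_DIR SSL_CERT_FILE; do
        # -x: whole-line match, so CURL_CA_BUNDLE etc. never count as a hit
        if ! printf '%s\n' "$exported" | grep -qxF "$var"; then
            missing="${missing:+$missing }$var"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed samples: abridged copies of the two listings in the report,
# with the store hash replaced by the placeholder HASH.
sample_without_curl() {
    cat <<'EOF'
export PATH="/gnu/store/HASH-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/HASH-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
EOF
}

sample_with_curl() {
    cat <<'EOF'
export PATH="/gnu/store/HASH-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/HASH-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/HASH-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/HASH-profile/etc/ssl/certs/ca-certificates.crt"
EOF
}

# Report on both samples. Against a real profile, pipe the command from the
# report instead:
#   guix shell -CN guile guile-gnutls nss-certs --search-paths | missing_cert_vars
for sample in sample_without_curl sample_with_curl; do
    m=$("$sample" | missing_cert_vars)
    if [ -n "$m" ]; then
        echo "$sample: not exported: $m"
    else
        echo "$sample: trust-store variables exported"
    fi
done
```

A non-empty result is the condition under which the report's http-get call ended in signer-not-found, so a wrapper script can stop there rather than proceed to the TLS connection.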