diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 61012f2ab..71fd6e6e4 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -2620,17 +2620,12 @@ Strings EvalSettings::getDefaultNixPath()
 {
 Strings res;
 auto add = [&](const Path & p, const std::string & s = std::string()) {
- try {
- if (pathExists(p)) {
- if (s.empty()) {
- res.push_back(p);
- } else {
- res.push_back(s + "=" + p);
- }
+ if (pathAccessible(p)) {
+ if (s.empty()) {
+ res.push_back(p);
+ } else {
+ res.push_back(s + "=" + p);
 }
- } catch (SysError & e) {
- // swallow EPERM
- if (e.errNo != EPERM) throw;
 }
 };
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index a196c10e6..32e9a6ea9 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -57,8 +57,6 @@ Settings::Settings()
 auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
 if (sslOverride != "") caFile = sslOverride;
- else if (caFile == "")
- caFile = getDefaultSSLCertFile();
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
@@ -185,7 +183,7 @@ bool Settings::isWSL1()
 Path Settings::getDefaultSSLCertFile()
 {
 for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
- if (pathExists(fn)) return fn;
+ if (pathAccessible(fn)) return fn;
 return "";
 }
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 34b4f24a7..31dfe5b4e 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -842,7 +842,7 @@ public:
 )"};
 Setting caFile{
- this, "", "ssl-cert-file",
+ this, getDefaultSSLCertFile(), "ssl-cert-file",
 R"( The path of a file containing CA certificates used to authenticate `https://` downloads. Nix by default will use
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 3a8309149..aa0a154fd 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
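Review bot: In `Settings::getDefaultSSLCertFile()` (src/libstore/globals.cc, second hunk) a CA bundle candidate whose probe fails with EPERM is now skipped silently, so the trust anchors used for `https://` downloads can fall through to the second path or to `""` with nothing recorded. What an empty `caFile` means for certificate verification is not visible in this diff, so the fallback deserves a comment above the loop, for example `// Candidates are probed in order; one that cannot be probed (EPERM) is skipped, and "" means no default bundle was found.` Because globals.hh now passes this value as the default of `caFile`, the choice is made while `Settings` is being constructed, which is worth stating in the same comment.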
@@ -266,6 +266,17 @@ bool pathExists(const Path & path)
 return false;
 }
+bool pathAccessible(const Path & path)
+{
+ try {
+ return pathExists(path);
+ } catch (SysError & e) {
+ // swallow EPERM
+ if (e.errNo == EPERM) return false;
+ throw;
+ }
+}
+
 Path readLink(const Path & path)
 {
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index a7907cd14..00fcb9b79 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@@ -120,6 +120,14 @@ struct stat lstat(const Path & path);
 */
 bool pathExists(const Path & path);
+/**
+ * A version of pathExists that returns false on a permission error.
+ * Useful for inferring default paths across directories that might not
+ * be readable.
+ * @return true iff the given path can be accessed and exists
+ */
+bool pathAccessible(const Path & path);
+
 /**
 * Read the contents (target) of a symbolic link. The result is not
 * in any way canonicalised.
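Review bot: `pathAccessible` in src/libutil/util.cc maps only `EPERM` to `false`, while the doc comment added in util.hh promises `false` "on a permission error" and mentions directories that might not be readable. On POSIX systems a missing search permission on a parent directory is normally reported as `EACCES`, which this catch would rethrow (assuming `pathExists`, whose body is mostly outside the hunk, raises `SysError` carrying the underlying errno). Either widen the test to `if (e.errNo == EPERM || e.errNo == EACCES) return false;` or narrow the header comment to say that only `EPERM` is swallowed, so callers that pick default paths know which failures still throw. The exception could also be caught as `const SysError &`, since it is only read.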