diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index a7cac48d52d7..7c7f301552e7 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -110,7 +110,8 @@ stdenv.mkDerivation rec {
       "--disable-manual"
       # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback
       # to nss-cacert from the default profile.
-      "--without-ca-bundle"
+      # https://github.com/curl/curl/issues/8696 - fallback is not supported by HTTP3
+      (if http3Support then "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" else "--without-ca-bundle")
       "--without-ca-path"
       (lib.enableFeature c-aresSupport "ares")
       (lib.enableFeature ldapSupport "ldap")