diff --git a/claudebox.sh b/claudebox.sh
index 0b578fb..a763072 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -264,11 +264,14 @@
 AUDIT_SANDBOX_VALS[SHELL]="$SANDBOX_BASH"
 AUDIT_SANDBOX_VALS[TMPDIR]="/tmp"
 AUDIT_SANDBOX_VALS[XDG_RUNTIME_DIR]="/tmp"
-# SSL cert path: prefer host NIX_SSL_CERT_FILE (NixOS sets this to a nix store path);
-# fall back to /etc/ssl/certs/ca-certificates.crt for non-NixOS hosts.
+# SSL cert path: resolve to real nix store path so symlinks work inside the sandbox.
+# On NixOS, /etc/ssl/certs/ca-certificates.crt -> /etc/static/ssl/... -> /nix/store/...
+# The sandbox mounts /nix/store but not /etc/static, so we must resolve before entering.
 _SSL_CERT_DEFAULT="/etc/ssl/certs/ca-certificates.crt"
 _NIX_SSL_CERT="${NIX_SSL_CERT_FILE:-$_SSL_CERT_DEFAULT}"
+_NIX_SSL_CERT="$(readlink -f "$_NIX_SSL_CERT" 2>/dev/null || echo "$_NIX_SSL_CERT")"
 _SSL_CERT="${SSL_CERT_FILE:-$_NIX_SSL_CERT}"
+_SSL_CERT="$(readlink -f "$_SSL_CERT" 2>/dev/null || echo "$_SSL_CERT")"
 ENV_ARGS+=(
 --setenv NIX_SSL_CERT_FILE "$_NIX_SSL_CERT"
 --setenv SSL_CERT_FILE "$_SSL_CERT"
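Review bot: The path produced by the two added `readlink -f` lines is exported into the sandbox without checking that it exists and is readable, so a dangling symlink, a `NIX_SSL_CERT_FILE` or `SSL_CERT_FILE` pointing at a tree the sandbox does not mount, or a plain typo in either variable is only discovered as a TLS failure inside the sandbox rather than as a diagnostic at startup. The two lines also repeat the same `readlink … || echo` expression, and `echo` is fragile for arbitrary path values where `printf '%s\n'` is not. I would fold the resolution into a small helper and add a readability check on the final `_SSL_CERT` before the `ENV_ARGS+=(` block; whether that check should warn or abort depends on whether the project wants TLS to fail closed at launch, which this hunk does not tell me.
```shell
_SSL_CERT_DEFAULT="/etc/ssl/certs/ca-certificates.crt"
# Resolve symlinks on the host so the path stays valid once /etc/static is no longer visible.
_resolve_cert() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }
_NIX_SSL_CERT="$(_resolve_cert "${NIX_SSL_CERT_FILE:-$_SSL_CERT_DEFAULT}")"
_SSL_CERT="$(_resolve_cert "${SSL_CERT_FILE:-$_NIX_SSL_CERT}")"
[[ -r "$_SSL_CERT" ]] \
  || printf 'warning: CA bundle %s is not readable on the host; TLS verification in the sandbox may fail\n' "$_SSL_CERT" >&2
# … unchanged: ENV_ARGS+=( --setenv … ) …
```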