diff --git a/docker/check-tool-versions.sh b/docker/check-tools.sh
similarity index 59%
rename from docker/check-tool-versions.sh
rename to docker/check-tools.sh
index db20be45e4..faa4586832 100755
--- a/docker/check-tool-versions.sh
+++ b/docker/check-tools.sh
@@ -10,11 +10,13 @@ cmake --version
 conan --version
 g++ --version
 gcc --version
+gcov --version
 gcovr --version
 git --version
 less --version
 make --version
 mold --version
+netstat --version
 ninja --version
 perl --version
 pkg-config --version
@@ -22,3 +24,9 @@ pre-commit --version
 python3 --version
 run-clang-tidy --help
 vim --version
+
+# A simple test to verify that git can clone a repository over HTTPS
+# (i.e. the CA bundle is wired up). Clone to a temp dir and clean up.
+tmp_clone="$(mktemp -d)"
+git clone --depth 1 https://github.com/XRPLF/actions.git "${tmp_clone}/actions"
+rm -rf "${tmp_clone}"
diff --git a/docker/nix.Dockerfile b/docker/nix.Dockerfile
index a0eab31769..6248708417 100644
--- a/docker/nix.Dockerfile
+++ b/docker/nix.Dockerfile
@@ -47,6 +47,12 @@ COPY --from=builder /tmp/build/result /nix/ci-env
 ENV PATH="/nix/ci-env/bin:${PATH}"
+# Point HTTPS clients (git, curl, conan, ...) at the CA bundle shipped in the
+# Nix CI environment, so TLS verification works without ca-certificates being
+# installed in the system.
+ENV SSL_CERT_FILE="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
+ENV GIT_SSL_CAINFO="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
+
 # Externally-built dynamically-linked ELF binaries hard-code the loader path
 # (e.g. /lib64/ld-linux-x86-64.so.2) in their PT_INTERP header. Install it
 # from the Nix store when the base image doesn't already provide one.
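Review bot: `rm -rf "${tmp_clone}"` on the last added line only runs when the clone succeeds, so every failing run leaves the temp dir behind (and if the script's prologue, which is outside the hunk, sets `set -e`, that is every failure path); registering the cleanup right after `mktemp -d` covers both: `trap 'rm -rf "${tmp_clone}"' EXIT`. Because the stated purpose is checking that the CA bundle is wired up, `git -c http.sslVerify=true ls-remote --exit-code https://github.com/XRPLF/actions.git HEAD >/dev/null` exercises the same HTTPS transport and certificate verification without writing a working tree, which would remove the temp dir altogether; the explicit `http.sslVerify=true` also keeps an inherited `GIT_SSL_NO_VERIFY` from letting the check pass without ever touching the bundle. Either way the image build now requires outbound network access to github.com, which is worth stating in the comment.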
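Review bot: The bundle path is spelled out twice in the two new ENV instructions; the second can reference the first, `ENV GIT_SSL_CAINFO="${SSL_CERT_FILE}"`, so the two values cannot drift apart. The comment lists conan among the covered clients, but if the conan in this image is the Python tool built on requests it reads `REQUESTS_CA_BUNDLE` (or `CURL_CA_BUNDLE`) rather than `SSL_CERT_FILE` — please verify, and set that variable here as well if so. The smoke test added in docker/check-tools.sh exercises git only, so conan's trust path is not checked by the build.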
@@ -65,8 +71,8 @@ if [ ! -e "${target}" ]; then
 fi
 EOF
-COPY docker/check-tool-versions.sh /tmp/check-tool-versions.sh
-RUN /tmp/check-tool-versions.sh
+COPY docker/check-tools.sh /tmp/check-tools.sh
+RUN /tmp/check-tools.sh
 # Sanity-check that the g++/clang++ are able to build binaries, including sanitizer-instrumented ones.
 COPY docker/test_files/cpp_sources/ /tmp/cpp_sources/
diff --git a/nix/ci-env.nix b/nix/ci-env.nix
index 0d617913d9..0ef7410250 100644
--- a/nix/ci-env.nix
+++ b/nix/ci-env.nix
@@ -43,6 +43,15 @@ let
 bintools = customBinutils;
 };
+ # gcov ships in gcc's `cc` output, but the cc-wrapper doesn't expose it.
+ # Surface the gcov from our rebuilt gcc (linked against the custom glibc, so
+ # it runs under the loader installed in the image) and matching the exact
+ # compiler version, so gcovr can produce coverage reports in the CI env.
+ customGcov = pkgs.runCommand "gcov-custom-for-ci-env" { } ''
+ mkdir -p "$out/bin"
+ ln -s "${customGccCc}/bin/gcov" "$out/bin/gcov"
+ '';
+
 # stdenv built around the rebuilt gcc / custom glibc. Used to rebuild
 # compiler-rt below so its sanitizer runtimes see the custom glibc
 # headers.
@@ -105,11 +114,16 @@ in
 name = "xrpld-ci-env";
 paths = commonPackages ++ [
 customGcc
+ customGcov
 customClangForCiEnv
 customBinutils
+ # CA certificate bundle so HTTPS clients (git, curl, conan) can verify
+ # TLS connections without ca-certificates being installed in the system.
+ pkgs.cacert
 ];
 pathsToLink = [
 "/bin"
+ "/etc/ssl/certs"
 "/lib"
 "/include"
 "/share"
diff --git a/nix/packages.nix b/nix/packages.nix
index 3d92fedb4b..b608677aea 100644
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -17,6 +17,7 @@ in
 llvmPackages_22.clang-tools
 less # needed for git diff
 mold
+ nettools # provides netstat, used to debug failures in CI
 ninja
 patchelf
 perl # needed for openssl
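Review bot: `ln -s` in the customGcov recipe succeeds even when `${customGccCc}/bin/gcov` does not exist, so a gcc build that stops shipping gcov in that output produces a dangling symlink and the failure only surfaces later, at `gcov --version` in docker/check-tools.sh. A one-line guard before the link keeps the failure at the derivation that introduces it: `test -x "${customGccCc}/bin/gcov"`. customGccCc is defined outside the hunk, so whether it is the `cc` output the comment refers to cannot be confirmed here.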
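Review bot: The new `"/etc/ssl/certs"` entry in pathsToLink is load-bearing for the absolute path hard-coded in docker/nix.Dockerfile (`/nix/ci-env/etc/ssl/certs/ca-bundle.crt`), but nothing on the line says so, and a later cleanup of pathsToLink would break TLS verification for every HTTPS client in the image. A comment on the entry makes the coupling visible: `"/etc/ssl/certs" # exposes pkgs.cacert's ca-bundle.crt, consumed by SSL_CERT_FILE/GIT_SSL_CAINFO in docker/nix.Dockerfile`. The file name itself comes from pkgs.cacert, so the Dockerfile path is tied to that package's layout as well as to this entry.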