diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
index c96e9647b411..3bfdce6c912c 100644
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@@ -4,6 +4,13 @@ import ./make-test-python.nix (
 certs = import ./common/acme/server/snakeoil-certs.nix;
 serverDomain = certs.domain;
+ # copy certs to store to work around mount namespacing
+ certsPath = pkgs.runCommandNoCC "snakeoil-certs" { } ''
+ mkdir $out
+ cp ${certs."${serverDomain}".cert} $out/snakeoil.crt
+ cp ${certs."${serverDomain}".key} $out/snakeoil.key
+ '';
+
 provisionAdminPassword = "very-strong-password-for-admin";
 provisionIdmAdminPassword = "very-strong-password-for-idm-admin";
 provisionIdmAdminPassword2 = "very-strong-alternative-password-for-idm-admin";
@@ -23,8 +30,8 @@ import ./make-test-python.nix (
 domain = serverDomain;
 bindaddress = "[::]:443";
 ldapbindaddress = "[::1]:636";
- tls_chain = certs."${serverDomain}".cert;
- tls_key = certs."${serverDomain}".key;
+ tls_chain = "${certsPath}/snakeoil.crt";
+ tls_key = "${certsPath}/snakeoil.key";
 };
 # So we can check whether provisioning did what we wanted
 enableClient = true;
diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix
index a2f4b98a728c..7e2fce20857a 100644
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@@ -6,6 +6,13 @@ import ./make-test-python.nix ({ pkgs, ... }:
 testCredentials = {
 password = "Password1_cZPEwpCWvrReripJmAZdmVIZd8HHoHcl";
 };
+
+ # copy certs to store to work around mount namespacing
+ certsPath = pkgs.runCommandNoCC "snakeoil-certs" { } ''
+ mkdir $out
+ cp ${certs."${serverDomain}".cert} $out/snakeoil.crt
+ cp ${certs."${serverDomain}".key} $out/snakeoil.key
+ '';
 in
 {
 name = "kanidm";
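Review bot: The `certsPath` derivation added in the first hunk of kanidm-provisioning.nix, and repeated verbatim in the first hunk of kanidm.nix, copies the TLS private key into the Nix store, where any local user can read it. That is harmless for the public snakeoil key, but the comment should say so, so the pattern is not carried into a real deployment: `# test-only: the snakeoil key is public; a real TLS key must never be placed in the world-readable store`. The existing comment also does not say which unit's mount namespace hides the original paths, and naming it would help the next reader. As far as I know `runCommandNoCC` is only a backward-compatibility alias, so `pkgs.runCommand "snakeoil-certs" { } ''` is the safer spelling. The duplicated derivation could be defined once and shared by both tests.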
@@ -19,8 +26,8 @@ import ./make-test-python.nix ({ pkgs, ... }:
 domain = serverDomain;
 bindaddress = "[::]:443";
 ldapbindaddress = "[::1]:636";
- tls_chain = certs."${serverDomain}".cert;
- tls_key = certs."${serverDomain}".key;
+ tls_chain = "${certsPath}/snakeoil.crt";
+ tls_key = "${certsPath}/snakeoil.key";
 };
 };
diff --git a/pkgs/by-name/ka/kanidm/package.nix b/pkgs/by-name/ka/kanidm/package.nix
index dc032583ae07..840b21b04d35 100644
--- a/pkgs/by-name/ka/kanidm/package.nix
+++ b/pkgs/by-name/ka/kanidm/package.nix
@@ -28,16 +28,16 @@ let
 in
 rustPlatform.buildRustPackage rec {
 pname = "kanidm";
- version = "1.3.2";
+ version = "1.3.3";
 src = fetchFromGitHub {
 owner = pname;
 repo = pname;
 rev = "refs/tags/v${version}";
- hash = "sha256-YFmWZlDcsSk+7EGkoK0SkAhNsrIQa55IRIVqisX3zqE=";
+ hash = "sha256-W5G7osV4du6w/BfyY9YrDzorcLNizRsoz70RMfO2AbY=";
 };
- cargoHash = "sha256-8ZENe576gqm+FkQPCgz6mScqdacHilARFWmfe+kDL2A=";
+ cargoHash = "sha256-gJrzOK6vPPBgsQFkKrbMql00XSfKGjgpZhYJLTURxoI=";
 KANIDM_BUILD_PROFILE = "release_nixos_${arch}";
@@ -110,7 +110,14 @@ rustPlatform.buildRustPackage rec {
 inherit (nixosTests) kanidm kanidm-provisioning;
 };
- updateScript = nix-update-script { };
+ updateScript = nix-update-script {
+ # avoid spurious releases and tags such as "debs"
+ extraArgs = [
+ "-vr"
+ "v(.*)"
+ ];
+ };
+
 inherit enableSecretProvisioning;
 withSecretProvisioning = kanidm.override { enableSecretProvisioning = true; };
 };
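Review bot: In the `updateScript` hunk of package.nix, the version regex `v(.*)` still accepts any tag that begins with `v`, so a pre-release or oddly suffixed tag could be picked up by an automated bump. The `debs` case named in the comment is excluded, but nothing else is. If only plain releases are wanted, restrict the capture to digits and dots, e.g. `"v([0-9.]+)$"`, and consider spelling the flag `"--version-regex"` for readers who do not know nix-update's short options. How nix-update treats pre-releases by default is not visible on this page, so the first point needs confirming against the tool. The enclosing attribute set starts outside the hunk.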