Trying to use snaps on Ubuntu Xenial in an environment where HTTPS traffic is going through an outbound proxy that does certificate substitution. The ca-certificates file on Ubntu is updated, and apt install is working.
snapd re-execs itself into the core snap as execution environment … the core snap is a readonly squashfs, while it has the default ca-certificates pre-installed, there is no actual way of dynamically adding additional certificates to it …
I work in a facility that does deep packet inspection of all https traffic. This network security tool set is becoming more and more prevalent in corporate and government institutions. All traffic is decoded/inspected/recoded at the perimeter. On our workstations, we add the signing cert into our ca-certificates chain.
Since snaps bypasses the local CA chain, I’d like to know if we can add our local signing cert into the snaps ca chain. (I’ll ask this in the other thread, too.)
Like many other users I work in a corporate environment where we have our own CA root and PKI for internal applications. I attempted to use snap to install kurly (a curl substitute) but quickly found it didn’t work on any of our internal applications due to “x509: certificate signed by unknown authority”. I understand the goal of snap is to isolate applications, but I have no interest in re configuring every app I install to use a different set of trusted root CAs.
I was able to temporarily mount the existing root CA store on my Ubuntu system into the core package using:
sudo mount --bind --bind -o nodev,ro /etc/ssl/certs /snap/core/current/etc/ssl/certs/
This allows the kurly snap (and any others I install) to work until I restart the system.
As a stop gap until snap finds a way to manage root CA for all applications you can create a systemd mount file to run on startup:
$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service
[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro
[Install]
WantedBy=multi-user.target
EOF
$ systemctl enable snap-core-current-etc-ssl-certs.mount
A related bug x509: certificate signed by unknown authority was closed as “won’t fix” with the comment: “Don’t try to man-in-the-middle snapd.” I’d say that it is not prioritized to alleviate this restriction upstream.
I would just like to echo comments made by others. Proper certificate management within snaps is a must. Applications deployed as snaps must be able to trust user/admin/system provided CAs. Many enterprises have their own CAs; use case - OpenStack behind TLS (which is a typical environment these days), signed with company-wide CA. One can’t use k8s on that OpenStack because there is no way to push trusted CA into k8’s snaps.