Certificate substitution and snaps

Like many other users I work in a corporate environment where we have our own CA root and PKI for internal applications. I attempted to use snap to install kurly (a curl substitute) but quickly found it didn’t work on any of our internal applications due to “x509: certificate signed by unknown authority”. I understand the goal of snap is to isolate applications, but I have no interest in reconfiguring every app I install to use a different set of trusted root CAs.

I was able to temporarily mount the existing root CA store on my Ubuntu system into the core package using:

sudo mount --bind -o nodev,ro /etc/ssl/certs /snap/core/current/etc/ssl/certs/

This allows the kurly snap (and any others I install) to work until I restart the system.

As a stopgap until snap finds a way to manage root CA for all applications, you can create a systemd mount file to run on startup:

$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service

[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro

[Install]
WantedBy=multi-user.target
EOF
$ sudo systemctl enable snap-core-current-etc-ssl-certs.mount
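A check that the bind mount described above is in place and still carries `ro` and `nodev`, as an added example that is not part of the original post. The function name `check_ca_bind_mount` and the sample line are constructed for illustration; because `current` is a symlink and the kernel records the resolved path, the check resolves it first, so a mount left on an older core revision is reported as missing.

```shell
#!/bin/sh
# Added example: verify the CA-store bind mount into the core snap.
# Return status: 0 = mounted with ro and nodev
#                1 = mounted, but ro or nodev is missing
#                2 = nothing mounted at the (resolved) target
#
# Constructed sample of a matching /proc/self/mountinfo line:
#   100 25 8:2 /etc/ssl/certs /snap/core/1234/etc/ssl/certs ro,nodev,relatime shared:1 - ext4 /dev/sda2 rw
#
# Usage: check_ca_bind_mount /snap/core/current/etc/ssl/certs; echo "status=$?"
check_ca_bind_mount() {
    target=$1                              # mount point to verify
    mountinfo=${2:-/proc/self/mountinfo}   # overridable so the check can be tested offline
    # mountinfo holds the resolved path, so follow the "current" symlink first.
    resolved=$(readlink -f -- "$target" 2>/dev/null) || resolved=$target
    awk -v mp="$resolved" '
        # mountinfo fields: 5 = mount point, 6 = per-mount options
        $5 == mp { found = 1; opts = $6 }  # last match wins (topmost mount)
        END {
            if (!found) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) has[o[i]] = 1
            if (has["ro"] && has["nodev"]) exit 0
            exit 1
        }' "$mountinfo"
}
```
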