Custom SSL certs for snapd to the snap store communication

Support for adding custom SSL certificates to the snapd daemon has landed in the 2.45 release. These certs will then be added to the trusted certificates pool of snapd for the store communication.

Custom certs can be added via the snapd configuration system under system and store-certs.<name>=<value>.

E.g. add via:

# snap set system store-certs.cert1="$(cat /path/to/mycert)"

Remove via:

# snap unset system store-certs.cert1
1 Like

I’ve added this to our system options reference page: System options

1 Like

Hi devs!

I have been struggling connecting nectcloud with samba ad-dc via LDAPS and finally found here what I thought is the solution.
My system is Ubuntu Server 20.04.2, Nextcloud 20.0.7 with snap v2.49.
I have my own CA and certificates work so far for https & tls.

In Nextcloud I always have to turn of certificate-checking: turnOffCertCheck = 1

In debugging this issue I wanted to add my root-certificate to the nextcloud snap.
I did so by:
snap set system store-certs.cert1="$(cat /etc/ssl/certs/my-root-ca.pem)"
and
snap set nextcloud store-certs.cert1="$(cat /etc/ssl/certs/my-root-ca.pem)"

Both commands show the correct root-certificate:
snap get nextcloud store-certs
snap get system store-certs

When I check certificate in snap-shell:
snap run --shell nextcloud.php.fpm
openssl s_client -connect my-host:636

The log shows: unable to get local issuer certfificate

Looking through the directories from “openssl version -d” will reveal, that my-root-pem-certificate is not present.

Can you help me what I made wrong?

1 Like

This option is not for individual snaps, this option is only meant to add certificates to the pool that snapd uses when connecting to the store, it does not add certificates to application snaps like NextCloud.

However, we did add a feature which will inherit in snap environments the /etc/ssl directory of the host when run on specifically Ubuntu classic systems automatically. So if you have installed the certificate you need NextCloud to use into /etc/ssl and you are on Ubuntu classic (server or desktop, but not Core), and you switch to snapd beta channel and reboot, then NextCloud should be able to use the certificates from /etc/ssl in order to connect to upstream servers. I’m not sure where NextCloud is configured to search for certificates, but it is possible that NextCloud in addition is also not searching /etc/ssl for certificates. This specific feature about using /etc/ssl will be available in snapd 2.50, which is currently in beta and should move to stable by the end of April 2021.

@ijohnson,

thanks for your answer. It indeed solves my issue, though not fully.
While further drilling this down and based on responses I’ve added on bug-reports at places where I hoped to have the correct forum . As I don’t want to spread a single issue over several places, I think it is good to make a reference for you here:


What remains is access-rules in the Apparmor-profile for:
/etc/ldap/ldap.conf r,
/usr/local/share/ca-certificates/* r,

Anyway, I’m a big step forward with 2.50, many thanks!

As explained in the bug by Olivier, this is actually provided by the abstractions/ssl_certs apparmor abstraction so I’m a bit surprised you can’t read this.

Actually I think the issue might be more that if your custom certificates are located on your host system’s /usr/local/share/ca-certificates, then inside the snap’s mount namespace that directory is not populated with that of the host, it is the content of the base snap. Can you just put your custom certificates from the host into /etc/ssl ?

I’m not sure what interface we should provide this for, can you start a new topic for this specific access ?

It works for me :slight_smile: Thanks,