/etc/ssl/certs is different on each core version

Hello all,

I’m trying to run the openstackclients snap and get it to read the system certificates now that it has been updated to use the strict confinement.

I’ve found in other threads across the forum that if you just add the network plug, it would be able to read the system certificates in /etc/ssl/certs.

I did 2 tests: 1) I added an extra custom cert (cacert.pem) in that folder just to see if the snap would be able to read it, and 2) I verified the ca-certificates.crt file that I have and compared it to what the snap reads. To test, I created a shell using:

snap run --shell openstackclients.openstack

then I navigate to /etc/ssl/certs in that shell and I don’t see my cacert.pem file there. Also, ca-certificates.crt is different from the one I have in my system /etc/ssl/certs.

Then, checking the content of /snap and find/grepping for my file and certificate, respectively, I find them in /snap/core/10908/etc/ssl/certs/.

In my /snap/core folder I have 2 folders: 10908 and 10958. The contents of /etc/ssl/certs in the two are different: 10908 mirrors my system /etc/ssl/certs and 10958 doesn’t. I don’t know what 10958 mirrors. I suspect the openstackclients is using 10958.

When running “snap connections --all” I see:

Interface   Plug                       Slot       Notes
network     openstackclients:network   :network   -

So I guess I should assume the openstackclients snap should be able to read my certs and files under /etc/ssl/certs.

Any ideas on how to make it read the certificates or load the core with the proper content like 10908? Is this a bug?

Thanks in advance

There are two answers to this question, one of which applies to snapd versions 2.50 and later on Ubuntu classic systems, and the other of which applies to all snapd versions on non-Ubuntu classic systems and Ubuntu Core systems, or on Ubuntu classic systems with snapd 2.49 and below.

On systems with snapd 2.49 and below, as well as non-Ubuntu classic systems with 2.50+, /etc/ssl inside the mount namespace of a strict snap is bind mounted from the base snap of the app snap being executed. This means that for a snap with base: core (or no base at all), this directory comes from the core snap. You will see that different revisions of the core snap may have different versions of certificates here, since there was recently (last 6 months I think) a change to the ca-certificates package which included removal of an old untrusted certificate.

On Ubuntu classic systems with snapd 2.50 (which is in beta), a new feature has been added where /etc/ssl inside the mount namespace of a strict snap is bind mounted from the host system, not from the base snap. So if you install (or remove) additional certificates on your host in /etc/ssl, then those changes will show up inside the snap’s mount namespace for your snap to use.
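As an added example that is not part of this thread or of snapd itself, the following script makes the two checks concrete: it reads a /proc/self/mountinfo listing and reports whether /etc/ssl is provided by the base snap’s squashfs image or by a separate mount from the host, and it compares the digest of a CA bundle so the host copy and the copy seen inside `snap run --shell openstackclients.openstack` can be matched. It assumes (this is not stated in the thread) that a strict snap’s root filesystem is the base snap’s squashfs image, so that a squashfs provider means “base snap” and any other filesystem type means “host”. The mountinfo excerpts embedded in it are constructed samples, not captured output.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread or from snapd): where does a strict
# snap's /etc/ssl come from, and does its CA bundle match the host's?
# Assumption: a strict snap's root is the base snap's squashfs image, so if no
# separate non-squashfs mount covers /etc/ssl the certs come from the base
# (core) snap; a separate ext4/xfs/... mount means they come from the host.
set -u

# Read /proc/self/mountinfo text on stdin and print "<fstype> <source>" for the
# mount that provides TARGET; the longest matching mount point wins.
mount_provider() {
  local target=$1 best='' bestlen=0
  local _id _parent _devno _root mnt rest prefix
  while read -r _id _parent _devno _root mnt rest; do
    [ -n "$rest" ] || continue
    # After the mount point come: options, optional tags..., "-", fstype, source, ...
    set -- $rest
    while [ $# -gt 0 ] && [ "$1" != "-" ]; do shift; done
    [ $# -ge 3 ] || continue
    prefix=${mnt%/}          # "/" becomes "" so that "/*" matches everything
    case $target in
      "$prefix"|"$prefix"/*)
        if [ ${#mnt} -gt "$bestlen" ]; then
          best="$2 $3"
          bestlen=${#mnt}
        fi ;;
    esac
  done
  printf '%s\n' "$best"
}

# Classify the provider of /etc/ssl in the namespace whose mountinfo is on stdin.
ssl_origin() {
  case $(mount_provider /etc/ssl) in
    squashfs*) echo base-snap ;;
    '')        echo unknown ;;
    *)         echo host ;;
  esac
}

# SHA-256 of a CA bundle. Run it on the host and again inside the snap shell
# opened with `snap run --shell openstackclients.openstack`, then compare.
bundle_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Succeeds when two bundle files have the same digest.
same_bundle() { [ "$(bundle_digest "$1")" = "$(bundle_digest "$2")" ]; }

# Constructed sample mountinfo excerpts (not captured from a real system).
# Old snapd: only the base snap's squashfs root covers /etc/ssl.
SAMPLE_OLD='21 1 7:3 / / ro,relatime - squashfs /dev/loop3 ro
45 21 8:1 /home /home rw,relatime shared:1 - ext4 /dev/sda1 rw'
# snapd 2.50+ on Ubuntu classic: /etc/ssl is a separate mount from the host disk.
SAMPLE_NEW='21 1 7:3 / / ro,relatime - squashfs /dev/loop3 ro
52 21 8:1 /etc/ssl /etc/ssl rw,relatime shared:1 - ext4 /dev/sda1 rw'

printf 'sample old snapd: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | ssl_origin)"
printf 'sample new snapd: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | ssl_origin)"
# Run the script inside the snap shell (or feed it that shell's mountinfo) to
# classify the snap's own namespace instead of the host's.
if [ -r /proc/self/mountinfo ]; then
  printf 'this namespace:   %s\n' "$(ssl_origin < /proc/self/mountinfo)"
fi
```

If the snap shell cannot see the script file, `cat /proc/self/mountinfo` and `sha256sum /etc/ssl/certs/ca-certificates.crt` inside that shell and compare by hand: a squashfs provider plus a digest that matches a revision under /snap/core/ confirms the first case in the answer above, while a host filesystem provider plus a digest matching the host bundle confirms the second.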