Extending system certificates


#21

Hi!

I had a similar problem when testing the example of creating a snap for the httpstat utility, using a URL whose certificate was signed by Go Daddy Secure Certificate Authority - G2.

On my workstation, where I have gdig2.pem installed, curl didn’t complain. However, when testing in the snap I always encountered the unsafe site error.

I have verified that in the folder ‘/snap/core/current/etc/ssl/’ there is no CA for Go Daddy!

As this folder structure is read-only, I decided to do the following test:

sudo mount --bind /etc/ssl /snap/core/current/etc/ssl

After that the httpstat snap example worked!

I believe this is not a fancy solution, but I have not found a better way to add a CA.

Thanks,
Marcelo Módolo
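The check described above (looking whether a particular CA is present in the core snap's trust store) can be done systematically by diffing the host bundle against the bundle inside the snap by certificate digest. The script below is an added example written for this thread, not code from any of the posters or from snapd. It assumes the Debian/Ubuntu bundle paths shown in the usage comment; the two "bundles" in `demo` are constructed from base64 of short strings and are not real certificates, they only exercise the parsing and comparison.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the host CA bundle with the
# one shipped inside the core snap and list certificates the snap cannot see.
# Assumed paths are the Debian/Ubuntu defaults; pass the two bundles as arguments.

# Print one lowercase SHA-256 digest per certificate in a PEM bundle, sorted and
# de-duplicated. The digest is taken over the DER bytes (the decoded base64 body),
# so it equals what `openssl x509 -noout -fingerprint -sha256` prints, minus colons.
pem_digests() (
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
    inblock                       { body = body $0 }
  ' "$1" |
  while IFS= read -r body; do
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
  done | sort -u
)

# Digests present in the first bundle (host) but absent from the second (snap).
missing_from_snap() (
  snap_list=$(pem_digests "$2")
  pem_digests "$1" | while IFS= read -r d; do
    case "$snap_list" in
      *"$d"*) ;;                    # the snap trusts this one: nothing to report
      *)      printf '%s\n' "$d" ;;
    esac
  done
)

# Number of host certificates the snap does not trust.
count_missing() (
  missing_from_snap "$1" "$2" | awk 'END { print NR }'
)

# Self-contained demo on two constructed bundles. The "certificates" are just
# base64 of "Hello" and "World"; only the second one is missing from the snap side.
demo() (
  dir=$(mktemp -d)
  cat > "$dir/host.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
SGVsbG8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
V29ybGQ=
-----END CERTIFICATE-----
EOF
  cat > "$dir/snap.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
SGVsbG8=
-----END CERTIFICATE-----
EOF
  missing_from_snap "$dir/host.crt" "$dir/snap.crt"
  rm -rf "$dir"
)

# Real use (assumed default paths):
#   ./snap-ca-diff.sh /etc/ssl/certs/ca-certificates.crt \
#                     /snap/core/current/etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
  missing_from_snap "$1" "$2"
fi
```

Each digest it prints can be looked up on the host with `openssl x509 -in <file> -noout -fingerprint -sha256 -subject` to see which CA (the Go Daddy G2 intermediate in the case above) the snap is missing, which is a quicker check than reading the two directories by hand.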


#22

I know this is an evil hack, but isn’t that on which The Internet is built…

So if you need a stable system that has the SSL environment extended, here’s a systemd generator that dynamically bindmounts /etc/ssl (and any other paths you’d like, for good measure):

#!/bin/bash

OUTPUT_DIR="$1"   # systemd passes the generator output directory as the first argument
UNITFILES="$( ls /etc/systemd/system/snap-core{,18}-*.mount 2>/dev/null )"
BINDS="/etc/ssl /etc/environment" # add more paths as needed

for BIND in ${BINDS}; do
  for UNITFILE in ${UNITFILES}; do
    if [[ $UNITFILE =~ snap-([-a-z0-9]+)-([0-9]+)\.mount$ ]]; then
      UNIT="${BASH_REMATCH[0]}"      # e.g. snap-core-1234.mount
      SNAP="${BASH_REMATCH[1]}"      # e.g. core
      REVISION="${BASH_REMATCH[2]}"  # e.g. 1234
    else
      echo "Could not parse ${UNITFILE}…" >&2
      exit 1
    fi

    BINDUNIT="snap-${SNAP}-${REVISION}${BIND//\//-}.service"  # e.g. snap-core-1234-etc-ssl.service
    BINDTARGET="/snap/${SNAP}/${REVISION}${BIND}"
    WANTSPATH="${OUTPUT_DIR}/${UNIT}.wants"

    # Couldn't get heredoc to work here…
    echo "# Automatically generated by $( basename "$0" )

[Unit]
Description=${BIND} bindmount for ${SNAP}-${REVISION}
After=${UNIT}
Requires=${UNIT}

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mount --bind ${BIND} ${BINDTARGET}
ExecStop=/bin/umount ${BINDTARGET}" > "${OUTPUT_DIR}/${BINDUNIT}"

    # Pull the bind-mount service in whenever the snap's own mount unit is started
    mkdir -p "${WANTSPATH}"
    ln -sf "../${BINDUNIT}" "${WANTSPATH}/"
  done
done

I couldn’t get it to work well with mount units, because those don’t support files being the targets of a mount. I’ll leave it as an exercise to the reader to make this work for paths that don’t exist on the target (NB: you need to touch the target if bindmounting a single file). (d’uh, it’s a snap, you can’t…).


#23

Just adding my feedback that this is becoming a requirement for us as well. We have customers that do deep packet inspection, so we need a way to add new trusted signing certificates to the system.