Extending system certificates


I had a similar problem when testing the example of creating a snap to the httpstat utility.
When testing the example with a URL where the certificate was signed by Go Daddy Secure Certificate Authority - G2.

On my workstation where I have gdig2.pem installed CURL didn’t complain. However when testing in the snap I always encountered the unsafe site error.

I have verified that in folder ‘/snap/core/current/etc/ssl/’ there is no CA for Go Daddy!

As this folder structure is read only I decided to do the following test:

sudo mount --bind /etc/ssl /snap/core/current/etc/ssl

After that the httpstat snap example worked!

I believe this is not a fancy solution but I have not found a better way to add a CA.

Marcelo Módolo

I know this is an evil hack, but isn’t that on which The Internet is built…

So if you need a stable system that has the SSL environment extended, here’s a systemd generator that dynamically bindmounts /etc/ssl (and any other paths you’d like, for good measure):


UNITFILES="$( ls /etc/systemd/system/snap-core{,18}-*.mount )"
BINDS="/etc/ssl /etc/environment" # add more paths as needed

for BIND in ${BINDS}; do
  for UNITFILE in ${UNITFILES}; do
    if [[ $UNITFILE =~ snap-([-a-z0-9]+)-([0-9]+).mount$ ]]; then
      echo "Could not parse $UNIT…" 2>&1
      exit 1


    # Couldn't get heredoc to work here…
    echo "# Automatically generated by $( basename $0 )

Description=${BIND} bindmount for ${SNAP}-${REVISION}

ExecStart=/bin/mount --bind ${BIND} ${BINDTARGET}
ExecStop=/bin/umount ${BINDTARGET}" > ${OUTPUT_DIR}/${BINDUNIT}

    mkdir -p "${WANTSPATH}"
    ln -s "../${BINDUNIT}" "${WANTSPATH}"

I couldn’t get it to work well with mount units, because those don’t support files being the targets of a mount. I’ll leave it as an exercise to the reader to make this work for paths that don’t exist on the target (NB: you need to touch the target if bindmounting a single file). (d’uh, it’s a snap, you can’t…).

Just adding my feedback that this is becoming a requirement for us as well. We have customers that do deep packet inspection so we need a way to add new trusted signing certificates to the system.

Please explain how I could add this generator to ubuntu.

The systemd.generator man page I linked above has all the info you need.

I read through that doc. Just not clear on the process mainly because I am a Linux noob. For example does the file have an extension? Which directory do i place it in because I dont see the same directory paths that are listed in the doc. I was really just trying to find a way to get a snap use the system certificates but I am not having any luck. I tried the command to bind mount the certificate from /etc/ssl/certs to /snap/etc/ssl/certs and it seems to work but the snap still doesnt seem to get it. Oh well, I will keep searching for an answer.


Generators are small executables that live in /usr/lib/systemd/system-generators/ and other directories listed above.

Just place the file in any of the above paths and make it executable.

Im using Ubuntu 18.04 and I dont see a system-generators directory in any of those locations. I do have /run/systemd/generator directory. I tried copying the file there and made it executable. After a reboot the file is gone. I tried creating a system-generator director under /run/systemd and copying the file there but after a reboot the whole directory is gone. I am missing something…

@64bitfury just create one of those dirs :slight_smile: /run is temporary, that’s why your file created there is gone.

Created directory /etc/systemd/sys-generators and dropped the file in it. Then made the file executable. After reboot I do not see the contents of /etc/ssl/certs in /snap/core/current/etc/ssl/certs

You don’t need to reboot, systemctl daemon-reload is enough to trigger them.

Try running the generator yourself with a path to some custom directory and check its contents.

$ ./gen.sh $PWD/foo
$ tree foo 
├── snap-core18-1650-etc-environment.service
├── snap-core18-1650-etc-ssl.service
├── snap-core18-1650.mount.wants
│   ├── snap-core18-1650-etc-environment.service -> ../snap-core18-1650-etc-environment.service
│   └── snap-core18-1650-etc-ssl.service -> ../snap-core18-1650-etc-ssl.service
├── snap-core18-1668-etc-environment.service
├── snap-core18-1668-etc-ssl.service
├── snap-core18-1668.mount.wants
│   ├── snap-core18-1668-etc-environment.service -> ../snap-core18-1668-etc-environment.service
│   └── snap-core18-1668-etc-ssl.service -> ../snap-core18-1668-etc-ssl.service
├── snap-core-8886-etc-environment.service
├── snap-core-8886-etc-ssl.service
├── snap-core-8886.mount.wants
│   ├── snap-core-8886-etc-environment.service -> ../snap-core-8886-etc-environment.service
│   └── snap-core-8886-etc-ssl.service -> ../snap-core-8886-etc-ssl.service
├── snap-core-8890-etc-environment.service
├── snap-core-8890-etc-ssl.service
└── snap-core-8890.mount.wants
    ├── snap-core-8890-etc-environment.service -> ../snap-core-8890-etc-environment.service
    └── snap-core-8890-etc-ssl.service -> ../snap-core-8890-etc-ssl.service

I can’t help you more, sorry, I’m not using this myself, it was just a proof of concept for a workaround.

Thank you for your assistance. Got your script working.

But how? Please share your knowledge.

Ok. systemctl daemon-reload is not enough for Ubuntu 18. Full restart helped.