I had a similar problem when testing the example of creating a snap for the httpstat utility, with a URL where the certificate was signed by Go Daddy Secure Certificate Authority - G2.
On my workstation, where I have gdig2.pem installed, curl didn't complain. However, when testing in the snap I always encountered the unsafe site error.
I have verified that in the folder '/snap/core/current/etc/ssl/' there is no CA for Go Daddy!
As this folder structure is read only I decided to do the following test:
sudo mount --bind /etc/ssl /snap/core/current/etc/ssl
I know this is an evil hack, but isn’t that on which The Internet is built…
So if you need a stable system that has the SSL environment extended, here’s a systemd generator that dynamically bindmounts /etc/ssl (and any other paths you’d like, for good measure):
#!/bin/bash
# systemd generator: for every snap-core*/snap-core18* mount unit on the system, emit a
# oneshot service that bind-mounts each host path in BINDS into that snap revision's tree.
OUTPUT_DIR="$1"
UNITFILES="$( ls /etc/systemd/system/snap-core{,18}-*.mount )"
BINDS="/etc/ssl /etc/environment" # add more paths as needed
for BIND in ${BINDS}; do
    for UNITFILE in ${UNITFILES}; do
        if [[ $UNITFILE =~ snap-([-a-z0-9]+)-([0-9]+)\.mount$ ]]; then
            UNIT="${BASH_REMATCH[0]}"      # e.g. snap-core-1234.mount
            SNAP="${BASH_REMATCH[1]}"      # e.g. core
            REVISION="${BASH_REMATCH[2]}"  # e.g. 1234
        else
            echo "Could not parse ${UNITFILE}…" >&2
            exit 1
        fi
        BINDUNIT="snap-${SNAP}-${REVISION}${BIND//\//-}.service"  # e.g. snap-core-1234-etc-ssl.service
        BINDTARGET="/snap/${SNAP}/${REVISION}${BIND}"
        WANTSPATH="${OUTPUT_DIR}/${UNIT}.wants"
        # Couldn't get heredoc to work here…
        echo "# Automatically generated by $( basename "$0" )
[Unit]
Description=${BIND} bindmount for ${SNAP}-${REVISION}
After=${UNIT}
Requires=${UNIT}
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mount --bind ${BIND} ${BINDTARGET}
ExecStop=/bin/umount ${BINDTARGET}" > "${OUTPUT_DIR}/${BINDUNIT}"
        # Hook the service into the mount unit's .wants so it starts with the snap mount.
        mkdir -p "${WANTSPATH}"
        ln -sf "../${BINDUNIT}" "${WANTSPATH}/"
    done
done
I couldn’t get it to work well with mount units, because those don’t support files being the targets of a mount. I’ll leave it as an exercise to the reader to make this work for paths that don’t exist on the target (NB: you need to touch the target if bindmounting a single file). (d’uh, it’s a snap, you can’t…).
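Added example, not code from any post in this thread: a shell check for the question the first and last posts raise, namely whether a given trust-store directory (the host's /etc/ssl/certs or the snap's /snap/core/current/etc/ssl/certs) actually trusts the CA that issued a site's certificate, which is the thing to compare before and after the bind mount. It assumes only the openssl CLI (1.1 or newer); the CA and leaf it uses are generated on the fly as a constructed stand-in for the Go Daddy chain.

```shell
#!/bin/bash
# Added example, not from the thread. Verifies a leaf certificate against the
# CA files in one store directory only, so host and snap-core stores can be
# compared directly. Assumes the openssl CLI (1.1+) is installed.
set -u

# chain_verifies LEAF_PEM STORE_DIR
# Returns 0 if LEAF_PEM chains to a CA among the *.pem/*.crt files in STORE_DIR
# alone (the system default store is explicitly excluded), non-zero otherwise.
chain_verifies() {
    local leaf="$1" store="$2" bundle f rc nostore=""
    bundle="$(mktemp)"
    # Concatenate the store into one bundle so no c_rehash symlinks are needed.
    for f in "$store"/*.pem "$store"/*.crt; do
        [ -f "$f" ] || continue
        cat "$f"
    done > "$bundle"
    # OpenSSL 3 also has a default "store"; exclude it where the flag exists.
    openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && nostore="-no-CAstore"
    openssl verify -no-CAfile -no-CApath $nostore -CAfile "$bundle" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return "$rc"
}

# Constructed fixture (throwaway CA plus a leaf it signed) so the check runs
# offline: "host" holds the CA, "snapcore" is empty like the thread's case.
# Prints the fixture directory.
make_fixture() {
    local dir
    dir="$(mktemp -d)"
    mkdir -p "$dir/host" "$dir/snapcore"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/host/example-test-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/host/example-test-ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# Demo: the same leaf is trusted by the host store but not by the empty one.
if [ "${1:-}" = "--demo" ]; then
    d="$(make_fixture)"
    chain_verifies "$d/leaf.pem" "$d/host" && echo "host store: trusted"
    chain_verifies "$d/leaf.pem" "$d/snapcore" || echo "snapcore store: NOT trusted"
fi
```

On a real system, point the second argument at /snap/core/current/etc/ssl/certs and the first at the site's leaf certificate (for example saved from `openssl s_client`) to see whether the bind mount took effect.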
Just adding my feedback that this is becoming a requirement for us as well. We have customers that do deep packet inspection so we need a way to add new trusted signing certificates to the system.
I read through that doc. Just not clear on the process, mainly because I am a Linux noob. For example, does the file have an extension? Which directory do I place it in, because I don't see the same directory paths that are listed in the doc. I was really just trying to find a way to get a snap to use the system certificates, but I am not having any luck. I tried the command to bind mount the certificate from /etc/ssl/certs to /snap/etc/ssl/certs and it seems to work, but the snap still doesn't seem to get it. Oh well, I will keep searching for an answer.
I'm using Ubuntu 18.04 and I don't see a system-generators directory in any of those locations. I do have a /run/systemd/generator directory. I tried copying the file there and made it executable. After a reboot the file is gone. I tried creating a system-generator directory under /run/systemd and copying the file there, but after a reboot the whole directory is gone. I am missing something…
Created directory /etc/systemd/sys-generators and dropped the file in it. Then made the file executable. After reboot I do not see the contents of /etc/ssl/certs in /snap/core/current/etc/ssl/certs