Firefox Snap doesn't recognize root certificate

My Firefox and Brave snaps don’t recognize the root certificate I installed on my KDE Neon 22.04

I placed them on both /etc/pki/ca-trust/source/anchors/ & /etc/ssl/certs/ and ran update-ca-certificates. Any ideas what I’m missing?

I don’t use Brave, but doesn’t FireFox provide a method to add new CAs? (Settings → Security → Certificates → View Certificates → Import)

tried that.

Didn’t add it right, it seems.

I’m trying to add the certificate to my OVIRT

I am not super surprised that a snap does not use certs from the system out of the box. I was googling if there is an interface/portal for such. Only found that the same issue exists in chromium. It seems the snaps use the certs provided by the base snap.

The most relevant comment over there:

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference

Maybe open an bug against firefox/brave?

edit: also related using-the-system-certificate-authorities

edit2: further down the rabbit hole there is a workaround

that “workaround” (actually an extremely gross hack) you link to is for UbuntuCore systems (where the read-only core snap is actually your root filesystem, so /etc/ssl is not writable at all), not for normal desktops …

by default all snaps (on non UbuntuCore systems) have full access to /etc/ssl/certs … but you need to make sure your cert is not linked to somewhere outside that dir (that would indeed be blocked by confinement) … see the recent discussion at:

1 Like

Thanks for the clarification. I also confirmed that the firefox snap has access to the host’s /etc/ssl/certs/ca-certificates.crt which is the output of `update-ca-certificates. (tested on a desktop ubuntu 22.04 in a LXD managed VM).

Can we have this done for browsers in the snap store, like Firefox and Brave?

It doesn’t seem to be pulling it.

Even Vivaldi (apt) doesn’t see it. Fixed that with

sudo mv /usr/lib/x86_64-linux-gnu/nss/ /usr/lib/x86_64-linux-gnu/nss/ && sudo ln -sf /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/x86_64-linux-gnu/nss/

Strangely, Edge (Flatpak) sees the CRT files I stored in /usr/local/share/ca-certificates/, which are symlinked to /etc/ssl/certs. Placing the PEM files in /etc/ssl/certs don’t work, so I think it just looks for the ones in /usr. I know it’s Flatpak, but I feel like I should point out what I found out.

Think both Snaps and Flatpaks need to work together for some level of consistency IMHO