Firefox Snap doesn't recognize root certificate

My Firefox and Brave snaps don’t recognize the root certificate I installed on my KDE Neon 22.04

I placed them in both /etc/pki/ca-trust/source/anchors/ and /etc/ssl/certs/ and ran update-ca-certificates. Any ideas what I’m missing?

I don’t use Brave, but doesn’t Firefox provide a method to add new CAs? (Settings → Security → Certificates → View Certificates → Import)

Tried that.

Didn’t add it right, it seems.

I’m trying to add the certificate for my oVirt.

I am not super surprised that a snap does not use certs from the system out of the box. I was googling if there is an interface/portal for such. Only found that the same issue exists in chromium. It seems the snaps use the certs provided by the base snap.

The most relevant comment over there:

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference
² https://snapcraft.io/docs/system-files-interface

Maybe open a bug against firefox/brave?

edit: also related: using-the-system-certificate-authorities

edit2: further down the rabbit hole there is a workaround.

that “workaround” (actually an extremely gross hack) you link to is for UbuntuCore systems (where the read-only core snap is actually your root filesystem, so /etc/ssl is not writable at all), not for normal desktops …

by default all snaps (on non UbuntuCore systems) have full access to /etc/ssl/certs … but you need to make sure your cert is not linked to somewhere outside that dir (that would indeed be blocked by confinement) … see the recent discussion at:

https://forum.snapcraft.io/t/using-system-certificates-in-snap-that-relies-on-python-urllib/38032/9

1 Like

Thanks for the clarification. I also confirmed that the firefox snap has access to the host’s /etc/ssl/certs/ca-certificates.crt, which is the output of `update-ca-certificates` (tested on a desktop Ubuntu 22.04 in an LXD-managed VM).

Can we have this done for browsers in the snap store, like Firefox and Brave?

It doesn’t seem to be pulling it.

Even Vivaldi (apt) doesn’t see it. Fixed that with

sudo mv /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so.old && sudo ln -sf /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

Strangely, Edge (Flatpak) sees the CRT files I stored in /usr/local/share/ca-certificates/, which are symlinked to /etc/ssl/certs. Placing the PEM files in /etc/ssl/certs doesn’t work, so I think it just looks for the ones in /usr. I know it’s Flatpak, but I feel like I should point out what I found out.

Think both Snaps and Flatpaks need to work together for some level of consistency, IMHO.