Firefox Snap doesn't recognize root certificate

My Firefox and Brave snaps don’t recognize the root certificate I installed on my KDE Neon 22.04

I placed them on both /etc/pki/ca-trust/source/anchors/ & /etc/ssl/certs/ and ran update-ca-certificates. Any ideas what I’m missing?

I don’t use Brave, but doesn’t FireFox provide a method to add new CAs? (Settings → Security → Certificates → View Certificates → Import)

tried that.

Didn’t add it right, it seems.

I’m trying to add the certificate to my OVIRT

I am not super surprised that a snap does not use certs from the system out of the box. I was googling if there is an interface/portal for such. Only found that the same issue exists in chromium. It seems the snaps use the certs provided by the base snap.

The most relevant comment over there:

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference

Maybe open an bug against firefox/brave?

edit: also related using-the-system-certificate-authorities

edit2: further down the rabbit hole there is a workaround

that “workaround” (actually an extremely gross hack) you link to is for UbuntuCore systems (where the read-only core snap is actually your root filesystem, so /etc/ssl is not writable at all), not for normal desktops …

by default all snaps (on non UbuntuCore systems) have full access to /etc/ssl/certs … but you need to make sure your cert is not linked to somewhere outside that dir (that would indeed be blocked by confinement) … see the recent discussion at:

1 Like

Thanks for the clarification. I also confirmed that the firefox snap has access to the host’s /etc/ssl/certs/ca-certificates.crt which is the output of `update-ca-certificates. (tested on a desktop ubuntu 22.04 in a LXD managed VM).