Firefox Snap doesn't recognize root certificate

My Firefox and Brave snaps don’t recognize the root certificate I installed on my KDE Neon 22.04.

I placed them in both /etc/pki/ca-trust/source/anchors/ & /etc/ssl/certs/ and ran update-ca-certificates. Any ideas what I’m missing?

I don’t use Brave, but doesn’t Firefox provide a method to add new CAs? (Settings → Security → Certificates → View Certificates → Import)

Tried that.

Didn’t add it right, it seems.

I’m trying to add the certificate to my oVirt.

I am not super surprised that a snap does not use certs from the system out of the box. I was googling if there is an interface/portal for such. Only found that the same issue exists in chromium. It seems the snaps use the certs provided by the base snap.

The most relevant comment over there:

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.


So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference
² https://snapcraft.io/docs/system-files-interface

Maybe open a bug against Firefox/Brave?

edit: also related using-the-system-certificate-authorities

edit2: further down the rabbit hole there is a workaround

that “workaround” (actually an extremely gross hack) you link to is for UbuntuCore systems (where the read-only core snap is actually your root filesystem, so /etc/ssl is not writable at all), not for normal desktops …

by default all snaps (on non UbuntuCore systems) have full access to /etc/ssl/certs … but you need to make sure your cert is not linked to somewhere outside that dir (that would indeed be blocked by confinement) … see the recent discussion at:

https://forum.snapcraft.io/t/using-system-certificates-in-snap-that-relies-on-python-urllib/38032/9


Thanks for the clarification. I also confirmed that the firefox snap has access to the host’s /etc/ssl/certs/ca-certificates.crt, which is the output of `update-ca-certificates` (tested on a desktop Ubuntu 22.04 in an LXD-managed VM).
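A host-side check for the two conditions raised in the last two replies (certificate links that leave the permitted directories, and whether a certificate actually made it into `ca-certificates.crt`), as an added example that is not part of the original thread. The function names, the file name `my-root-ca.pem` and the allowed-directory list are assumptions; take the real list from `/etc/apparmor.d/abstractions/ssl_certs`.

```shell
#!/bin/sh
# Added example, not code from the thread. All paths are caller-supplied.

# links_outside DIR ALLOWED_DIR...
# Print each symlink in DIR whose resolved target is missing or lies outside
# every ALLOWED_DIR. Per the thread, confinement blocks links that leave the
# permitted directories, so these are the entries a snap cannot read.
links_outside() {
    dir=$1; shift
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || target=
        ok=no
        if [ -n "$target" ] && [ -e "$target" ]; then
            for allowed in "$@"; do
                real=$(readlink -f -- "$allowed") || continue
                case $target in "$real"/*) ok=yes; break ;; esac
            done
        fi
        [ "$ok" = yes ] || printf '%s -> %s\n' "$link" "${target:-unresolvable}"
    done
}

# in_bundle CERT_PEM BUNDLE
# Succeed if the base64 body of a single-certificate PEM file occurs in BUNDLE.
# Line breaks are removed on both sides so PEM wrapping differences are ignored.
in_bundle() {
    body=$(grep -v -- '-----' "$1" | tr -d ' \r\n')
    [ -n "$body" ] || return 2
    tr -d ' \r\n' < "$2" | grep -qF -- "$body"
}

# Typical use on the host, with the paths named in the thread
# (my-root-ca.pem is a hypothetical file name):
#   links_outside /etc/ssl/certs /etc/ssl/certs /usr/local/share/ca-certificates
#   in_bundle my-root-ca.pem /etc/ssl/certs/ca-certificates.crt
```

An empty result from `links_outside` together with a successful `in_bundle` means the host side is in order, which leaves the application's own trust store as the place to look.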