Ubuntu-Core OpenSSL certificate authority creation

I'm following this tutorial https://help.ubuntu.com/lts/serverguide/certificates-and-security.html#creating-a-self-signed-certificate. This works fine in Ubuntu 18 but not in Ubuntu-Core 18.

I'm trying to create a CA to sign certs for an etcd cluster but receive the error "cannot create directory: Read-only file system".

user@core-1:~$ sudo mkdir /etc/ssl/CA
mkdir: cannot create directory ‘/etc/ssl/CA’: Read-only file system

Question: Where should the CA be created, or how should it be created?

this is discussed in

So it's not possible?

It is possible on the application level … i.e. you can ship your own libssl and certificates inside app snaps (or even have a content snap that shares libssl and the certs to all your apps) … but to my knowledge it is still not possible on a system level …

It is still not possible on a system level, but we discussed possibly fixing this issue and related ones next cycle (i.e. 20.04 or 20.10 timeframe).

@ogra @ijohnson thank you for the reply

Hi @ijohnson
I am currently looking at options for running IoT devices in a corporate environment. Because of our proxy setup we need to add to the system-wide ca-certificate store. I am assuming that when you mention 20.04, 20.10 you are referring to the Ubuntu Core version? If so, is there any rough idea when this would be, e.g. 1 month, 6 months, 2 years?
Thanks

You could use the snap-store-proxy; the devices would talk to the proxy internally, and the proxy itself would use the certificates to talk to the outside world through your company proxy.

https://docs.ubuntu.com/snap-store-proxy/en/


Hi @bowenm,

The 20.04 cycle refers to work that is done in preparation for the Ubuntu 20.04 release in April 2020, and 20.10 cycle refers to work that is done in preparation for the Ubuntu 20.10 release in October 2020.

As @ogra points out, if you need something that works sooner, you could look at using the snap-store-proxy.
