My VPN inspects SSL packets so needs to be added to the system certificate store. This causes HTTPS requests to fail until the certificate is added to /etc/ssl/certs and update-ca-certificates is run.
First question is what is the best way to make that update apply to all snap apps. I can mount --bind /etc/ssl/certs on to /snap/core18/current/etc/ssl/certs, but not sure if this is the best option.
Second question is how to make Python scripts in a snap package use that system certificate. It seems that certifi by default is using lib/python3.10/site-packages/certifi/cacert.pem rather than the system certificate store. I’ve tried setting REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-certificates.crt' and also tried adding python3-certifi to stage-packages: in snapcraft.yaml, and neither seems to have any effect.
I’ve also tried snap set system store-certs.cert1="$(cat vpn.crt)".
In short, how is a normal user supposed to handle the situation where an additional certificate needs to be trusted for standard SSL operations? Is there a simple fix here?
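
A diagnostic for the situation described above, as an added example that is not part of the original post: it lists the CA bundle files a Python process can reach (REQUESTS_CA_BUNDLE, SSL_CERT_FILE, the OpenSSL default, and certifi if installed) and reports whether each one contains the extra certificate. The function names are illustrative, and the certificate file is passed as the first argument (vpn.crt in the post).

```python
import base64, hashlib, os, re, ssl, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of the DER form of every certificate in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def bundles_trusting(ca_pem, bundles):
    """Map bundle name -> True if every certificate in ca_pem is in that bundle."""
    wanted = fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no certificate found in CA file")
    return {name: wanted <= fingerprints(text) for name, text in bundles.items()}

def candidate_bundle_paths():
    """Bundle files an HTTPS client in this Python environment may load."""
    paths = {}
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"):
        if os.environ.get(var):
            paths[var] = os.environ[var]
    cafile = ssl.get_default_verify_paths().cafile  # None if the file is absent
    if cafile:
        paths["openssl default"] = cafile
    try:
        import certifi  # optional: only present if bundled with the app
        paths["certifi"] = certifi.where()
    except ImportError:
        pass
    return paths

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        ca_pem = fh.read()
    paths, bundles = candidate_bundle_paths(), {}
    for name, path in paths.items():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                bundles[name] = fh.read()
        except OSError as exc:  # unreadable, missing, or a directory
            print(f"{name}: {path}: cannot read ({exc})")
    for name, ok in bundles_trusting(ca_pem, bundles).items():
        print(f"{name}: {paths[name]}: {'contains' if ok else 'MISSING'} the CA")
```

The result depends on where the script runs: inside the snap's confinement (for example from `snap run --shell <snap>`) the environment variables and file paths can differ from those of the host shell.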