Using the system certificate authorities

Where are the certificates on the host system? The network interface allows various access to /etc/ssl via the abstractions/ssl_certs apparmor abstraction.

You later said that “In my case, the CAs are user-provided at run-time. Does that leave me with any options?”. This is getting into the area of: Extending system certificates for which there is no current support right now. You should be able to make something work by:

  • using stage-packages ‘ca-certificates’ in your snapcraft.yaml
  • use @lucyllewy’s layout technique to use ‘bind’ instead of ‘bind-file’ like so:
    layout:
      /etc/ssl/certs:
        bind: $SNAP_COMMON/certs
    
  • on install copy $SNAP/etc/ssl/certs to $SNAP_COMMON/certs
  • update $SNAP_COMMON/certs as desired

This is untested and there might be other ways you want to do it.
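
The last two steps above, as an added sketch that is not part of the original post and is equally untested inside a real snap: the script could serve as the snap's install hook (assumed location `snap/hooks/install`). The helper names `seed_certs` and `add_user_ca` are hypothetical.

```shell
#!/bin/sh
# Added sketch, e.g. for snap/hooks/install. seed_certs and add_user_ca are
# hypothetical helper names, not snapd or snapcraft commands.

# Copy staged certificates into the writable directory behind the bind layout.
seed_certs() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue               # skip dangling symlinks, subdirs
        name=$(basename "$f")
        [ -e "$dst/$name" ] && continue       # never clobber an existing entry
        cp -L "$f" "$dst/$name" || return 1   # -L: store the file, not the link
    done
    return 0
}

# Add one user-provided CA file. Structure check only (marker lines), not a
# full parse: exactly one BEGIN/END CERTIFICATE pair and a .pem/.crt name.
add_user_ca() {
    pem=$1; dst=$2
    [ -f "$pem" ] || return 1
    case $(basename "$pem") in
        *.pem|*.crt) ;;
        *) return 1 ;;
    esac
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c '^-----END CERTIFICATE-----' "$pem")" -eq 1 ] || return 1
    # Write to a temp name first so readers never see a half-copied file.
    tmp=$(mktemp "$dst/.tmp.XXXXXX") || return 1
    if cp "$pem" "$tmp" && chmod 0644 "$tmp" \
        && mv "$tmp" "$dst/$(basename "$pem")"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Only runs inside a snap, where snapd sets both variables.
if [ -n "${SNAP:-}" ] && [ -n "${SNAP_COMMON:-}" ]; then
    seed_certs "$SNAP/etc/ssl/certs" "$SNAP_COMMON/certs"
fi
```

Software that reads a hashed directory or a single bundle file from /etc/ssl/certs will only see a new CA once those are regenerated, which this sketch does not do.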