[snap] CA Certificates from /usr/local/share/ca-certificates are not used

For a strictly confined snap such as chromium, /etc/ssl/certs is provided by the core snap, not by the host system, which explains why your local CA isn't being recognized.

As a workaround, and to understand better the problem, can you manually import the certificate from chrome://settings/certificates? Does this make your CA recognized?

I can manually import the certificates into the browser, but I do not want to do this. Especially not on a multi-user system.

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference
² https://snapcraft.io/docs/system-files-interface

I mentioned this on the snapcraft forum, but /usr/share/local/ca-certificates for a strict snap will come from the read-only, static base snap of the chromium snap.

For classic ubuntu/debian systems running new enough snapd, we will actually mount /etc/ssl from the host into the strict snaps' mount namespace, so the correct thing to suggest folks to do is to put custom certificates into /etc/ssl instead of /usr/local/share/ca-certificates.

I am sorry, but this is not how this works.

We had /usr/local/share/ca-certificates an update-ca-certificates for years working just fine.

This attitude lead me to dump chromium and use a non-snapped browser now.

Ian, would it be possible to consider mounting /usr/local/share/ca-certificates in the snap's mount namespace, similar to what is done for /etc/ssl ? Or would this present security concerns?

Alternatively, would it work for chromium to use the system-files interface to expose /usr/local/share/ca-certificates from the host in a read-only fashion?

It is sad that snap developers have taken such intrusive decisions by creating yet another isolated certificate infrastructure. The Ubuntu system already has its own infrastructure in /etc/ssl/certs. So, now we have two (besides all the other built-in certificates in various tools and packages).

In all honesty, why do snap developers think that their own /snap/core/current/etc/ssl/certs is so much better than the system's /etc/ssl/certs? And not only that, all documented procedures to deal with certificates (like update-ca-certificates) become useless.

Note that when you put a certificate in `/usr/local/share/ca-certificates`, and you run `sudo update-ca-certificates`, the certificates will be converted and copied to `/etc/ssl/certs`.

As such, the "old" way of doing things should still work with snaps. If this is not the case, please explain the steps you take to install the certificate.

Hi Merlijn,

this is what is literally written by me in the first line of the bug report.

The bug report is not relevant for me any more as I migrated to a Debian Desktop this year.