Snap does not use private/self-signed CAs from the system
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
simplestreams | In Progress | Undecided | Trent Lloyd |
Bug Description
You are unable to connect to a mirror source which uses a private/self-signed CA which is installed into the system SSL certificate store (/usr/local/
= Reproducer =
To test this, set up nginx on Ubuntu and modify /etc/nginx/
Inside the server {} section, add the following to the existing contents (you can keep the port 80 listeners):
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/
ssl_certificate_key /etc/ssl/
location /images.maas.io/ {
proxy_pass https:/
proxy_buffering on;
proxy_cache STATIC;
proxy_cache_valid 200 1d;
proxy_
}
Add this below outside the server {} section:
proxy_cache_path /srv/nginx/cache levels=1:2 keys_zone=
Create a self-signed certificate as follows:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/
You must enter a resolvable hostname to this machine for the "Common Name (e.g. server FQDN or YOUR name)" (an IP might work, though I didn't try it).
Then run:
sudo cp /etc/ssl/
sudo update-
systemctl restart nginx
Then a simple test before/after using:
simplestreams.
Error:
requests.
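One way to check which CA bundle a requests-based client will actually verify against, and whether the private CA is in it (added example, not code from simplestreams or from this bug report). It assumes the failing client is Python requests, as the truncated error above suggests, and uses the lookup order requests applies: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then its bundled default file. All function and file names are hypothetical, and the PEM blobs are constructed stand-ins, not real certificates.

```python
import base64, hashlib, os, re, ssl, tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(path):
    """Return SHA-256 fingerprints of every certificate in a PEM file."""
    with open(path, encoding="ascii", errors="ignore") as fh:
        blocks = PEM_RE.findall(fh.read())
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in blocks}

def effective_ca_bundle(env, bundled_default):
    """Path requests verifies against: env overrides, else its bundled file."""
    return (env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
            or bundled_default)

def ca_is_trusted(ca_pem, env, bundled_default):
    """True if the CA in ca_pem is present in the bundle the client will use."""
    wanted = bundle_fingerprints(ca_pem)
    have = bundle_fingerprints(effective_ca_bundle(env, bundled_default))
    return bool(wanted) and wanted <= have

def _fake_pem(der):
    # Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real cert.
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def demo():
    """Constructed scenario: the private CA is in the system store only."""
    private_ca, public_ca = _fake_pem(b"private-ca"), _fake_pem(b"public-ca")
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n)
                 for n in ("ca.crt", "system.crt", "snap.pem")}
        for name, text in (("ca.crt", private_ca),
                           ("system.crt", public_ca + private_ca),
                           ("snap.pem", public_ca)):
            with open(paths[name], "w") as fh:
                fh.write(text)
        before = ca_is_trusted(paths["ca.crt"], {}, paths["snap.pem"])
        after = ca_is_trusted(paths["ca.crt"],
                              {"REQUESTS_CA_BUNDLE": paths["system.crt"]},
                              paths["snap.pem"])
    return before, after

if __name__ == "__main__":
    print(demo())  # (False, True)
```

On a real host, pass os.environ as env and the path returned by certifi.where() as bundled_default, with the private CA file from the system store as ca_pem.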
Related branches
- Server Team CI bot: Approve (continuous-integration)
- simplestreams-dev: Pending requested
Diff: 14 lines (+3/-0); 1 file modified: snap/snapcraft.yaml (+3/-0)
Changed in simplestreams:
status: New → In Progress
assignee: nobody → Trent Lloyd (lathiat)