x509: certificate signed by unknown authority

Bug #1620755 reported by Eldar Khayrullin
This bug affects 5 people
Affects: Snappy
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ snap install ubuntu-core
>> error: cannot install "ubuntu-core": Get https://search.apps.ubuntu.com/api/v1/snaps/details/ubuntu-core?confinement=strict: x509: certificate signed by unknown authority

snap 2.13+ppa207-1
snapd 2.13+ppa207-1
series 16
ubuntu 16.04

System uses proxy.

Eldar Khayrullin (eldar) wrote :

I have used the instructions from https://bugs.launchpad.net/snappy/+bug/1533899/comments/1. It did not help.

description: updated
Kurono (vini-cr) wrote :

Well, I just found out that it might be because the firewall does "SSL inspection" (replaces certificates).

Pablo Hörtner (redtux2000) wrote :

Hi, I am having the same problem here. Yes, it is related to SSL inspection, but nevertheless there might be a bug somewhere, as I have two nodes with identical configuration, and it is working on one node and not working on the other node... :-)

On both nodes I put my root CA in /etc/ssl/certs/ and did run "update-ca-certificates --fresh". On node 1 "snap install conjure-up --classic" worked fine, while it gave me an error on node 2. Networking and firewall settings are the same for both. Any hints? The error is the same here:

error: cannot perform the following tasks:
- Download snap "core" (2898) from channel "stable" (Get https://068ed04f23.site.internapcdn.net/download-snap/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2898.snap?t=2017-09-20T13:00:00Z&h=bc464e1d58822c9f460432ea3c0d8b2695c3833d: x509: certificate signed by unknown authority)

Eldar Khayrullin (eldar)
Changed in snappy:
status: New → Confirmed
tags: added: proxy
Vadym Stupakov (red-eyed) wrote :

Any updates?

I tried to set an env variable with my own SSL certificate: export SSL_CERT_FILE=/path/to/cert/XXX.cer

I did it via /lib/systemd/system/snapd.service file.

Then I restarted the snapd service and found that the snapd process contains the variable that I set (sudo cat /proc/$(pidof snapd)/environ), but I got the same error (x509: certificate signed by unknown authority).

Phil Clifford (philip-clifford) wrote :

Same problem here with a firewall doing DPI: snap fails to install or search, but wget to the same SSL host is fine because the relevant signing certificates have been added to /usr/share/ca-certificates/extra/ and /etc/ssl/certs and we've run both "update-ca-certificates --fresh" and "dpkg-reconfigure ca-certificates".

John Lenton (chipaca) wrote :

Don't try to man-in-the-middle snapd.

If you need a caching proxy, use the snap enterprise proxy.

Changed in snappy:
status: Confirmed → Won't Fix
David A. Desrosiers (setuid) wrote :

This is an intractable chicken-and-egg problem.

How does one install snap-store-proxy using snap as described here:

   https://docs.ubuntu.com/snap-enterprise-proxy/en/install

...if one can't use snap from behind the proxy, because snapd doesn't have the ability to read the system certificate chain, where the enterprise certificates have been installed and configured for use by all other apps?

$ sudo snap install snap-store-proxy
2019/09/05 15:50:26.123559 error.go:102:
DEBUG: error: cannot install "snap-store-proxy":
Post https://api.snapcraft.io/v2/snaps/refresh: x509: certificate signed by unknown authority
error: cannot install "snap-store-proxy":
Post https://api.snapcraft.io/v2/snaps/refresh: x509:
       certificate signed by unknown authority

snapd is wrong here, and must permit the ability to use an enterprise-signed SSL certificate, as managed in the system certificate chain in /etc/ssl/certs, just as every other app that needs certificate validation does (wget, curl, python, pip, ansible, etc.)

What's the real solution here?

Maciej Borzecki (maciek-borzecki) wrote :

AFAIK, certificates are loaded by Go runtime.

The runtime reads the following bundle files (stops after the first one found):

var certFiles = []string{
 "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
 "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
 "/etc/ssl/ca-bundle.pem", // OpenSUSE
 "/etc/pki/tls/cacert.pem", // OpenELEC
 "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
 "/etc/ssl/cert.pem", // Alpine Linux
}

and loads files from the following directories:

var certDirectories = []string{
 "/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
 "/system/etc/security/cacerts", // Android
 "/usr/local/share/certs", // FreeBSD
 "/etc/pki/tls/certs", // Fedora/RHEL
 "/etc/openssl/certs", // NetBSD
 "/var/ssl/certs", // AIX
}

Make sure that either the bundle has been regenerated or the enterprise certificates are inside the right directory.
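
As an added illustration of the Go runtime behaviour described in this comment (example code written for this page, not snapd's own or anything from the thread): a constructed in-memory CA named "Example Inspection CA" stands in for an enterprise inspection CA, and a leaf it signs for api.snapcraft.io is verified twice, once against an empty trust store, which fails with the x509.UnknownAuthorityError behind the message in this bug, and once after the CA's PEM has been appended to the pool, which is the effect of placing the CA in one of the bundle files or directories listed above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeChain builds a constructed in-memory CA (a stand-in for an enterprise inspection CA) and a leaf it signs.
func makeChain() (caDER []byte, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Inspection CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api.snapcraft.io"},
		DNSNames: []string{"api.snapcraft.io"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return caDER, leaf, err
}

// extendPool mirrors dropping a PEM file into a trusted bundle/directory: the CA is PEM-encoded and appended to the pool.
func extendPool(pool *x509.CertPool, caDER []byte) *x509.CertPool {
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}))
	return pool
}

// verifyWith validates leaf for host against roots; unknownAuthority is true exactly when the failure is x509.UnknownAuthorityError.
func verifyWith(roots *x509.CertPool, leaf *x509.Certificate, host string) (ok, unknownAuthority bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var ua x509.UnknownAuthorityError
	return err == nil, errors.As(err, &ua)
}
```

Passing Roots: nil instead of an explicit pool would make Verify consult the runtime's system store, i.e. exactly the files and directories listed in this comment.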

Dimitri John Ledkov (xnox) wrote :

My understanding is that one can also use `snap download` on a regular internet connection and then ack the assertions and install the snaps on an "offline" / airgapped host as well.

Oliver Grawert (ogra) wrote :

The main issue here is that the proxy snap runs on top of the core/core18 snap, so it cannot see the host's /etc/ssl but only the one inside core ...

https://forum.snapcraft.io/t/extending-system-certificates/114 is a discussion about this specific topic and has a (rather evil) hack in the last post to temporarily overcome the missing cert case.

David Costa (davidcosta914) wrote :

Is there a fix here or better instructions? Same issue with SSL decryption on PA.

tags: added: sts
Scott Reynolds (scottreynolds) wrote :

"Don't try to man-in-the-middle snapd" oversimplifies the nature of the problem. This also affects user-facing applications such as Chromium, which is now only distributed as a snap.

To recap, ignoring the system-provided trusted CA certificate store causes certificate validation failures in at least these scenarios:

- For user-facing applications, access to enterprise CA-signed resources
- For all applications, access to resources through a transparent proxy using enterprise CA certificates

I'm sure everyone understands the importance of maintaining the integrity of the system. However, we also need to accept that increasing numbers of government and enterprise organizations must maintain controls, such as those related to data loss prevention, that require the use of additional trusted CA certificates.

Michael Vogt (mvo) wrote :

Thanks for this update, Scott. First let me apologize that some things are misrepresented in this bug report. We (the snapd team) understand the importance of adding custom certificates.

We implemented support for adding custom certificates to "snapd" itself in snapd 2.45; see https://forum.snapcraft.io/t/custom-ssl-certs-for-snapd-to-the-snap-store-communication/17446 for details on how to enable this. I think the original bug report here was about this feature.

The wider topic of supporting the host /etc/ssl certificates inside all snaps is discussed in https://forum.snapcraft.io/t/extending-system-certificates/114 - we want to fix this, but a general fix is quite a bit of work. We are currently discussing a first step to support passing the /etc/ssl on Ubuntu systems to snaps.
