x509: certificate signed by unknown authority

I have used instructions from https://bugs.launchpad.net/snappy/+bug/1533899/comments/1. Not helped.

Same problem here

error: cannot perform the following tasks:
- Download snap "ubuntu-core" from channel "stable" (Get https://search.apps.ubuntu.com/api/v1/search?fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha512%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cprivate%2Cconfinement&q=package_name%3A%22ubuntu-core%22: x509: certificate signed by unknown authority)

Well just found out that i might be because firewall does "ssl inspection" (replaces certificates)

Hi, I am having the same problem here. Yes, it is related to SSL inspection, but nevertheless there might be a bug somewhere, as I have two nodes with identical configuration, and it is working on one node and not working on the other node... :-)

On both nodes I put my root CA in /etc/ssl/certs/ and did run "update-ca-certificates --fresh". On node 1 "snap install conjure-up --classic" worked fine, while it gave me an error on node 2. Networking and firewall settings are the same for both. Any hints? The error is the same here:

error: cannot perform the following tasks:
- Download snap "core" (2898) from channel "stable" (Get https://068ed04f23.site.internapcdn.net/download-snap/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2898.snap?t=2017-09-20T13:00:00Z&h=bc464e1d58822c9f460432ea3c0d8b2695c3833d: x509: certificate signed by unknown authority)

Any updates?

I tried to set env variable with my own SSL certificate: export SSL_CERT_FILE=/path/to/cert/XXX.cer

I did it via /lib/systemd/system/snapd.service file.

Then I restarted snapd service, and found that snapd process contains variable that I set (sudo cat /proc/$(pidof snapd)/environ), but the same error (x509: certificate signed by unknown authority)

Same problem here with firewall doing DPI: snap fails to install or search, but wget to the same ssl host is fine because the relevant signing certificates have been added to /usr/share/ca-certificates/extra/ and
/etc/ssl/certs and we've run both "update-ca-certificates --fresh" and "dpkg-reconfigure ca-certificates"

Don't try to man-in-the-middle snapd.

If you need a caching proxy, use the snap enterprise proxy.

For reference, https://docs.ubuntu.com/snap-enterprise-proxy/en/install

This is an intractable chicken-and-egg problem.

How does one install snap-store-proxy using snap as described here:

   https://docs.ubuntu.com/snap-enterprise-proxy/en/install

...if one can't use snap from behind the proxy, because snapd doesn't have the ability to read the system certificate chain, where the enterprise certificates have been installed and configured for use by all other apps?

$ sudo snap install snap-store-proxy
2019/09/05 15:50:26.123559 error.go:102:
DEBUG: error: cannot install "snap-store-proxy":
Post https://api.snapcraft.io/v2/snaps/refresh: x509: certificate signed by unknown authority
error: cannot install "snap-store-proxy":
Post https://api.snapcraft.io/v2/snaps/refresh: x509:
       certificate signed by unknown authority

snapd is wrong here, and must permit the ability to use an enterprise-signed SSL certificate, as managed in the system certificate chain in /etc/ssl/certs, just as every other app that needs certificate validation does (wget, curl, python, pip, ansible, etc.)

What's the real solution here?

AFAIK, certificates are loaded by Go runtime.

The runtime reads the following bundle files (stops after the first one found):

var certFiles = []string{
 "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
 "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
 "/etc/ssl/ca-bundle.pem", // OpenSUSE
 "/etc/pki/tls/cacert.pem", // OpenELEC
 "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
 "/etc/ssl/cert.pem", // Alpine Linux
}

and loads files from the following directories:

var certDirectories = []string{
 "/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
 "/system/etc/security/cacerts", // Android
 "/usr/local/share/certs", // FreeBSD
 "/etc/pki/tls/certs", // Fedora/RHEL
 "/etc/openssl/certs", // NetBSD
 "/var/ssl/certs", // AIX
}

Make sure thet either the bundle has been regenerated or the enterprise certificates are inside the right directory.

My understanding is that one can also use `snap download` on a regular internet connection and then ack the assertions and install the snaps on an "offline" / airgapped host as well.

the main issue here is that the proxy snap runs on top of the core/core18 snap, so it can not see the hosts /etc/ssl but only the one inside core ...

https://forum.snapcraft.io/t/extending-system-certificates/114 is a discussion about this specific topic and has a (rather evil) hack in the last post to temporary overcome the missing cert case.

Is there a fix here or better instructions? Same issue with SSL decryption on PA.

"Don't try to man-in-the-middle snapd" oversimplifies the nature of the problem. This also affects user-facing applications such as Chromium, which is now only distributed as a snap.

To recap, ignoring the system-provided trusted CA certificate store causes certificate validation failures in at least these scenarios:

- For user-facing applications, access to enterprise CA-signed resources
- For all applications, access to resources through a transparent proxy using
  enterprise CA certificates

I'm sure everyone understands the importance of maintaining the integrity of the system. However, we also need to accept that increasing numbers of government and enterprise organizations must maintain controls, such as those related to data loss prevention, that require the use of additional trusted CA certificates.

Thanks for this update Scott. First let me apologize that some things are misrepresented in this bugreport. We (the snapd team) understand the importance of adding custom certificates.

We implemented support for adding customs certificates to "snapd" itself in snapd 2.45, see https://forum.snapcraft.io/t/custom-ssl-certs-for-snapd-to-the-snap-store-communication/17446 for details how to enable this. I think the original bugreport here was about this feature.

There is the wider topic about supporting the host /etc/ssl certificates inside all snaps is discussed in https://forum.snapcraft.io/t/extending-system-certificates/114 - we want to fix this but a general fix is quite a bit of work. We are currently discussing a first step to support passing the /etc/ssl on Ubuntu systems to snaps.