Use system CA certificates

Bug #1826362 reported by Christophe Le Guern
Affects         Status   Importance  Assigned to  Milestone
snapd           Triaged  Medium      Unassigned
snapd (Ubuntu)  Triaged  Medium      Unassigned

Bug Description

1) Release: 18.04
2) snapd: Installed: 2.38+18.04
3) It would be nice if snapd used the private certificate authorities configured in the system and managed by update-ca-certificates.
As an example, I have the following blocker: a snap application is using an LDAP server over LDAPS signed by a private CA, and it isn't working as the CA is not recognised.
4) Snapd ignores private CA certificates and uses its own certs path.

Zygmunt Krynicki (zyga) wrote :

I've added the snapd project task to this bug report. I think it has several duplicates and we'll find and de-duplicate as we garden the bug tracker some more over the next few weeks.

Changed in snapd:
status: New → Triaged
importance: Undecided → Medium
Christophe Le Guern (c35sys) wrote :

Thanks !

Michael Vogt (mvo)
Changed in snapd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Mario (marioqxy) wrote :

Let me add to this bug (and hopefully support a higher rating).

I tried to work around it using:
https://forum.snapcraft.io/t/custom-ssl-certs-for-snapd-to-the-snap-store-communication/17446

However, this does not work either on Ubuntu 20.04.2 running a Samba AD-DC where Nextcloud (meanwhile version 20.0.8snap1) shall look up and authenticate users and groups via LDAPS.

Having the CA root certificates in the snap rather than the host system is a security risk.
As of today, two certificates have expired:

Reproduce: run in nextcloud snap shell:

find *.pem -exec openssl x509 -text -noout -in "{}" ";" |grep "After"|grep "2021"
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Sep 30 14:01:15 2021 GMT
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Mar 17 18:33:33 2021 GMT
            Not After : Apr 6 07:29:40 2021 GMT

The last two certificates are expired. Also, what if a root-CA certificate is compromised and needs to be replaced?

Please also add read-access to the host file /etc/ldap.conf via apparmor.
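The expiry check in the comment above is done by eye, grepping for "2021" in the openssl output. As an added example (not code from the thread or from snapd), the script below parses the "Not After" lines that `openssl x509 -text -noout` prints, as shown in the comment, and sorts each certificate into expired, expiring soon, or valid against a chosen reference date. The sample output embedded in the script is constructed from the five timestamps quoted above; the reference date of 2021-04-10 is an assumption chosen so that the result matches the comment's "two certificates have expired".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the "Not After" lines quoted in the comment
# above: the kind of text `openssl x509 -text -noout` prints for each PEM file.
SAMPLE_OPENSSL_OUTPUT = """\
        Validity
            Not Before: Dec 15 08:00:00 2006 GMT
            Not After : Dec 15 08:00:00 2021 GMT
        Validity
            Not Before: Sep 30 14:01:15 2006 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Validity
            Not Before: Dec 15 08:00:00 2006 GMT
            Not After : Dec 15 08:00:00 2021 GMT
        Validity
            Not Before: Mar 17 18:33:33 2011 GMT
            Not After : Mar 17 18:33:33 2021 GMT
        Validity
            Not Before: Apr  6 07:29:40 2011 GMT
            Not After : Apr  6 07:29:40 2021 GMT
"""

# Assumed reference date ("as of today" in the comment): 2021-04-10 UTC.
REFERENCE_NOW = datetime(2021, 4, 10, tzinfo=timezone.utc)

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(text):
    """Return every 'Not After' timestamp in openssl text output as a UTC datetime."""
    stamps = []
    for raw in NOT_AFTER_RE.findall(text):
        # openssl prints e.g. "Apr  6 07:29:40 2021 GMT": collapse the day
        # padding and drop the zone suffix (openssl always prints GMT here).
        parts = raw.split()
        if parts and parts[-1] == "GMT":
            parts = parts[:-1]
        dt = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
        stamps.append(dt.replace(tzinfo=timezone.utc))
    return stamps


def classify(stamps, now, warn_days=30):
    """Split timestamps into expired / expiring within warn_days / still valid."""
    horizon = now + timedelta(days=warn_days)
    result = {"expired": [], "expiring": [], "valid": []}
    for dt in stamps:
        if dt <= now:
            result["expired"].append(dt)
        elif dt <= horizon:
            result["expiring"].append(dt)
        else:
            result["valid"].append(dt)
    return result


def audit(text, now=None, warn_days=30):
    """Parse openssl text output and classify the certificates it describes."""
    if now is None:
        now = datetime.now(timezone.utc)
    return classify(parse_not_after(text), now, warn_days)


if __name__ == "__main__":
    # Fixed reference date so the run is reproducible; drop `now=` to use today.
    report = audit(SAMPLE_OPENSSL_OUTPUT, now=REFERENCE_NOW)
    for bucket, stamps in report.items():
        for dt in stamps:
            print(f"{bucket:9s} {dt:%Y-%m-%d %H:%M:%S} UTC")
```

To run it against a real bundle, feed it the same pipeline the comment uses, e.g. `find *.pem -exec openssl x509 -text -noout -in "{}" ";" | python3 audit.py` with `sys.stdin.read()` passed to `audit()` in place of the constructed sample. The 30-day warning window is a deliberate addition over a plain "expired" check: a CA bundle frozen inside a snap cannot be refreshed by the host's update-ca-certificates, so knowing what expires next matters as much as what has already lapsed.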
