Comment 3 for bug 1826362

Mario (marioqxy) wrote :

Let me add on this bug (and hopefully support a higher rating).

I tried to work around using:
https://forum.snapcraft.io/t/custom-ssl-certs-for-snapd-to-the-snap-store-communication/17446

however this does not work either on Ubuntu 20.04.2 running a Samba AD-DC where Nextcloud (meanwhile version 20.0.8snap1) shall look up and authenticate users and groups via LDAPS.

Having the CA root certificates in the snap rather than the host system is a security risk.
As of today, two certificates have expired:

Reproduce: run in nextcloud snap shell:

find *.pem -exec openssl x509 -text -noout -in "{}" ";" |grep "After"|grep "2021"
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Sep 30 14:01:15 2021 GMT
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Mar 17 18:33:33 2021 GMT
            Not After : Apr 6 07:29:40 2021 GMT

The last two certificates are expired. Also, what if a root-CA certificate is compromised and needs to be replaced?

Please also add read-access to the host file /etc/ldap.conf via apparmor.
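The grep in the reproduction step above only finds dates in 2021; a check that actually compares each certificate's "Not After" date against today (or a grace window) catches expiry regardless of year. The following is an added example, not code from the bug report or the nextcloud snap: it parses the `openssl x509` output format quoted above (both `-text` and `-enddate` forms) and, optionally, scans a directory of `*.pem` files by invoking openssl; the directory name and grace period are assumptions.

```python
"""Report expired or soon-to-expire certificates from openssl 'Not After' output."""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Matches '-text' output ("Not After : ...") and '-enddate' output ("notAfter=...").
_NOT_AFTER = re.compile(r"(?:Not After\s*:|notAfter=)\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(value: str) -> datetime:
    """Parse an OpenSSL date such as 'Apr  6 07:29:40 2021 GMT' into an aware UTC datetime."""
    parts = value.split()                      # collapses OpenSSL's padded single-digit day
    if parts[-1] in ("GMT", "UTC"):
        parts = parts[:-1]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def expired_not_after(text: str, as_of, grace: timedelta = timedelta(0)) -> list:
    """Return every Not-After date in `text` that is past (or within `grace` of) `as_of`.

    `as_of` may be an aware datetime or an ISO date string (interpreted as UTC)."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    if as_of.tzinfo is None:
        as_of = as_of.replace(tzinfo=timezone.utc)
    deadline = as_of + grace
    return [d for d in (parse_not_after(m.group(1)) for m in _NOT_AFTER.finditer(text))
            if d <= deadline]


def check_pem_dir(directory: str, as_of=None, grace: timedelta = timedelta(days=30)) -> dict:
    """Run `openssl x509 -enddate` on every *.pem in `directory` (needs openssl on PATH).

    Returns {filename: not_after} for certificates expired or expiring within `grace`."""
    as_of = as_of or datetime.now(timezone.utc)
    findings = {}
    for pem in sorted(Path(directory).glob("*.pem")):   # assumed layout: flat dir of PEM files
        out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", str(pem)],
                             capture_output=True, text=True, check=False).stdout
        hits = expired_not_after(out, as_of, grace)
        if hits:
            findings[pem.name] = hits[0]
    return findings


# Constructed sample: the five 'Not After' lines quoted in the comment above.
SAMPLE_OUTPUT = """\
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Sep 30 14:01:15 2021 GMT
            Not After : Dec 15 08:00:00 2021 GMT
            Not After : Mar 17 18:33:33 2021 GMT
            Not After : Apr 6 07:29:40 2021 GMT
"""

if __name__ == "__main__":
    for d in expired_not_after(SAMPLE_OUTPUT, "2021-05-01"):
        print("expired:", d.isoformat())
```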