[snap] CA Certificates from /usr/local/share/ca-certificates are not used

Bug #1901586 reported by Robert Sander
This bug affects 8 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)

Bug Description

We have a company internal CA and placed its root CA certificate in /usr/local/share/ca-certificates and ran update-ca-certificates. This always worked for chromium based browsers.

With chromium-browser as snap in Ubuntu 20.04 this seems to not work any more. Chromium reports invalid certificates as it cannot validate the chain any more.

PLease make the snap version of Chromium use the certificates from the system (out of /etc/ssl/certs etc).

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chromium-browser (not installed)
ProcVersionSignature: Ubuntu 5.4.0-52.57-generic 5.4.65
Uname: Linux 5.4.0-52-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.10
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: XFCE
Date: Mon Oct 26 18:51:29 2020
InstallationDate: Installed on 2020-09-26 (30 days ago)
InstallationMedia: Xubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: chromium-browser
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Robert Sander (gurubert) wrote :
Olivier Tilloy (osomon)
tags: added: snap
Revision history for this message
Olivier Tilloy (osomon) wrote :

For a strictly confined snap such as chromium, /etc/ssl/certs is provided by the core snap, not by the host system, which explains why your local CA isn't being recognized.

As a workaround, and to understand better the problem, can you manually import the certificate from chrome://settings/certificates? Does this make your CA recognized?

Revision history for this message
Robert Sander (gurubert) wrote :

I can manually import the certificates into the browser, but I do not want to do this. Especially not on a multi-user system.

Revision history for this message
Olivier Tilloy (osomon) wrote :

The chromium snap's generated apparmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference
² https://snapcraft.io/docs/system-files-interface

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Ian Johnson (anonymouse67) wrote :

I mentioned this on the snapcraft forum, but /usr/share/local/ca-certificates for a strict snap will come from the read-only, static base snap of the chromium snap.

For classic ubuntu/debian systems running new enough snapd, we will actually mount /etc/ssl from the host into the strict snaps' mount namespace, so the correct thing to suggest folks to do is to put custom certificates into /etc/ssl instead of /usr/local/share/ca-certificates.

Revision history for this message
Robert Sander (gurubert) wrote :

I am sorry, but this is not how this works.

We had /usr/local/share/ca-certificates an update-ca-certificates for years working just fine.

This attitude lead me to dump chromium and use a non-snapped browser now.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Ian, would it be possible to consider mounting /usr/local/share/ca-certificates in the snap's mount namespace, similar to what is done for /etc/ssl ? Or would this present security concerns?

Alternatively, would it work for chromium to use the system-files interface to expose /usr/local/share/ca-certificates from the host in a read-only fashion?

Revision history for this message
Kees Bakker (keestux) wrote :

It is sad that snap developers have taken such intrusive decisions by creating yet another isolated certificate infrastructure. The Ubuntu system already has its own infrastructure in /etc/ssl/certs. So, now we have two (besides all the other built-in certificates in various tools and packages).

In all honesty, why do snap developers think that their own /snap/core/current/etc/ssl/certs is so much better than the system's /etc/ssl/certs? And not only that, all documented procedures to deal with certificates (like update-ca-certificates) become useless.

Revision history for this message
Merlijn Sebrechts (merlijn-sebrechts) wrote :

Note that when you put a certificate in `/usr/local/share/ca-certificates`, and you run `sudo update-ca-certificates`, the certificates will be converted and copied to `/etc/ssl/certs`.

As such, the "old" way of doing things should still work with snaps. If this is not the case, please explain the steps you take to install the certificate.

Revision history for this message
Robert Sander (gurubert) wrote :

Hi Merlijn,

this is what is literally written by me in the first line of the bug report.

The bug report is not relevant for me any more as I migrated to a Debian Desktop this year.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.