canonical/snapcraft

snapcraft cannot connect through a transparent SSL proxy

rudratrived1 opened this issue · 2 comments

What needs to get done

I filed a LP bug, but was told this would be a better place for tracking.

If there is a transparent MITM proxy between the client machine and the Snapcraft servers, the snapcraft binary is unable to connect and complains of a certificate error:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

This is after the CA for the proxy is trusted by the system, and picked up by other system tools, e.g. apt.

Currently, there is no flag to instruct snapcraft to use the system's CA certificate store to connect through that transparent proxy.

The workaround is to set an environment variable for Python requests that forces the use of the system trusted certificate bundle.

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Snapcraft should have an option (or default) to pick up this CA bundle, without needing to use such a large hammer that can affect other software on the system as well.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04 LTS
Release: 24.04
Codename: noble

$ snapcraft --version
snapcraft 8.3.1

Also seen on 7.5.5

Why it needs to get done

Forcing this option in the requests library affects all other software on the system that also uses it.
Snapcraft should have its own option for this, or pick up the system default. The trusted certificate can be passed into build environments, but there's no way for something like snapcraft whoami to connect through such a proxy.
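The per-tool option the report asks for, sketched as an added Python example (this is not snapcraft's own code): a resolver that prefers an explicit option, then REQUESTS_CA_BUNDLE, then the distro-managed bundle, and a requests session whose verification is scoped to that bundle instead of the process-wide environment variable. The `--ca-bundle` option name, the `resolve_ca_bundle`/`make_session` functions and the non-Ubuntu bundle paths are assumptions.

```python
import os
from typing import Callable, Mapping, Optional, Sequence

# Distro-managed CA bundles. The Debian/Ubuntu path is the one the issue
# reports; the others are assumed equivalents on other distributions.
SYSTEM_CA_BUNDLES: Sequence[str] = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu (update-ca-certificates)
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/Fedora (update-ca-trust)
    "/etc/ssl/cert.pem",                   # Alpine, macOS
)


def resolve_ca_bundle(
    explicit: Optional[str] = None,
    env: Mapping[str, str] = os.environ,
    candidates: Sequence[str] = SYSTEM_CA_BUNDLES,
    exists: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Pick the CA bundle to hand to requests' ``verify=``.

    Precedence: explicit per-tool option (hypothetical --ca-bundle) >
    REQUESTS_CA_BUNDLE > first existing system bundle > None (requests then
    falls back to its bundled certifi store). A configured path that does
    not exist is an error, not a silent fallback to a different trust store.
    """
    for source, path in (("--ca-bundle", explicit),
                         ("REQUESTS_CA_BUNDLE", env.get("REQUESTS_CA_BUNDLE"))):
        if path:
            if not exists(path):
                raise FileNotFoundError(f"{source}: CA bundle not found: {path}")
            return path
    for path in candidates:
        if exists(path):
            return path
    return None


def make_session(ca_bundle: Optional[str]):
    """Return a requests.Session that verifies against ``ca_bundle`` only.

    Setting ``verify`` on the session keeps the trust decision inside this
    tool; other requests-based programs on the host are untouched.
    """
    import requests  # lazy import: the resolver itself does not need it

    session = requests.Session()
    if ca_bundle is not None:
        session.verify = ca_bundle
    return session
```

On the Ubuntu host from the report, `resolve_ca_bundle()` with no option and no environment variable returns `/etc/ssl/certs/ca-certificates.crt`, which already contains the proxy CA once update-ca-certificates has installed it.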

Thanks for the report!

How are you passing the trusted certificate into the build containers? Is this something that's done per-snap or do you set it globally?

I haven't needed to do this, but I'm assuming that's what the --add-ca-certificates <path> option does (which has its own bug).