Chiseled ca-certificates is incompatible with OpenSSL

[weiiwang01]

The chiseled version of ca-certificates, ca-certificates_data, retains only the single file, the CA certificate bundle at /etc/ssl/certs/ca-certificates.crt. However, this file is not default loaded by OpenSSL and applications that use OpenSSL, such as Python.

OpenSSL typically reads CA certificates from two default system locations:

1. A single file, which in Ubuntu is located at /usr/lib/ssl/cert.pem. This location can be overridden by setting the SSL_CERT_FILE environment variable.
2. A directory, located in Ubuntu at /usr/lib/ssl/certs/, which contains CA certificates named using the format <hash>.<idx> (e.g., 9d66eef0.0, 9d66eef0.1).

The file /usr/lib/ssl/certs/ca-certificates.crt kept by the chiseled ca-certificates_data does not correspond to these locations. As a result, applications using OpenSSL, including Python’s standard libraries, encounter SSL verification failures.

There are two potential solutions to this issue. One option is to create a symbolic link from /usr/lib/ssl/cert.pem pointed to /etc/ssl/certs/ca-certificates.crt. Alternatively, the entire content of the /usr/lib/ssl/certs/ directory could be kept, rather than just the ca-certificates.crt file.

Below is an example rockcraft file to demonstrate the issue:

name: test
description: test
summary: test
version: 1.1.1
base: [email protected]
platforms:
  amd64:
license: Apache-2.0
parts:
  ca-certificates:
    plugin: nil
    stage-packages:
      - ca-certificates_data
  openssl:
    plugin: nil
    stage-packages:
      - openssl

The following command can be used to observe the certificate verification failure:

openssl s_client -connect example.com:443 -servername example.com -showcerts
# ...
#     Verify return code: 20 (unable to get local issuer certificate)
# ...

[cjdcordeiro]

Thank you for reporting this @weiiwang01 .

We are aware of this and are tracking it internally. The bottom line is that those certificates are put in the right place by the deb's maintainer scripts, for which we do not yet have the corresponding mutation script in the slice definition.

We'll keep this issue open until those mutation scripts are added to the SDF.

[weiiwang01]

Thank you for reporting this @weiiwang01 .

We are aware of this and are tracking it internally. The bottom line is that those certificates are put in the right place by the deb's maintainer scripts, for which we do not yet have the corresponding mutation script in the slice definition.

We'll keep this issue open until those mutation scripts are added to the SDF.

Hi @cjdcordeiro, thank you for following up on this issue. Is it possible to just link the ca-certificates.crt to /usr/lib/ssl/cert.pem for now, as the openssl package does on 24.04? I think this will benefit many projects since ca-certificates is quite ubiquitous.

[cjdcordeiro]

@weiiwang01 we have some PRs up, from @zhijie-yang , addressing this. you might want to give them a try and if they fix your problem, feel free to leave a 👍

[weiiwang01]

@weiiwang01 we have some PRs up, from @zhijie-yang , addressing this. you might want to give them a try and if they fix your problem, feel free to leave a 👍

I have tested with the latest openssl_data slice and indeed, adding the openssl_data slice alongside the ca-certificates_data slice fixes this issue. I have approved the two pull requests, but I don't have any permissions on the GitHub repository, so it's probably useless. Thanks again to @zhijie-yang for fixing this issue.