SELF_SIGNED_CERT_IN_CHAIN when making call for outgoing Webhook (corporate CA cert)


#1

We have Rocket.Chat installed as a snap app in Ubuntu and have tried to set up an outgoing webhook but in the server log, we get entries with SELF_SIGNED_CERT_IN_CHAIN when the server is trying to contact the external site for the webhook.

We are behind a corporate firewall, and need to add the corporate certificate to the certificate store of the npm installation bundled with the Rocket Chat snap.

This is potentially more of a snap + npm question, but how does one do this?


#2

Well, I think I have found the answer I need, but I just need to test it out.

As the snap components (node and mongodb) run under root, I have executed the following as root to point to my custom CA file:

/snap/rocketchat-server/current/bin# ./npm config set cafile /root/mycafile.pem

I assume that for it to take effect, I need to restart the Rocket.Chat server, but I will have to wait until after hours so as not to disrupt users.


#3

OK, so that didn’t work. I also set the NODE_EXTRA_CA_CERTS environment variable in the root user’s .profile and .bashrc files, but this seems to have had no effect.

What is the correct way to add the CA cert for Node in a snap installation?


#4

After doing some more research on snaps, it seems they are not dependent on the user under which the snap executes.

So, even though I am setting environment variables in root’s .profile and .bashrc, I suspect they are ignored because snap rewrites the HOME environment variable (as explained here https://docs.snapcraft.io/reference/env).

However, I don’t want to add something in the snap’s HOME directory, because it points to the current snap version of the app, which will change the next time the snap updates, and then I lose my change.

How can I, for the rocketchat-server snap app, set the environment variable to point to my extra CA certificate, or is there another way to do this altogether?
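
Added example (not part of the original posts, and not Rocket.Chat or snapcraft code): Node reads NODE_EXTRA_CA_CERTS only when the process starts, so the suspicion in #4 can be checked by inspecting the environment of the running node process itself instead of root's login shell. The function names are assumptions made for this sketch; run it as root with the PID of the node process.

```shell
#!/bin/sh
# Added example: did the running node process actually receive
# NODE_EXTRA_CA_CERTS, and does it point at a usable PEM file?

# Print the value of variable $2 from a NUL-separated environ file $1
# (the format of /proc/<pid>/environ). Exit status 1 if the variable is absent.
env_value() (
    tr '\000' '\n' < "$1" | {
        while IFS= read -r entry; do
            # Compare the full name so FOO_X=... never matches FOO.
            if [ "${entry%%=*}" = "$2" ]; then
                printf '%s\n' "${entry#*=}"
                exit 0
            fi
        done
        exit 1
    }
)

# Classify what the process sees. Prints one of:
#   unset | unreadable:<path> | not-pem:<path> | ok:<path>
check_extra_ca() (
    if ! path=$(env_value "$1" NODE_EXTRA_CA_CERTS); then
        echo "unset"; exit 0
    fi
    # Caveat: readability is tested from this shell. A confined snap can
    # have a different filesystem view, so "ok" here is necessary, not sufficient.
    if [ ! -r "$path" ]; then
        echo "unreadable:$path"; exit 0
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
        echo "not-pem:$path"; exit 0
    fi
    echo "ok:$path"
)

# Usage: sh check_ca.sh <pid>   (reading another user's environ needs root)
if [ "$#" -ge 1 ]; then
    check_extra_ca "/proc/$1/environ"
fi
```

A result of "unset" means the variable never reached the service, whatever root's .profile or .bashrc contain.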


#5

I found a thread on the snapcraft forum that comes close to addressing this, so I posed my questions as a reply on one of the answers there: https://forum.snapcraft.io/t/declaratively-defining-environment-variables/175/25

I have also filed a bug on the Rocket.Chat GitHub page. It seems there are several potential layers at which a solution could be devised. The most logical seems to me to be able to amend the snap environment, but I cannot see an obvious solution to that, and perhaps that option is not supported.


#6

On that snapcraft forum post I linked to, I got what seems to be a workaround, which I have yet to try.

However, the moderator on that side suggested that perhaps it’s possible to use configuration to make this kind of thing work, so that options like this can be provided with snap set.

@aaron.ogle Would you mind please taking a look at https://forum.snapcraft.io/t/declaratively-defining-environment-variables/175/27? Do you think that making settings like environment variables for adding a root CA would work with snap configuration?


#7

If anyone is interested, I have documented my progress in trying to resolve this on the following GitHub issue:


Unfortunately, I don’t have a solution to this problem yet.