8

I recently installed Ubuntu 20.04. Considering the time that passed since its release I thought it would be stable. After installing it, I go to Snap Store (named Ubuntu Software) and I see that several new programs appear, but after a few moments, only the editor picks show, nothing else.

I try to install PyCharm through the command line with snap (sudo snap install pycharm-community --classic), but it gives me this error: x509: certificate signed by unknown authority.

Afterwards, I decide to purge snap store and reinstall it, and after running these 2 commands: sudo apt-get update, sudo apt install snapd, I enter this one: sudo snap install snap-store, and it gives me the same error with the certificates again.

I've got no idea what's going on. I installed it from 0.

Edit 1:
Output of snap list:

No snaps are installed yet. Try 'snap install hello-world'.

Output of sudo snap install snap-store:

error: cannot install "snap-store": Post
       https://api.snapcraft.io/v2/snaps/refresh: x509: certificate signed by
       unknown authority

2 Answers

4

This may be due to a missing trusted CA certificate.

Verification of the cause

Test #1

openssl s_client -connect api.snapcraft.io:443

Example of a response that confirms a missing CA certificate. See line with verify error:

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate

Test #2

ls -l /etc/ssl/certs | grep -i digicert

DigiCert CA certificates should be displayed, e.g. as follows:

b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
3513523f.0 -> DigiCert_Global_Root_CA.pem
607986c7.0 -> DigiCert_Global_Root_G2.pem
7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem

When they are not, they need to be added.

Solution

sudo dpkg-reconfigure ca-certificates
sudo systemctl restart snapd
sudo snap refresh

The first command allows you to interactively add new CA certificates. The source for adding certificates can usually be found in the directory /usr/share/ca-certificates/mozilla/

If certificates are missing there, they can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm

netbat
  • 1,221
2

I encountered this issue within a corporate network where a Zscaler firewall is installed, which does SSL inspection by injecting its own root CA. In my case, I extracted this custom root CA (you can use openssl or a browser) in PEM format:

zangetsu@CZ-6FXPQV3:~/zscaler-intermediate-chain$ cat /usr/local/share/ca-certificates/zscaler_root_ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Now I had to put the file into the /usr/local/share/ca-certificates/ folder and run sudo update-ca-certificates

Now, the other problem is with snap: it's using a mount/copy of the local store where this certificate is not present, so I had to run:

sudo mount --bind -o nodev,ro /etc/ssl/certs /snap/core22/current/etc/ssl/certs/

As a stopgap until snap finds a way to manage root CAs for all applications, you can create a systemd mount file to run on startup:

$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service

[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro

[Install]
WantedBy=multi-user.target
EOF
$ systemctl enable snap-core-current-etc-ssl-certs.mount
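
The two answers describe different causes for the same x509 error: a public CA missing from the local trust store, and a TLS-inspecting proxy presenting its own chain. The following is an added example, not part of either answer, that tells them apart from `openssl s_client` output. `EXPECTED_ORG` is taken from the chain shown in the first answer; the function name, result strings and the proxy sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the verify lines printed by `openssl s_client`.
EXPECTED_ORG="DigiCert Inc"   # issuer organisation seen in the first answer

# Reads s_client output on stdin and prints one of (hypothetical labels):
#   no-chain | intercepted:<org> | missing-ca:num=<code> | ok
classify_handshake() (
  maxd=-1 org="" err=""
  while IFS= read -r line; do
    case "$line" in
      depth=*)
        # Track the certificate highest in the presented chain.
        d=${line#depth=}; d=${d%%[!0-9]*}; d=${d:-0}
        if [ "$d" -gt "$maxd" ]; then
          maxd=$d
          # Accept the O field with or without spaces around '='.
          org=$(printf '%s\n' "$line" | sed -n 's/^.*[ ,]O *= *\([^,]*\).*$/\1/p')
        fi ;;
      *"verify error:num="*)
        # Keep the first verify error; later ones usually follow from it.
        [ -n "$err" ] || { err=${line#*verify error:num=}; err=${err%%:*}; } ;;
    esac
  done
  if [ "$maxd" -lt 0 ]; then echo "no-chain"
  elif [ "$org" != "$EXPECTED_ORG" ]; then echo "intercepted:$org"
  elif [ -n "$err" ]; then echo "missing-ca:num=$err"
  else echo "ok"; fi
)

# Output quoted in the first answer.
SAMPLE_MISSING_CA='CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate'

# Constructed sample of a chain re-signed by an inspecting proxy.
SAMPLE_PROXY='CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., CN = Zscaler Root CA
verify error:num=19:self signed certificate in certificate chain
depth=1 C = US, O = Zscaler Inc., CN = Zscaler Intermediate Root CA
depth=0 CN = api.snapcraft.io'

printf '%s\n' "$SAMPLE_MISSING_CA" | classify_handshake   # -> missing-ca:num=20
printf '%s\n' "$SAMPLE_PROXY" | classify_handshake        # -> intercepted:Zscaler Inc.

# Live check: openssl s_client -connect api.snapcraft.io:443 </dev/null 2>&1 | classify_handshake
```

A `missing-ca` result points to the ca-certificates fix in the first answer; an `intercepted` result means the proxy's root CA has to be trusted, including inside the snap core mount, as the second answer describes.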