
snapcraft cannot connect through a transparent SSL proxy


Metadata

Project: snapcraft
Number: #4935
Type: issue
State: open
Author: ghost
Labels:
Created: 2024-07-24 10:34:16+00:00
Updated: 2025-03-13 18:36:40+00:00
Closed:


Issue body

### What needs to get done

I filed a LP [bug](https://bugs.launchpad.net/snapcraft/+bug/2073910), but was told this would be a better place for tracking.

If there is a transparent MITM proxy between the client machine and the Snapcraft servers, the snapcraft binary is unable to connect and complains of a certificate error:

```
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
```

This is after the CA for the proxy is trusted by the system, and picked up by other system tools, e.g. apt.

Currently, there is no flag to instruct snapcraft to use the system's CA certificate store to connect through that transparent proxy.

The workaround is to set an environment variable for python `requests` that forces the use of the system trusted certificate bundle.

`export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`

Snapcraft should have an option (or default) to pick up this CA bundle, without needing to use such a large hammer that can affect other software on the system as well.

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble
$ snapcraft --version
snapcraft 8.3.1
```

Also seen on 7.5.5

### Why it needs to get done

Forcing this option in the `requests` library affects all other software on the system that also uses it. Snapcraft should have its own option for this, or pick up the system default.

The trusted certificate can be passed into build environments, but there's no way for something like `snapcraft whoami` to connect through such a proxy.
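Added example, not part of the issue or of snapcraft: a shell wrapper that applies the `REQUESTS_CA_BUNDLE` workaround to a single child process instead of exporting it for the whole session. The names `with_system_ca`, `bundle_is_usable` and the `CA_BUNDLE` override variable are hypothetical; the default path is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: scope REQUESTS_CA_BUNDLE to one command instead of exporting it.

# Debian/Ubuntu system bundle, as quoted in the issue. CA_BUNDLE is a
# hypothetical override variable introduced for this example.
DEFAULT_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Succeeds only if the file is readable and holds at least one PEM certificate,
# so an empty or missing bundle fails early with a clear message rather than
# surfacing later as CERTIFICATE_VERIFY_FAILED.
bundle_is_usable() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# with_system_ca CMD [ARGS...]
# Runs CMD with REQUESTS_CA_BUNDLE set in that child's environment only.
with_system_ca() {
    _bundle=${CA_BUNDLE:-$DEFAULT_CA_BUNDLE}
    if ! bundle_is_usable "$_bundle"; then
        echo "with_system_ca: no usable CA bundle at $_bundle" >&2
        return 2
    fi
    # env(1) always starts an external process, so the variable cannot leak
    # into the calling shell even when invoked from a function.
    env REQUESTS_CA_BUNDLE="$_bundle" "$@"
}

# Usage (not executed here):
#   with_system_ca snapcraft whoami
```

Other `requests`-based tools started from the same shell keep their default trust store, because nothing is exported.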
