Diversion - do I really have to import ca.crt?


_me_myself_and_i_

Occasional Visitor
I couldn't find this answered anywhere, so here goes...

The Diversion Standard installer advises me to import the pixelserv-tls CA cert on every client device. I do not want to do that. This Wiki article claims it's better than using Let's Encrypt, but I do not agree.
  1. What happens if the CA is not installed on the client device? I assume they get a security exception in the browser?
  2. What prevents me (if I can figure out how) from using a certificate signed by a CA already known to client devices? e.g. Let's Encrypt?
Right now, I'm running the "lite" version of Diversion because I don't understand the implications of securing pixelserv-tls with a self-signed certificate. Clarification appreciated.

Thanks!
 
What prevents me (if I can figure out how) from using a certificate signed by a CA already known to client devices? e.g. Let's Encrypt?
You won’t have Let’s Encrypt‘s private key to generate domain certs for the ad-blocked domains.
 
You won’t have Let’s Encrypt‘s private key to generate domain certs for the ad-blocked domains.
I'm not following. In /tmp/mnt/jffs/entware/var/cache/pixelserv I see ca.key and ca.crt. Can I not replace those, just like I would if configuring Apache, Nginx, etc.?

Edit: I think I understand. For every SSL protected ad site, pixelserv-tls is generating its own self-signed cert for that domain... neat. I wish there was a more elegant way of trusting its CA on client devices, though. When a guest uses my network they're going to see security error messages all over the place.

I just upgraded to "standard" to try it out, and as suspected this is shown in place of ads:

[attached image: Screenshot 278.png]
 
For pixelserv-tls to be able to answer https requests with authority on behalf of the real domain, a device or browser requires a manually added certificate exception.
Hence the important step of importing the ca.crt into devices. The result of failing to do so is now known to you.
There really is no way around it other than using Diversion Lite or disabling pixelserv-tls which essentially turns a Diversion Standard installation into a Lite Edition.
 
It does seem the usefulness of this is declining. In the last week I've had 4.3 million requests, of which pixelserv replied to 25,000. The others were rejected for other reasons, presumably because the request was hard coded for a particular response. I imagine a speedy response that is rejected is faster though than timing out.
 