pixelserv - A Better One-pixel Webserver for Adblock

Thank you Asad Ali.

Might the previously-generated pixelserv certs (for other domains) in /opt/var/cache/pixelserv/ be causing the issues people are seeing with dropped/rejected https requests, since they become invalid once you create a new CA?

They were giving me problems for other reasons so I went into Diversion and purged all the pixelserv certs before generating my new ones (it saves your existing CA and key if you already created new ones) and that helped me.
 

That's the necessary step once you create a new Root CA; without that, it's useless for any existing certificates and will cause issues.
 
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smartphone that no longer gets OS updates: it would mean not a single SSL site would be working after two years without any updated CA bundle...
 

I believe these conditions are only for self-signed certificates/CAs. Public CAs won't need to do that since they already have to do so many other things to establish the trust chain in advance.
 
It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.

Agreed, those 730 days will fly right by...but the Apple requirement is every 800-some. Perhaps reminders at 90 remaining days, 60, 30, 15, 7 and red alerts at 3, 2, 1 would be helpful? I like email alerts too...or we can just set reminders in our phones. ;-)
 
I'm checking the expiry date:
Code:
openssl x509 -text -noout -in /opt/var/cache/pixelserv/ca.crt | grep "Not After :" | sed 's/^.*: //'
Back to coding, see ya all when everything's ready and done.
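As an added example (not from the thread, and not Diversion's or pixelserv-tls's own code), the check above extended into a POSIX shell script that buckets the CA cert's remaining lifetime into the reminder schedule suggested earlier in the thread and lists generated certs that no longer chain to the current ca.crt, i.e. the leftovers from a previous CA that make HTTPS requests fail. It assumes the default cert cache path /opt/var/cache/pixelserv mentioned above and that the generated certs are stored as PEM files beside ca.crt.

```shell
#!/bin/sh
# Added example, not part of the thread or of Diversion/pixelserv-tls: checks the
# CA cert's expiry against the reminder schedule suggested above and lists generated
# certs that no longer chain to the current ca.crt (leftovers from a previous CA).
# Assumes the default cache path from the thread; generated certs are PEM files beside ca.crt.
CERT_DIR="${CERT_DIR:-/opt/var/cache/pixelserv}"

# Reminder thresholds in days remaining, largest first.
THRESHOLDS="90 60 30 15 7 3 2 1"

# Print "expired", the smallest threshold the cert expires within, or "ok".
# `openssl x509 -checkend` sidesteps BusyBox/GNU `date` parsing differences on routers.
expiry_bucket() {
    cert="$1"
    openssl x509 -noout -in "$cert" -checkend 0 >/dev/null 2>&1 || { echo expired; return 0; }
    result=ok
    for d in $THRESHOLDS; do
        # -checkend exits non-zero when the cert expires within d days
        openssl x509 -noout -in "$cert" -checkend $((d * 86400)) >/dev/null 2>&1 || result=$d
    done
    echo "$result"
}

# Severity for a bucket: red alerts at 3/2/1 days, reminders before that.
alert_level() {
    case "$1" in
        ok|expired) echo "$1" ;;
        1|2|3) echo alert ;;
        *) echo reminder ;;
    esac
}

# Print the names of generated certs that do not verify against ca.crt.
stale_certs() {
    for c in "$1"/*; do
        [ -f "$c" ] || continue
        case "$(basename "$c")" in ca.crt|ca.key) continue ;; esac
        openssl x509 -noout -in "$c" >/dev/null 2>&1 || continue   # skip keys, serials, CSRs
        openssl verify -CAfile "$1/ca.crt" "$c" >/dev/null 2>&1 || basename "$c"
    done
}

report() {
    b=$(expiry_bucket "$1/ca.crt")
    echo "ca.crt: $(alert_level "$b") (expiry bucket: $b)"
    for s in $(stale_certs "$1"); do
        echo "$s: not signed by the current ca.crt; purge it so pixelserv-tls regenerates it"
    done
}
if [ -d "$CERT_DIR" ]; then report "$CERT_DIR"; fi
```

Running it with `CERT_DIR` pointing at another directory checks that directory instead; it only reports and never deletes anything.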
 
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smartphone that no longer gets OS updates: it would mean not a single SSL site would be working after two years without any updated CA bundle...
That is how apple gets their money sooner.....
 
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smartphone that no longer gets OS updates: it would mean not a single SSL site would be working after two years without any updated CA bundle...
From my understanding, the verbiage “TLS server certificates and issuing CAs” is only used when describing the 2048-bit RSA and SHA-2 requirements. The other bullet points, including the two-year requirement, are only for “TLS server certificates”, so it seems those restrictions may not apply to CAs.
 
I'm still using the 3650 days for the CA, so this seems correct. Thanks for confirming and adding to the confusion :D
 
Alright guys, good news: I've tested the Root CA WITH 10 years validity and WITHOUT any EKU flag, and as long as your key is 2048 bits with SHA-2 it'll work and be accepted under the new iOS 13 and Catalina standards. That's a major relief, since you no longer need to generate and reimport the certificate in all your devices every 2 years, and we don't need any special commands/scripts to generate the Root CA either.

The conditions of two years and the EKU flag are still necessary for pixelserv-tls generated certificates, so we do have to purge our generated certificates every two years, but that's no hassle.
 
Good to know. The info on the upcoming Diversion update looks like this, with the differentiation of the CA cert and the generated certs.
Only the expiry date of the oldest domain cert is shown, giving you an idea when to purge the certs.
 

Seems good, but just a suggestion if it's not too much work: add an automated purge for expired generated certs (or even the complete folder, because we mostly reach equilibrium within days of purging the old certificates).
 
That's a worry for two years from now. Plenty of time to code that part.
 
@thelonelycoder: Would I be correct that selecting #2 to recreate the CA certificate would also do #1?
 
I'm ready with my Diversion update for the iOS 11 compatibility requirements.
But first, I need some pillow time. And then cross fingers that my employer won't be needing my services tomorrow morning when I push the update.
 