jrmwvu04
Very Senior Member
All set, many thanks.Done! Binaries will arrive soon.
All set, many thanks.Done! Binaries will arrive soon.
I want to do the opposite: re-use the self-signed certificates that I already created for the WebUI and already imported in Firefox.Hassle free WebUI over HTTPS
As long as they are valid, should work. Pixelserv doesn’t generate the original certificates it needs though. Just place the cert as ca.crt and the key as ca.key in /opt/var/cache/pixelservI want to do the opposite: re-use the self-signed certificates that I already created for the WebUI and already imported in Firefox.
Is it OK to copy them over the ones generated by pixelserv (after renaming) and restart pixelserv?
How did you generate your certificates?Firefox accepts them (green lock) for router.asus.com, but not for doubleclick.net.
I see. You're probably outside my ability to help but for what it's worth, I used the script built into the firmware (john's fork, I assume it's part of asuswrt-merlin) to generate mine, at /usr/sbin/gencert.sh. It pulls in some environment specific stuff for the SAN and the like, and worked better for me than previous methods. It outputs the certificates into /etc/ if I remember right.See this post on this forum.
The CA certificate & key generated by pixelserv itself do seem to work fine; both in Firefox on Windows and Mobile Safari on iOS.
Are their special requirements that I should take into account? (value of CN field?)
Since it looks like you have an EdgeRouter-X and have published a pixelserv-tls binary for it in the past, can I ask a question about running it on that here?
I'm running into what could be the "stuck" issue I've seen discussed, but it happens every couple of minutes for me, with v2.0.1, under nearly no traffic.
Since Entware-ng works fine on ER-X, I've installed the binary through opkg and simply set up an init script to run it out of /opt/bin. Is this part of my problem? Would it be much trouble for you to provide an updated binary linked against the ER-X userland libs instead of Entware-ng, so I could try that?
# sudo -i
# cd /tmp
# wget https://github.com/kvic-z/goodies-edgemax/raw/master/pixelserv-tls_2.0.1-1_mipsel.deb
# dpkg -i pixelserv-tls_2.0.1-1_mipsel.deb
./usr/bin/pixelserv-tls
./usr/share/man/man1/pixelserv-tls.1.gz
./usr/share/doc/pixelserv-tls/
./usr/share/doc/pixelserv-tls/changelog.gz
./usr/share/doc/pixelserv-tls/README.md
./usr/share/doc/pixelserv-tls/changelog.Debian.gz
./usr/share/doc/pixelserv-tls/copyright
./etc/default/pixelserv-tls
./etc/init.d/pixelserv-tls
In the end I decided to install the default Pixelserv certificate on all iOS devices.You may put an imaginary company/lab name that you like as CN or simply leave it as "Pixelserv CA." You may want to go through the Wiki on my Github and get better idea on how it works.
That's also how I do it, all routers use the same certs. I simply replace the newly generated ones in a new install and restart pixelserv. I have been doing this for a long time.@kvic I think AB-Solution created the certificate on one router. I then copied this certificate to all routers (of family members) and installed it on all our iOS devices.
@kvic I think AB-Solution created the certificate on one router.
It's the exact same command in AB-Solution.Yes, it shall be the same openssl command line as per my wiki. In your case, just that the ABS script runs the command line for you
Is safety a factor here? If I follow, all that is going on here is generating a valid https response to a blocked ad request. I mean, would there be any harm if pixelserv or ab-s itself supplied the same certificate to everyone?As long as ppl feel okay to share the same CA certificate in a big family, technically no duplicate generation of certificates to worry about.
I believe he meant it more as a tentative warning.Is safety a factor here? If I follow, all that is going on here is generating a valid https response to a blocked ad request. I mean, would there be any harm if pixelserv or ab-s itself supplied the same certificate to everyone?
Thread starter | Title | Forum | Replies | Date |
---|---|---|---|---|
C | Diversion Pixelserv replacement | Asuswrt-Merlin AddOns | 2 | |
L | Is Diversion better than NextDNS, PiHole or AdGuard Home? | Asuswrt-Merlin AddOns | 10 |
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!