jrmwvu04
Very Senior Member
All set, many thanks.
pixelserv pixelserv - A Better One-pixel Webserver for Adblock
- Thread starter kvic
- Start date
XIII
Very Senior Member
I want to do the opposite: re-use the self-signed certificates that I already created for the WebUI and already imported in Firefox.
Is it OK to copy them over the ones generated by pixelserv (after renaming) and restart pixelserv?
EDIT: probably not, as I get Error code: SEC_ERROR_UNKNOWN_ISSUER when surfing to https://doubleclick.net/servstats
Last edited:
jrmwvu04
Very Senior Member
As long as they are valid, should work. Pixelserv doesn’t generate the original certificates it needs though. Just place the cert as ca.crt and the key as ca.key in /opt/var/cache/pixelserv
Also, if there are any generated ones there (_.blahblah) you will need to remove them. Actually just nuke the entire contents of that directory before you start if there’s anything there.
jrmwvu04
Very Senior Member
How did you generate your certificates?
jrmwvu04
Very Senior Member
I see. You're probably outside my ability to help but for what it's worth, I used the script built into the firmware (john's fork, I assume it's part of asuswrt-merlin) to generate mine, at /usr/sbin/gencert.sh. It pulls in some environment specific stuff for the SAN and the like, and worked better for me than previous methods. It outputs the certificates into /etc/ if I remember right.
It's also worth noting that I don't use Firefox, so it's possible the behaviors are different for that browser than I'm used to.
Since it looks like you have an EdgeRouter-X and have published a pixelserv-tls binary for it in the past, can I ask a question about running it on that here?
I'm running into what could be the "stuck" issue I've seen discussed, but it happens every couple of minutes for me, with v2.0.1, under nearly no traffic.
Since Entware-ng works fine on ER-X, I've installed the binary through opkg and simply set up an init script to run it out of /opt/bin. Is this part of my problem? Would it be much trouble for you to provide an updated binary linked against the ER-X userland libs instead of Entware-ng, so I could try that?
I'm running into what could be the "stuck" issue I've seen discussed, but it happens every couple of minutes for me, with v2.0.1, under nearly no traffic.
Since Entware-ng works fine on ER-X, I've installed the binary through opkg and simply set up an init script to run it out of /opt/bin. Is this part of my problem? Would it be much trouble for you to provide an updated binary linked against the ER-X userland libs instead of Entware-ng, so I could try that?
You may put an imaginary company/lab name that you like as CN or simply leave it as "Pixelserv CA." You may want to go through the Wiki on my Github and get better idea on how it works.
The old binary was broken but I managed to build a fully functional binary for ER-X (aka Debian Wheezy on mipsel). Took one step further and created a Debian package. Here is how to install:
Code:
# sudo -i
# cd /tmp
# wget https://github.com/kvic-z/goodies-edgemax/raw/master/pixelserv-tls_2.0.1-1_mipsel.deb
# dpkg -i pixelserv-tls_2.0.1-1_mipsel.debInit script etc will be automatically setup. Read the instruction carefully at the end. Once done, you may remove the deb file. The contents of the deb are:
Code:
./usr/bin/pixelserv-tls
./usr/share/man/man1/pixelserv-tls.1.gz
./usr/share/doc/pixelserv-tls/
./usr/share/doc/pixelserv-tls/changelog.gz
./usr/share/doc/pixelserv-tls/README.md
./usr/share/doc/pixelserv-tls/changelog.Debian.gz
./usr/share/doc/pixelserv-tls/copyright
./etc/default/pixelserv-tls
./etc/init.d/pixelserv-tlsOnce I re-establish connection to my blog, I'll make more detailed post.
Meanwhile, another user "liljaylj" (a big thanks) created a package for Arch Linux here. It'll work on Arch and any of its derivative distributions.
In case ppl continue to run Entware on ER-X, I think Entware-3.x shall have better compatibility.
XIII
Very Senior Member
In the end I decided to install the default Pixelserv certificate on all iOS devices.
Seems to work fine!
This reminds me. I have routers in two locations with pixelserv running. Instead of installing a second certificate on the devices that go back and forth, I copied the cert from the first router to the second. Worked fine.
I wonder now, would the default certificate generated on the second router be the same? Or, if not, would I need to change the CN for the second router so as not to overwrite the imported certificates for the first router?
I wonder now, would the default certificate generated on the second router be the same? Or, if not, would I need to change the CN for the second router so as not to overwrite the imported certificates for the first router?
@XIII's comment "...install the default Pixelserv certificate.." shall be read as: use the de facto command line as per this wiki to generate the CA certificate and install this CA on all iOS devices.
Every run of the command line will generate a unique CA certificate (and unique private key). So no worries about duplicates from the generating process.
Two instances of pixelserv-tls sharing the same CA certificate is perfectly safe and save yourself some hassle importing multiple CA certificates.
Under the above situation, if both instances of pixelserv-tls each generate a certificate for, say, double-click.com, the two generated certificates are unique though issued to the same domain. The two generated certificates will be interchangeable to both instances too. The generated certificates are only binding to the CA cert.
Every run of the command line will generate a unique CA certificate (and unique private key). So no worries about duplicates from the generating process.
Two instances of pixelserv-tls sharing the same CA certificate is perfectly safe and save yourself some hassle importing multiple CA certificates.
Under the above situation, if both instances of pixelserv-tls each generate a certificate for, say, double-click.com, the two generated certificates are unique though issued to the same domain. The two generated certificates will be interchangeable to both instances too. The generated certificates are only binding to the CA cert.
thelonelycoder
Part of the Furniture
That's also how I do it, all routers use the same certs. I simply replace the newly generated ones in a new install and restart pixelserv. I have been doing this for a long time.
The certs I use are more than 2 years old.
Yes, it shall be the same openssl command line as per my wiki. In your case, just that the ABS script runs the command line for you.
So my previous post still holds and the essence of it was trying to answer elorimer's questions in his post about re-using CA certificate on two routers.
As long as ppl feel okay to share the same CA certificate in a big family, technically no duplicate generation of certificates to worry about.
thelonelycoder
Part of the Furniture
It's the exact same command in AB-Solution.
Is safety a factor here? If I follow, all that is going on here is generating a valid https response to a blocked ad request. I mean, would there be any harm if pixelserv or ab-s itself supplied the same certificate to everyone?
thelonelycoder
Part of the Furniture
I believe he meant it more as a tentative warning.
Assuming you only use the same certificate on your own routers and not copy it to other routers you set up for friends and family members in locations other than yours.
For those, I set them up with the new generated cert during install, and enjoy the free beer or meal or...
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| C | Diversion Pixelserv replacement | Asuswrt-Merlin AddOns | 2 | |
| L | Is Diversion better than NextDNS, PiHole or AdGuard Home? | Asuswrt-Merlin AddOns | 10 |
Similar threads
-
-
Is Diversion better than NextDNS, PiHole or AdGuard Home?
- Started by Logi
- Replies: 10