pixelserv - A Better One-pixel Webserver for Adblock

Hassle free WebUI over HTTPS
I want to do the opposite: re-use the self-signed certificates that I already created for the WebUI and already imported in Firefox.

Is it OK to copy them over the ones generated by pixelserv (after renaming) and restart pixelserv?

EDIT: probably not, as I get Error code: SEC_ERROR_UNKNOWN_ISSUER when surfing to https://doubleclick.net/servstats
 
I want to do the opposite: re-use the self-signed certificates that I already created for the WebUI and already imported in Firefox.

Is it OK to copy them over the ones generated by pixelserv (after renaming) and restart pixelserv?
As long as they are valid, should work. Pixelserv doesn’t generate the original certificates it needs though. Just place the cert as ca.crt and the key as ca.key in /opt/var/cache/pixelserv

Also, if there are any generated ones there (_.blahblah) you will need to remove them. Actually just nuke the entire contents of that directory before you start if there’s anything there.
 
Firefox accepts them (green lock) for router.asus.com, but not for doubleclick.net.
 
See this post on this forum.
I see. You're probably outside my ability to help but for what it's worth, I used the script built into the firmware (john's fork, I assume it's part of asuswrt-merlin) to generate mine, at /usr/sbin/gencert.sh. It pulls in some environment specific stuff for the SAN and the like, and worked better for me than previous methods. It outputs the certificates into /etc/ if I remember right.

It's also worth noting that I don't use Firefox, so it's possible the behaviors are different for that browser than I'm used to.
 
The CA certificate & key generated by pixelserv itself do seem to work fine; both in Firefox on Windows and Mobile Safari on iOS.

Are there special requirements that I should take into account? (value of CN field?)
 
Since it looks like you have an EdgeRouter-X and have published a pixelserv-tls binary for it in the past, can I ask a question about running it on that here?

I'm running into what could be the "stuck" issue I've seen discussed, but it happens every couple of minutes for me, with v2.0.1, under nearly no traffic.

Since Entware-ng works fine on ER-X, I've installed the binary through opkg and simply set up an init script to run it out of /opt/bin. Is this part of my problem? Would it be much trouble for you to provide an updated binary linked against the ER-X userland libs instead of Entware-ng, so I could try that?
 
The CA certificate & key generated by pixelserv itself do seem to work fine; both in Firefox on Windows and Mobile Safari on iOS.

Are there special requirements that I should take into account? (value of CN field?)

You may put an imaginary company/lab name that you like as CN or simply leave it as "Pixelserv CA." You may want to go through the Wiki on my Github and get a better idea of how it works.
 
Since it looks like you have an EdgeRouter-X and have published a pixelserv-tls binary for it in the past, can I ask a question about running it on that here?

I'm running into what could be the "stuck" issue I've seen discussed, but it happens every couple of minutes for me, with v2.0.1, under nearly no traffic.

Since Entware-ng works fine on ER-X, I've installed the binary through opkg and simply set up an init script to run it out of /opt/bin. Is this part of my problem? Would it be much trouble for you to provide an updated binary linked against the ER-X userland libs instead of Entware-ng, so I could try that?

The old binary was broken but I managed to build a fully functional binary for ER-X (aka Debian Wheezy on mipsel). Took one step further and created a Debian package. Here is how to install:
Code:
# sudo -i
# cd /tmp
# wget https://github.com/kvic-z/goodies-edgemax/raw/master/pixelserv-tls_2.0.1-1_mipsel.deb
# dpkg -i pixelserv-tls_2.0.1-1_mipsel.deb

Init script etc. will be automatically set up. Read the instructions carefully at the end. Once done, you may remove the deb file. The contents of the deb are:
Code:
./usr/bin/pixelserv-tls
./usr/share/man/man1/pixelserv-tls.1.gz
./usr/share/doc/pixelserv-tls/
./usr/share/doc/pixelserv-tls/changelog.gz
./usr/share/doc/pixelserv-tls/README.md
./usr/share/doc/pixelserv-tls/changelog.Debian.gz
./usr/share/doc/pixelserv-tls/copyright
./etc/default/pixelserv-tls
./etc/init.d/pixelserv-tls

Once I re-establish connection to my blog, I'll make a more detailed post.

Meanwhile, another user "liljaylj" (a big thanks) created a package for Arch Linux here. It'll work on Arch and any of its derivative distributions.

In case ppl continue to run Entware on ER-X, I think Entware-3.x shall have better compatibility.
 
You may put an imaginary company/lab name that you like as CN or simply leave it as "Pixelserv CA." You may want to go through the Wiki on my Github and get a better idea of how it works.
In the end I decided to install the default Pixelserv certificate on all iOS devices.

Seems to work fine!
 
This reminds me. I have routers in two locations with pixelserv running. Instead of installing a second certificate on the devices that go back and forth, I copied the cert from the first router to the second. Worked fine.

I wonder now, would the default certificate generated on the second router be the same? Or, if not, would I need to change the CN for the second router so as not to overwrite the imported certificates for the first router?
 
@XIII's comment "...install the default Pixelserv certificate.." shall be read as: use the de facto command line as per this wiki to generate the CA certificate and install this CA on all iOS devices.

Every run of the command line will generate a unique CA certificate (and unique private key). So no worries about duplicates from the generating process.

Two instances of pixelserv-tls sharing the same CA certificate is perfectly safe and saves you some hassle importing multiple CA certificates.

Under the above situation, if both instances of pixelserv-tls each generate a certificate for, say, double-click.com, the two generated certificates are unique though issued to the same domain. The two generated certificates will be interchangeable to both instances too. The generated certificates are only binding to the CA cert.
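
The behaviour described in the post above, reproduced with throwaway files as an added example (not part of the original posts): two certificates issued separately for the same domain under one shared CA are distinct yet both verify against it, while a second run of CA generation with the same CN yields a different CA that does not validate them. The openssl invocations are generic ones chosen for this demo, not the command line from the pixelserv wiki; the file names and ads.example.test are placeholders.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and the domain are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/cfg"

# make_ca NAME CN: throwaway CA, standing in for a ca.crt / ca.key pair.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/cfg" \
    -extensions ca_ext -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME DOMAIN: fresh key pair for DOMAIN, signed by CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cfg" \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CA NAME: succeeds only if NAME.crt verifies against CA.crt.
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# fingerprint NAME: SHA-256 fingerprint of NAME.crt.
fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256
}

make_ca shared "Pixelserv CA"    # the CA copied to both routers
make_ca other  "Pixelserv CA"    # a separate generation run, same CN
issue_leaf shared router1 ads.example.test   # issued on the first router
issue_leaf shared router2 ads.example.test   # issued on the second router

fingerprint router1; fingerprint router2     # two different certificates
chains_to shared router1 && chains_to shared router2 \
  && echo "both verify against the shared CA"
chains_to other router1 \
  || echo "router1's certificate does not verify against the other CA"
```

A device trusts the generated certificates only through the CA it imported, which is why the CN can stay the same on every router while each generated CA remains distinct.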
 
@kvic I think AB-Solution created the certificate on one router. I then copied this certificate to all routers (of family members) and installed it on all our iOS devices.
 
@kvic I think AB-Solution created the certificate on one router. I then copied this certificate to all routers (of family members) and installed it on all our iOS devices.
That's also how I do it, all routers use the same certs. I simply replace the newly generated ones in a new install and restart pixelserv. I have been doing this for a long time.
The certs I use are more than 2 years old.
 
@kvic I think AB-Solution created the certificate on one router.

Yes, it shall be the same openssl command line as per my wiki. In your case, just that the ABS script runs the command line for you.

So my previous post still holds and the essence of it was trying to answer elorimer's questions in his post about re-using CA certificate on two routers.

As long as ppl feel okay to share the same CA certificate in a big family, technically no duplicate generation of certificates to worry about.
 
Yes, it shall be the same openssl command line as per my wiki. In your case, just that the ABS script runs the command line for you.
It's the exact same command in AB-Solution.
 
As long as ppl feel okay to share the same CA certificate in a big family, technically no duplicate generation of certificates to worry about.
Is safety a factor here? If I follow, all that is going on here is generating a valid https response to a blocked ad request. I mean, would there be any harm if pixelserv or ab-s itself supplied the same certificate to everyone?
 
Is safety a factor here? If I follow, all that is going on here is generating a valid https response to a blocked ad request. I mean, would there be any harm if pixelserv or ab-s itself supplied the same certificate to everyone?
I believe he meant it more as a tentative warning.
Assuming you only use the same certificate on your own routers and not copy it to other routers you set up for friends and family members in locations other than yours.
For those, I set them up with the new generated cert during install, and enjoy the free beer or meal or...
 
