What's new

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

So far I noticed this is a new change
upload_2019-9-14_19-13-3.png

certificate time frame is changed from 10 years to 2 years, is this for compatibility reasons with certain devices or setups?

Also saw commits related to new apple changes.
 
Last edited:
That's not the correct approach, if you generate the correct Root CA and have it imported in the device you won't need to do any of this and iOS/macOS will automatically accept the certificate.

Force trusting the certificate is useless because you'll need to do that for every domain you have in your blocklist otherwise the handshake will fail.
I followed these two links from kvic.
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

https://github.com/kvic-z/pixelserv...ixelserv-CA-to-issue-a-certificate-for-WebGUI

How do I correct this to generate, import, and use the "correct Root CA"?
 
Yes, it has been discussed now for days, start with the link below, and read to here to get updated as to the issue and attempts to address it.
https://www.snbforums.com/threads/p...server-for-adblock.26114/page-148#post-511516

Not sure but I guess the limit is between 2-3 years (no longer 10): https://support.apple.com/en-us/HT210176
Thanks for the link, after quite a bit of read, this is very significant.
Screenshot_20190914-213620377_1.jpg

This is the part that expresses it is needed to be for 2 years though it will allow for slightly longer it is best to use 2 years to be safe.
Screenshot_20190914-213425523_1.jpg


I wonder how soon this will trickle down to next diversion release.
 
How do I correct this to generate, import, and use the "correct Root CA"?
I'll be honest with you, if you are wanting to correct the problem as a matter of personal accomplishment or learning experience - those are the outdated instructions. You need to change the RSA from 1024 to 2048, change the 3650 days to something less than 825, and add the server auth EKU. Specifics are available earlier in this thread. If are wanting it just to work, my advice is to sit tight because @thelonelycoder , @Jack Yaz , @RMerlin and others have made/will make the changes that need to happen for everything to work right.
I wonder how soon this will trickle down to next diversion release.
Upcoming new releases of all your favorite router software will offer push button solutions to the problem.
 
I'll be honest with you, if you are wanting to correct the problem as a matter of personal accomplishment or learning experience - those are the outdated instructions. You need to change the RSA from 1024 to 2048, change the 3650 days to something less than 825, and add the server auth EKU. Specifics are available earlier in this thread. If are wanting it just to work, my advice is to sit tight because @thelonelycoder , @Jack Yaz , @RMerlin and others have made/will make the changes that need to happen for everything to work right.

Upcoming new releases of all your favorite router software will offer push button solutions to the problem.
Personal accomplishment and learning experience is why. I used this to generate the new cert.
Code:
cd /opt/var/cache/pixelserv
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
I then used this link from kvic to import the cert into the webgui of my AC86U.
https://github.com/kvic-z/pixelserv...ixelserv-CA-to-issue-a-certificate-for-WebGUI

My iPhone had the old cert, so I deleted it first and then did the import of the new cert. The iPad is only two months old and the MacBook Air just a month, new because I was displaced during and apartment renovation and traveling. Now I am home and time to update with new iOS and iPadOS releases coming next week. I followed this kvic link to import the certs into my devices.
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

It appears I missed the "server auth EKU" in rereading much of this thread, in particular the old posts where we learned how to do this the first time with kvic's guidance.
 
I'll be honest with you, if you are wanting to correct the problem as a matter of personal accomplishment or learning experience - those are the outdated instructions. You need to change the RSA from 1024 to 2048, change the 3650 days to something less than 825, and add the server auth EKU. Specifics are available earlier in this thread. If are wanting it just to work, my advice is to sit tight because @thelonelycoder , @Jack Yaz , @RMerlin and others have made/will make the changes that need to happen for everything to work right.

Upcoming new releases of all your favorite router software will offer push button solutions to the problem.
yea so I followed the installation instructions for Jack-Yaz compiled patch, I have the new CA registered and everything, the only issue I am seeing is that the CA uses SHA-1 thumbprint I am under the impression from the read that the new iOS13 will need a SHA-2 thumbprint.
 
yea so I followed the installation instructions for Jack-Yaz compiled patch, I have the new CA registered and everything, the only issue I am seeing is that the CA uses SHA-1 thumbprint I am under the impression from the read that the new iOS13 will need a SHA-2 thumbprint.
That’s correct, but something must be amiss - all of the certificate generating sources I’ve seen have long included sha256.

How is your cert generation? Should be something like this
Code:
openssl req -new -x509 -key key.pem -sha256 -out cert.pem -days 730 -config /etc/openssl.config
 
That’s correct, but something must be amiss - all of the certificate generating sources I’ve seen have long included sha256.

How is your cert generation? Should be something like this
Code:
openssl req -new -x509 -key key.pem -sha256 -out cert.pem -days 730 -config /etc/openssl.config
yes I followed your suggested code method when generating mine.
 
How do I correct this to generate, import, and use the "correct Root CA"?

Here you go, I've cooked up these commands to make it easier for everyone to generate the appropriate CA directly from the terminal by just copy pasting this ( Big LOL ) one liner:

Code:
cat /etc/openssl.cnf > /jffs/openssl.cnf && sed -i "/\[ v3_ca \]/aextendedKeyUsage = serverAuth" /jffs/openssl.cnf && openssl genrsa -out ca.key 2048 && openssl req -key ca.key -new -x509 -days 825 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /jffs/openssl.cnf && rm /jffs/openssl.cnf

Flow Chart of the commands:
Step 1: It'll make a copy of /etc/openssl.cnf file to /jffs to make it writeable.
Step 2: It'll do the required changes in the copied file and add the EKU flag.
Step 3: It'll create the key.
Step 4: It'll generate the Root CA.
Step 5: It'll delete the openssl.cnf file copy from /jffs since it's no longer needed.

P.S I know there might be dozens of different ways to write these commands but since it's just a one time task I didn't really waste my time in finding the most efficient way.

P.S.S Also if your household don't have any Apple device you don't really need to do anything for now.
 
Here you go, I've cooked up these commands to make it easier for everyone to generate the appropriate CA directly from the terminal by just copy pasting this ( Big LOL ) one liner:

Code:
cat /etc/openssl.cnf > /jffs/openssl.cnf && sed -i "/\[ v3_ca \]/aextendedKeyUsage = serverAuth" /jffs/openssl.cnf && openssl genrsa -out ca.key 2048 && openssl req -key ca.key -new -x509 -days 825 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /jffs/openssl.cnf && rm /jffs/openssl.cnf

Flow Chart of the commands:
Step 1: It'll make a copy of /etc/openssl.cnf file to /jffs to make it writeable.
Step 2: It'll do the required changes in the copied file and add the EKU flag.
Step 3: It'll create the key.
Step 4: It'll generate the Root CA.
Step 5: It'll delete the openssl.cnf file copy from /jffs since it's no longer needed.

P.S I know there might be dozens of different ways to write these commands but since it's just a one time task I didn't really waste my time in finding the most efficient way.

P.S.S Also if your household don't have any Apple device you don't really need to do anything for now.
Have you tested this out? At a glance I'm not sure you're satisfying this:
Code:
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Asking. I know the merlin script does.
 
I followed the instructions a page back and also added what KVIC said, this line at the end:

chown -R nobody /opt/var/cache/pixelserv

Was I correct in added that after I installed picelserv?
 
Have you tested this out? At a glance I'm not sure you're satisfying this:
Code:
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Asking. I know the merlin script does.
I may be wrong, but it is not needed to state alternative names since pixelserv issues them when generating certificates.
 
Here you go, I've cooked up these commands to make it easier for everyone to generate the appropriate CA directly from the terminal by just copy pasting this ( Big LOL ) one liner:

Code:
cat /etc/openssl.cnf > /jffs/openssl.cnf && sed -i "/\[ v3_ca \]/aextendedKeyUsage = serverAuth" /jffs/openssl.cnf && openssl genrsa -out ca.key 2048 && openssl req -key ca.key -new -x509 -days 825 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /jffs/openssl.cnf && rm /jffs/openssl.cnf

Flow Chart of the commands:
Step 1: It'll make a copy of /etc/openssl.cnf file to /jffs to make it writeable.
Step 2: It'll do the required changes in the copied file and add the EKU flag.
Step 3: It'll create the key.
Step 4: It'll generate the Root CA.
Step 5: It'll delete the openssl.cnf file copy from /jffs since it's no longer needed.

P.S I know there might be dozens of different ways to write these commands but since it's just a one time task I didn't really waste my time in finding the most efficient way.

P.S.S Also if your household don't have any Apple device you don't really need to do anything for now.
Agreed about only needed for Apple devices. Apple must be trying to raise the bar again. Also, the new Apple release is still in beta so a lot of this still needs to be tested for completeness and longevity.
 
Yeah I’m overthinking again - pixelserv will be fine as is. I was thinking ahead to using the using the certificate for other uses like gui, etc.

You can do that as well, just create a certificate using pixelserv-tls for your WebUI. It'll be accepted without any issues.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top