Posted by: @astrid

"Web filtering (HTTPS) failure".

Where do you get this? (Screenshot?)

What issues (besides the message) are you experiencing?

Please also state exact eOS version. „Newest“ is not clear as there is a „new“ beta version and a up-to-date stable version.

In general: it‘s more helpful to state exact version numbers for everything. A reader in a month ahead will have other „newest“ versions - and perfect confusion starts... 🤪 

Random: Where do you get this? (Screenshot?)

Astrid: HTTPS Support is shown as working properly on all my devices. All devices produce the same sreenshot as shown in my example.

Random: What issues (besides the message) are you experiencing?

Astrid: The eBlocker sympol appears only in http pages, not in https pages. So https pages seemes to be not controlled.

eBlocker version is 2.4.5 (2020-05-21-06-00-04 and before). It's the Standard version, not a beta version. I began working with eBlocker in April 2020. Since this time I have the problem I explained.

Posted by: @astrid

The eBlocker sympol appears only in http pages, not in https pages.

Could you please use PC and Firefox (or your browser of preference) to have a controlled environment. Make sure HTTPS is showing green in dashboard.

Then please visit a site with https, say https://eblocker.org with that browser. Click on the lock or similar that indicates encrypted traffic. There is usually a detail view of the certificate. Please post screenshot of certificate issuer.

Please also double check that HTTPS is activated for the particular device (under settings>devices>Choose device and select HTTPS tab) and Contolbar is set to be shown in browser (next tab).

See attached 3 files. HTTPS is showing green in dashboard.

@astrid

Click on „Zertifikat anzeigen“ - thats the interesting part. Look for „Aussteller/Herausgeber/Issuer“ - that‘s what we are after...

It‘s there, sorry (reads Sectico on heise.de). Appears that eBlocker is not decrypting HTTPS traffic. Strange. 

No idea - but to reset. Try to deactivate https. Reboot. Activate https. Renew eBlocker‘s certificate (<24month period). Add cert to browser and OS. Retry...

@astrid Yep. This shows eBlocker is not touching the Htts traffic. See my post above...

@astrid

Hi,

your eBlocker has full acces to the internet? Do you use a Fritzbox?

Look at the Videos on VIMEO:

https://vimeo.com/305836636

https://vimeo.com/305837227

https://vimeo.com/305852201

https://vimeo.com/305899742

Do you have imorted the eBlocker Zertificate?

When you go to an website with https then the eBlocker Certifikate will be shown?

Look at the attached file...

regards

PIO78

Puuh! I've done a lot of work as recommended from RANDOM:

I deactivate https in my eBlocker. Than reboot. Than I activated https again. I renew eBlocker‘s certificate (<24month period). I add cert to browser and OS.

I'm sorry (and sad) the result is exactly the same. On my devices HTTPS Support is shown as working well (HTTPS support of the device and eBlocker certificate are hooked green). But "eBlocker function test" shows "Web filtering (HTTPS) failure". The problem appears in Windows 10 and IOS. Both OS have different methods to install the certificat. That means that the installation of the certificats must be correct.  

To Pio78: "When you go to an website with https then the eBlocker Certifikate will be shown?" See my files above "InfoVerschlüsselung1.jpg" and "InfoVerschlüsselung2.jpg".

@astrid

Hi,

I have testet on my WIN10 PC this symptom, I can comprehend, when the certifikate is not imported.

Look at file ...

But you have it imported ... strange 🤔 

I have done several installation in version 2.4.5 and 2.5.0 to test and using Windows, Linux and IOS

but no such error happend.

i will think about it 🙄 

regards

pio

Here is an additional information. Maybe it's helpfull.

Some HTTPS pages show the eBlocker ControlBar icon (f. e. eblocker.org), some HTTPS pages not (f. e. heise.de). This is independent from WINDOWs or IOS devices and every day ond on every device exactly the same.

My connection to the internet is done by a FritzBox cable (FRITZ!OS 07.12) with an DS-Lite-Tunnel (IPv6). That means WAN IPv6, LAN IPv4. No filters etc. are set. Speed 400Mbit/sec.

@astrid

Hi,

would you do a test without IPv6 support. See the image.

eBlocker supports only IPv4 in your internal Network at this time.

Just another question, which "network mode" of your eBlocker are you using?

-"Automatic Mode"

-"Individual Settings"

Try and let me know 🤔 

regards

pio

Hi Pio78,

my internal Network is allways IPv4. In my Fritzbox there is no possibility to switch the internal network between IPv6 and IPv4. See attached file.

The "network mode" of my eBlocker is "Automatic Mode". See attached file. In this file you can see that my internal network is IPv4.

Best regards,

Astrid

@astrid

ok, switch Fritzbox to "Eweiterte Ansicht" in the upper right corner.

pio

I still showed you "Erweiterte Ansicht". See attached file.

@astrid

now it gets tricky 😬 

Which internetprovider do you have?

Could you deactivate IPv6 on you Windows 10 PC?

😭

regards

pio

My Internet provider is Unitymedia (now Vodafone). Internet is arriving by cable. It is not possible to deactivate from my Windows 10 PC or any other device the IPv6 world outside my house.

The connection to the internet is done with an DS-Lite-Tunnel (IPv6). That means Internet comes from the street (WAN) as IPv6. In my Fritzbox it is changed to IPv4. Inside my house (LAN) I have allways IPv4. This method is absolutely standard in the cabel world!

@astrid

I mean to deactivate the IPv6 (protocoll) on the network-interface from your Windows PC 🤨 

I have also Unitymedia, and can switch it in my Fritzbox.

On the WAN I have an IPv4.

🤔

regards

pio

Dear Pio78,

"On the WAN I have an IPv4."

In former times adresses were given as IPv4 adresses from WAN. You obviously own such a IPv4 adress. Now the IPv4 adresses become rare and so IPv6 adresses are given today in combination with a DS-Lite-Tunnel as standard. If you are using your provider since years you are in the good situation that you still have your IPv4 adress. The second way to get a IPv4 adress (still sometimes used from some companies) is to order and pay the IPv4 connection as long as providers have enough IPv4 adresses. In future IPv4 adresses will disappear because all are used. So eBlocker must handle IPv6 WAN side, if this is the problem. 

BR, Astrid

@Astrid

Don´t worry about IP6.

I have checked a IP4 Setting only (WAN and LAN). Nothing changed.

The controller icon does not show on every website.

It is simply not stable or reliable.

On the other hand it drives me nuts that ads are only blocked partially when using the pattern blocker, e.g. welt.de shows a to of ads.

I am waiting for a refined version an go with a combination of Adguard Home and Adguard Desktop for now.

@astrid Can you please post the certificate issuer (see above) of a https connection where the eBlocker icon is shown. 

It seems that only some traffic is passed thru eBlocker and some is going directly to the router (as seen above with heise.de).

This can happen if client and router communicate via IPv6

I‘d try to disable IPv6 on the win client to make sure it’s all IPv4 in the LAN (the WAN side is irelevant): https://www.tenforums.com/tutorials/90033-enable-disable-ipv6-windows.html

If that doen‘t work, try re-flash the eBlocker image and start anew.

Posted by: @ulmisch

Don´t worry about IP6.

I have checked a IP4 Setting only (WAN and LAN). Nothing changed.

The controller icon does not show on every website.

It is simply not stable or reliable.

Probably my Enghlish is not good enough but I did‘t get your message at all. Could you please be more verbous what you tried to do and what you mean by i.e. „not stable or reliable“.

Regarding Welt and Ads: appearantly the difference between BLOCKING ads and trackers to improve privacy and HIDING ads (which does not improve privacy) is not clear to you.

Check this post https://eblocker.org/community/feature-priorities/feature-request-hide-all-ads-even-those-that-are-not-blocked/#post-247

Remember: Today eBlocker is NOT a generic ad-blocker but a solution to improve your online privacy. It was never positioned as ad-blocker/hider. But of course we can MAKE it an „ad hider“ as well (fairly easily I guess) to hide first party ads on Welt.

@random

i have missed a autocorrect fault.
I meant that the controlbar icon does definitely not show on every website. Sometimes it appears only after a forced reload, sometime the counter does not match the real blocked items etc. etc. 

I am aware that eBlocker was not primarily made as an adblocker.

Nevertheless, when i read benne´s comment on e.g. Otto ( https://datenschutz-zwecklos.de/blog/2020/02/wie-otto-gegen-die-dsgvo-verstoesst-und-behoerde-tatenlos-zusieht/ ) i don't like to see a lot of ads from Otto on different sites 😉

I really like the idea of eBlocker and a lot of features. Therefore i made a donation, but it does not fulfil my personal needs an expectations in its actual state. 

Posted by: @ulmisch

Sometimes it appears only after a forced reload, sometime the counter does not match the real blocked items etc. etc. 

Can you please name an reproducible example as this is not normal and maybe a bug. I‘m using eBlocker for years and never got issues like you described.

BTW: How do you come to the conclusion the counter is not matching blocked items?

Posted by: @ulmisch

Nevertheless, when i read benne´s comment on e.g. Otto ( https://datenschutz-zwecklos.de/blog/2020/02/wie-otto-gegen-die-dsgvo-verstoesst-und-behoerde-tatenlos-zusieht/ ) i don't like to see a lot of ads from Otto on different sites 😉

I don‘t understand what you want to say. What do sou mean by „ads from otto“? Sorry, I‘m lost...

Posted by: @ulmisch

but it does not fulfil my personal needs an expectations in its actual state. 

What exactly do you expect? We can turn eBlocker into anything but we need to know where to turn to... 😉

@random

of course i can 😉 

I had just to reactivate my eBlocker.

Take a look at the attached pdf, i made two examples for you.

cu

@ulmisch I always get the icon on all the domains. hm. Can you reproduce this (i.e. does it always not show on the first visit) or is it randomly disappearing? Do you have other tools in place that might block the icon (blocker plugins, anti-malware/virus etc.)?

The differences between the block counter and the device domain stats are easy to explain:

1. The counter in the icon counts all blocked REQUESTS (not domains!!) of a particular website you visit. So if a tracking script to domain XYZ is called 10 times the icon indicates 10 even if it was just one domain.

2. Statistics show all DOMAINS that got blocked on a particular device. (So there might be domains you have not visited with a browser but some other app or the OS tried to contact and got blocked on the devices you are using.)

It's simply two different metrics that might drive confusion here. If you try to compare it's comparing apples and pears...

The reason that two different requests to the same website show different block numbers is also simple:

Website ads are not static anymore nowadays. They load thru scripts and are usually depending on parameters of your previous visit, your device, the time of the day and millions of other things. So with ad driven businesses you will see the numbers changing all the time from visit to visit. But if you visit a classic b2b website with static trackers the number of blocks will always be the same.

Posted by: @random

@ulmisch I always get the icon on all the domains. hm. Can you reproduce this (i.e. does it always not show on the first visit) or is it randomly disappearing? Do you have other tools in place that might block the icon (blocker plugins, anti-malware/virus etc.)?

@Random it is kind of randomly. I am not able to find a rule. Sometimes the icon appears, sometimes not. On some Sites it is always there, on some sites it is not reliable, but there are many site where the icon is always missing e.g. apple.com, amazon.de, 9gag.com ...

I do not use any other plugin, except password manager.

The differences between the block counter and the device domain stats are easy to explain:

1. The counter in the icon counts all blocked REQUESTS (not domains!!) of a particular website you visit. So if a tracking script to domain XYZ is called 10 times the icon indicates 10 even if it was just one domain.

2. Statistics show all DOMAINS that got blocked on a particular device. (So there might be domains you have not visited with a browser but some other app or the OS tried to contact and got blocked on the devices you are using.)

It's simply two different metrics that might drive confusion here. If you try to compare it's comparing apples and pears...

The reason that two different requests to the same website show different block numbers is also simple:

Website ads are not static anymore nowadays. They load thru scripts and are usually depending on parameters of your previous visit, your device, the time of the day and millions of other things. So with ad driven businesses you will see the numbers changing all the time from visit to visit. But if you visit a classic b2b website with static trackers the number of blocks will always be the same.

Thanks for your clarification, but... 

i have tested i a "clear" environment.

1. No other program with web access was active.

2. cleared the statistics

3. went to faz.net

4. checked statistics.

5 repeat step 2, 3 and 4.

I got (nearly) the same results.

Therefore the listed entries came from faz.net, that means 1 website was requested (counter) but 13 domains in background (statistics). Correct? 

cu

@astrid

Hi,

ipv6 is wan port provider thing this is handled by your modem our fritzbox.
In the internal network, eBlocker support only ipv4 at this time. There is a feature request for ipv6.
If you use in your internal network ipv4 and ipv4, eBlocker can only control ipv4.

Thats real life  🤨 

I have done about 8 eBlocker installations, and sorry no such problems.
But give me time, I will install a small test network with eBlocker 2.4.5 and a FritzBox 7390
 😎 

Real privacy is tricky and technically complex, eBlocker is a project to make it accessible to everyone.
 🤗 

regards
PIO

Posted by: @ulmisch

Therefore the listed entries came from faz.net, that means 1 website was requested (counter) but 13 domains in background (statistics). Correct?

Very interesting. Will try to repeat and open a bug report. The good news: if eBlocker see‘s it‘s a tracker - it blocks it - nevertheless what the counter may show. Will get back asap.

Regarding the disapearing icon: are you using „automatic network mode“? If so, try setting eBlocker to individual mode. You’ll be guided to set eBlocker as your gateway either by your or eBlocker‘s DHCP server. This will eliminate network timing issues that may occur under certain circumstances and will result that eBlocker doesn‘t catch all packets. This could result in a disapearing icon - in rare and random cases. 

Posted by: @random

 

Regarding the disapearing icon: are you using „automatic network mode“? If so, try setting eBlocker to individual mode. You’ll be guided to set eBlocker as your gateway either by your or eBlocker‘s DHCP server. This will eliminate network timing issues that may occur under certain circumstances and will result that eBlocker doesn‘t catch all packets. This could result in a disapearing icon - in rare and random cases. 

@Random

Good morning.

It is the same result with automatic or individual mode and different Browsers (Safari and Firefox).

cu

@ulmisch No idea what that might cause? We checked IPv6 right?

Anyone else experiencing randomly disappearing controlbar icons?  

In terms of differences of blocker requests & stats display I‘ve opened a bug report. https://eblocker.org/community/bugs-features/eos-2-5-x-beta-test-bugs-issues-only/#post-1168

THX for this finding!

Dear all,

I startet the topic "eBlocker function test: Web filtering (HTTPS) failure" because of my problem as dicribed:

On all my devices I receive by doing eBlocker function test: "Web filtering (HTTPS) failure".

HTTPS Support is shown as working well at all devices (HTTPS support of this device and eBlocker certificate are hooked green). My devices are 2 Windows-PC, Apple iPhone and Apple iPad. See attached file.

Do someone has the same problem? Do you have any ideas to solve the problem?

Thank you so much for help!

Best regards,

Astrid

@Astrid

pleas click on the exclamation mark and let us know which explanation is provided.

Normally this is caused by cached DNS, as far as i know this is nothing critical.

@astrid

Hi,

I told you that I wil cponfigure some test equipment; Fritzbox 7390, Eblocker 2.4.5 (PI 2), PC Windows 10.

Your problem with HTTPS function test, has its reason in your certifikates.

I tested it with Windows 10, Edge, Internetexplorer an Firefox.

Firefox has its own certifikate-store.

Edge and Internetexplorer use the certifikate-store from Windows (certmgr).

The eBlocker Certifikate must imported in the certificate-store "Vertrauenswürdige Stammzertifizierungsstellen". 🤩 

If you find it in "Zwischenzertifizierungsstellen" it doesn't work. 👎 

You ca move it...

It is not a problem of eBlocker, sometimes the automatic certifikate-import takes the wrong store.

 🧐 See the PDF.

I hope this solves your problem, let me know 🙂 

Look at this videos:

Windows: https://vimeo.com/305852201

IOS: https://vimeo.com/305899742

regards

PIO

Thanks to Pio78 and the other colleagues for the hard work to solve the problem.

The cerificat is correct installed in my Windows devices and in my IOS devices. The way for the installation in Windows and IOS is completly different (and easy to me). But the results are exactly the same. As I told you before on some HTTPS pages eBlocker is working properly in controlling HTTPS without a failure. And in some not.

So I'm shure there must by another effect.

See my attaches files.

Best regards,

Astrid

2 examples of HTTPS pages with correct eBlocker function: 

@astrid Httpsgood2 is no good and probably shows the culprit: bitdefender. Try to disable bitdefender SSL interception (s. https://eblocker.github.io/help/en-us/360002344653.html )and cross check...

Belive me Random, it's definitly not Bitdefender! Because:

1. The problem is on my iPad and iPhone (Apple IOS) exactly the same. And there is no Bitdefender or any other virus scanner.

2. I deactivated in my Windows devices Bitdefender. That affected the problem definitly not.

Posted by: @astrid

Belive me Random, it's definitly not Bitdefender!

Believe me, if the cert is not showing a signature from your eBlocker but a signature from bitdefender, then bitdefender is definitely intercepting the communication. That's a technical fact and shown in your screenshot.

And if bitdefender is intercepting the communication eBlocker can't work properly. That's a fact too. No "believing" necessary - I'm an engineer not a priest 😉 ...

PLS take the same screenshots as with httpgood2 after bitdefender has been disabled. Maybe repeat for others as well. Would be interesting to see the results. AND BTW: Try to reboot after disabling bitdefenders SSL.

The Bitdefender certificat is shown by the page eblocker.org. At this page eblocker is working with HTTPS properly.

To follow your recommandation I stopped Bitdefender (see attached files) and did a reboot. But the certificat ist still installed. It's not possible to inactivate it temporarely. The consequence is that the cerificat is stll be shown. See file httpgood2.jpg above.

What do you think? Why is the HTTPS failure shown on my IOS devices? All Windows devices in my network are switched off. There is no Bitdefender/AntiVirus installed in my IOS devices.

PS: I'm an engineer too with a long term experience in developement. 

Posted by: @astrid

The consequence is that the cerificat is stll be shown. See file httpgood2.jpg above.

If you are an engineer than you probably know how SSL certificate chains work. Then, what's your judgment how bitdefender can sign our website's certificate if it's fully disabled? I guess it's impossible but I'm eager to learn...

And: iOS might be a different issue. Let's focus on one system, get that straight and move forward from there. BTW: in iOS there is a switch under General that needs to grant eBlocker's certificate CA status, which is often forgotten. But again: let's focus on windows first.

Hello,

Letters displayed ( űáéúőóüöű ) do not work. When eBlocker is active I cannot send real messages via Messenger. What can I do?

Thanks for your help.
Translated with DeepL

Posted by: @cybermil

 

Letters displayed ( űáéúőóüöű ) do not work.

This is off topic. Would you please open a new topic with a descriptive title and describe more in detail where the characters are not accepted.

Check under settings>https>trusted apps if your messenger is shown and enable. 

@astrid

Hello,

tested with Windows 10 and F-Secure Antivirus.

NOW I have the same symptom 🤪 

I lokked at the eBlocker Log, there the Time and Date was wrong, on the FritzBox I set no restrictions for the eBlocker to the Internet, do a Reboot and Time and Date are OK. Now it is working for me.

Look that all Systems have the correct Time and Date

I will do a test with Bitdefender Internet Security 2020, but I need more time 🧐 

 🤬 Fucking Bitdefender 👎 👎 👎 , new download started, installed, user-account created and now trial-period ended --> no test possible 🤬

regards

PIO

@PIO78

Hello Pio78,

thank you so much again for your hard work to solve the Web filtering (HTTPS) failure which is shown in my eBlocker function test. Especially thank you for your allways polite way of debating.

Intermidiate I have removed Bitdefender from my Windows System - Reboot - Bitdefender Removal tool - Reboot again. I installed no other virus scanner. Additionally I controlled the different watches in my network. They are mostly synchronised by the PTB Timeserver. All watches are showing exactly the same time and date. 

I'm really sorry eBlocker function test gives without any virus scanner exactly the same "Web filtering (HTTPS) failure" as before.

I add two sreenshots:

HTTPSgood3.jpg shows now and as expectet the eBlocker certificat (and not the Bitfdefender certificat as before).

HTTPS-failuredWithoutBitdefender.jpg shows the old and new failure. As mentioned before the failure is exactly the same on my iPad (no Antivurus). The switch in Zertifikatsvertauenseinstellungen is of course set...

Best regards,

Astrid

Now after bitdefender is out of the way and your eBlocker appearantly is signing the cert: do you see the eBlocker Icon on eBlocker.org or other https sites (stern is a good example)? (pls empty all caches or better reboot EVERYTHING before judging... 😉 )

As I wrote the effect is exactly the same as before!

The eBlocker symbol is to be seen on some HTTPS pages and on some pages not.

Examples:

https://eBlocker.org -> yes

https://stern.de -> yes

https://heise.de -> no

https://amazon.de -> no

Caches and so on are logically cleared. All behaviors are exactly the same in iOS...

Posted by: @astrid

As I wrote the effect is exactly the same as before!

Well, maybe from the non-tech user‘s perspective but technically we‘ve eliminate a clear source of error (if bitdefender signs cert, eBlocker can‘t work as man in the middle). 

Now, PLS take screenshots of all the cert publishers (you mentioned in your post) and let‘s see what else is intercepting your traffic. 

BTW: are you using any other blocking/anti-virus/traffic-analysis tools? If so, switch them off temporarily.

Ipv6 ist turned off client-side (to eliminate another source of error)? If not, please do so and repeat. 

Regarding amazon: PLS double check that amazon is not whitelisted (in trusted apps or otherwise) - same with heise. I‘d bet eBlocker already works fine (after you disabled bitdefender) and you just visited whitelisted sites for your test, where eBlocker is disabled (due to whitlisting)

Hello to all,

I talk to our networkteam this afternoon in my office at work. We discussed internetaccess via cable-modem and ipv6 DS-Lite-Tunnel.

So I remember the information from @Astrid :

"The connection to the internet is done with an DS-Lite-Tunnel (IPv6). That means Internet comes from the street (WAN) as IPv6. In my Fritzbox it is changed to IPv4. Inside my house (LAN) I have allways IPv4. This method is absolutely standard in the cabel world!"

But now  to the facts, we had problem with such internetconnection, the problem was the provider.

Some internet-sites where available sometimes, some not. After changing from DS-Lite-Tunnel to Dual-Stack (providers task) no such problems!

So my question to the software-engineers, which internet-site is eBlocker connecting to test HTTPS (SSL) connection?

Is this thesis possible? 🤔 How can we solve your task ? 🤨 

regards

PIO

@pio78 I have DS-lite via Kabeldeutschland/vodafone - and no issues at all.

I rather guess it already works as bitdefender was the culprit here - but testing scenarios were pretty „limited“... 

Maybe there is something else intercepting the traffic too - but from my perspective we should wait untill @astrid answers with some cert publishers screenshots to scientifically drill it down to the cause. We get it fixed - for sure 😉 😎 

I had / have the same problem as well.

"All of a sudden" (which means I did not do anything specific meanwhile) I got a few SSL certificate errors, e.g. 

"Dieser Server konnte nicht beweisen, dass er www.preisjaeger.at ist Sein Sicherheitszertifikat stamm von snl.cloudfaressl.com"

On the eblocker Dashboard everything is / was green, a test of the functionality shows an error on HTTPS filtering.

Even worse, i tried to open this forum and got this:

I had to pause / disable eblocker.

Is there something wrong with the certificate? Should I replace all of them, just to be sure?

I got this on android, windows and mac devices.

Latest stable version.

Best regards,
w.

So do I get you right: eBlocker worked properly? For how long, which platform/HW? Then  „off a sudden“ you get these messages in edge (and that surely worked before?)? Is this happening on all https sites?

Did you renew eBlocker‘s root cert by chance? Or install other security tools that might interfere here? 

I‘d verify the eBlocker‘s active cert is properly added to say win (as „vertrauenswürdige Stammzertifizierungsstelle...“)

If still doesn‘t work pls post screenshot of the certificate issuer (usually by clicking on the lock in browser bar). 

@random Thx for the reply.

I installed eblocker stable two weeks ago on a Pi 3b. One week ago I tried the beta (and created a new certificate). I switched back to the stable one with the old certificate.

I checked on my Mac and the old one is there and active, same on android, same on win. 

As soon as I enable https filtering, I get these errors on almost all sites (I guess some are working due to caches).  

I will checked the issuer on my Mac.

Dashboard: exclamation mark on https - in the section https everything green.

The browser itself state that the certificate is not valid although it is trusted in the settings. It seems something went south... 

Hm. Sounds due to the change of beta/stable something got mixed up.

Try removing all eBlocker certs on one platform completely (browser & OS). Reboot. Start anew with stable eBlocker device in place. Add cert to platform and re-check.

My personal advice if you don‘t love breaking things: never touch a working system 😉 

OK, i removed all certificates from my mac (and firefox) and rebooted. I created a new certificate, valid 24 months, valid from today.

I added it to "Schlüsselbundverwaltung", tested it via dashboard and checked the status - still the same error. I am definitely running out of ideas.

P.S: when I tried to post this reply, I got the same error on eblocker.org again. I have to disable eblocker, otherwise I cannot access the forum 🙁 maybe I will start from square one (new installation). 

Der eBlocker konnte keine HTTPS-Verbindung herstellen mit https://eblocker.org/

Aufgetretener FehlerSSL Certificate expired on: Jan 8 23:59:59 2021 GMT

Sie können die Domäne jetzt zur HTTPS-Ausnahmeliste hinzufügen und das Laden der Seite fortsetzen.

Posted by: @webwude

Aufgetretener FehlerSSL Certificate expired on: Jan 8 23:59:59 2021 GMT

Sounds as if the PC/Mac is set to a date in future. Otherwise I don‘t know how to interpret this. Time/year settings might be a good hint to double check - also on eBlocker.

Are you running an ntp server that might deliver „funny“ responses? (most fritzbox run an ntp service btw. so check time settings on router too)

Just tried it with a windows laptop. Removed all certificates, rebooted both laptop and eblocker, created again a new certificate.

Still the same error. Status shows exclamation mark, error message when trying to access eblocker.org

As I have the same effect on three different devices (MacBook, Android Phone and Windows 10 laptop), I assume it is the eblocker installation.

Last try: new installation with flashing SD card without any restoration of old settings.

Did you check the system time on the platform you‘ve received the message above?

I‘m interested to drill down the cause and help. But please let‘s stick to one platform (preferibly win) not to get mixed up.  

@random system date seems to be correct. I will re-do all steps and will add some screenshots. Agreed, let's stick with windows. 

I will update this posting in the next minutes.

1. Installed certificate and test in assistant.

2. Status test on dashboard.

3. Try to open eblocker.org in Chrome.

Dies ist keine sichere Verbindung

Hacker könnten versuchen, Ihre Daten von www.kicker.de zu stehlen, zum Beispiel Passwörter, Nachrichten oder Kreditkartendaten. Weitere Informationen

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: www.kicker.de

Issuer: eBlocker - eblocker - 2020/06/01

Expires on: 01.06.2022

Current date: 01.06.2020

PEM encoded chain:

@webwude Bug might be our website server (HSTS was just introduced). Hm.

Do you get this message on other (which) websites too?

Pls try eBlocker.org with Firefox on same device. Firefox needs to add cert again as it has it‘s own storage.

Tried the same with firefox. Strangely enough I get these errors:

 

@random

Have similar problems on my iPhone, iPad and my iMac. Could even not visit eblocker.org while eBlocker was paused. Removed certificates everywhere and reinstalled new ones in accordance with instructions from Boris (24 months valid). Strange behavior remained.

Rebooted eBlocker and all devices; no change. Dashboard/Status/Web filtering HTTPS still gives exclamation.

Does this help?? (see picture)

Rob

@random:

exactly the same here.

eBlocker ist the commerical one bought in 2017. I was never one a alpha/beta-version, I have installed the 2.5.4 . Problems began last week, I use on one computer Win10, but the problems also on iPhone or iPad. I have already clear all caches, rebooted router, eBlocker and all "infected" devices, also tried to renew the certificates on the Win10-computer and the iPad, iPhone and tried with Safari on iPad/iPhone and Edge/Firefox on the Win10-computer  - with no success.

I have to deactivate https, than the devices are working. Otherwise it is exactly the same issue like on the last posts from Rob Franssen and webwude described.

I have still no more idea...

snappy_gambler

Hi,

From today on, I have also the same problems with HTTPS filtering.

first of all:
There was no change in IT infrastruture
No update on FritzBox7590
No new devices

...
See picture 1:

No one of my devices works (Apple and also Windows Laptop). Each of o has same problem. So it seems as a eblocker problem.

several steps were done:
- reboot (via web) eblocker multiple times
- hard cut of power supply
- generating of new certificate (valid only 24 month)
- installed on IPAD, MacBook and PC (incl. consulting the help)

certificate seems correctly installed see picture - but nothing worked.

I am very frustratet and need help.

Curently HTTPS is off. Otherwise internet is not usable.

Tom

Posted by: @robfranssen-fr

Does this help?? (see picture)

Rob

No. It does not. The certificate is installed correctly, test via https assistant is successful.

Issue remains. 

@all believing being affected by the issue: please post certificate of websites showing the issue. We need at least the certificate issuer to see clearer. Please also post platform and browser. „nothing is working on all devices“ is not helpful. PLS stick to one device and post more infos as requested if you feel like helping.

Or even better: send us a diagnostics report to support (at) eBlocker.org

THX!

No problem.

Device: Windows 10 Laptop.

Browser: Firefox 76.0.1

Website: www.kicker.de

Eblocker error message: SSL Certificate expired on: May 5 23:59:59 2021 GMT

Attached the certificate shown in FF after disabling eblocker.

@webwude

@random

The picture was meant for random 🙂 The date shown Aug 3, 2018 in a message i only received today is - to say the least - remarkable. (IMHO)

Rob

@webwude Now with that website (kicker.de), what's exactly the issue you experience? (BTW: This kicker.de traffic never got touched by eBlocker, so I doubt you saw an error message as the certificate is the original and not issued by your eBlocker).

Sorry for not making this clear: We need to see the issuer (and better even the full cert of the issuer, which is the next tab in FF) when you experience the error. Please restart browser after making changes in eBlocker (i.e. stop pause) as the cert will be cached otherwise.

@all, @robfranssen-fr : I believe your eBlocker's clock is off for some reason causing all these problems. This would explain why you, Rob see error messages from 2018. Because eBlocker's clock is at 2018...

PLS @all with this issues: double check eBlocker's time (reboot device and check time in System>Events - time of reboot must be current).

Once time is correct: Renew certificate to make sure current date is used for root certificate. We had eBlocker time setting issues discussed in other forum threads if you need hints why your time is off...

THX!

@all

Look at the time and date in the eBlocker Log!

Eblocker needs the correct time !!!! Give eBlocker full access to the internet.

If you have a FritzBox set no filterlist on eBlocker.

🧐

regards

PIO

Posted by: @random

@webwude Now with that website (kicker.de), what's exactly the issue you experience? (BTW: This kicker.de traffic never got touched by eBlocker, so I doubt you saw an error message as the certificate is the original and not issued by your eBlocker).

Sorry for not making this clear: We need to see the issuer (and better even the full cert of the issuer, which is the next tab in FF) when you experience the error. Please restart browser after making changes in eBlocker (i.e. stop pause) as the cert will be cached otherwise.

With https enabled I get an eblocker site notification -

Der eBlocker konnte keine HTTPS-Verbindung herstellen mit https://www.kicker.de/
Aufgetretener Fehler SSL Certificate expired on: May 5 23:59:59 2021 GMT

Sie können die Domäne jetzt zur HTTPS-Ausnahmeliste hinzufügen und das Laden der Seite fortsetzen.

What exactly do you need - see screenshot attached.

P.S. Clock is set correctly.

1. Juni 2020

17:53:14

Der eBlocker Hauptprozess wurde gestartet.

 

1. Juni 2020

17:51:22

Der eBlocker fährt herunter und startet neu.

 

1. Juni 2020

16:26:43

Der eBlocker Hauptprozess wurde gestartet.

 

1. Juni 2020

12:51:25

Der eBlocker fährt herunter.

 

1. Juni 2020

9:05:45

Der eBlocker Hauptprozess wurde gestartet.

 

1. Juni 2020

9:03:48

Der eBlocker fährt herunter und startet neu.

@webwude The posted eBlocker cert is set for 36 month validity but needs to be set to 24month if you want to use it in macOS/iOS. But this shouldn‘t affect your PC and FF - but explains other issues...

Could you please post full error message you are getting - and the cert of the kicker.de website when eBlocker is enabled. THX!

Posted by: @random

@webwude The posted eBlocker cert is set for 36 month validity but needs to be set to 24month if you want to use it in macOS/iOS. But this shouldn‘t affect your PC and FF - but explains other issues...

Could you please post full error message you are getting - and the cert of the kicker.de website when eBlocker is enabled. THX!

I created a new certificate with default values just to be sure. 

Full message see Screenshot. 

What do you mean by "cert of the kicker website when eblocker is enabled"? I will be redirected to the eblocker site and that's it. Should I grant an exception? 

@pio78

@random

“eBlocker needs the correct time !!!! Give eBlocker full access to the internet.“

I know how to set the TimeZone (Amsterdam, of course 🙂 ; after that i’m lost.

How do i tell eBlocker that he/she/it lives in 2020?

Recently, https false reports have been appearing on websites that were previously always accessible without problems.
Since recently also eblocker.org. See below.
Everything is OK even if it is included in the exception list.
My hardware: Raspberry PI 3B, AMD PC Windows10Pro64, Fritzbox7560.
Bug in both Firefox and Microsoft Edge.
eBlocker Pro, Aktiviert am 29. Apr. 2018, Lifetime, eBlockerOS Version 2.4.5, eBlocker Blockierlisten Version 2020-05-30-06-00-03

---------------------------------------------------------------------
HTTPS-Fehler auf aktueller Website
Der eBlocker konnte keine HTTPS-Verbindung herstellen mit https://eblocker.org/
Aufgetretener Fehler SSL Certificate expired on: Jan 8 23:59:59 2021 GMT

Sie können die Domäne jetzt zur HTTPS-Ausnahmeliste hinzufügen und das Laden der Seite fortsetzen.
---------------------------------------------------------------------

@robfranssen-fr

Hi,

eBlocker take the time from a time-server in the internet (ntp).

EBlocker has full access to the internet?

My test in other posts show this problem when the time is incorrect.

Often there wa sno full internet-access by eblocker.

regards

PIO78

@webwude eBlocker time?

Posted by: @random

@webwude eBlocker time?

I already posted that the time is correct. 

@webwude Well you said cert is 24month were it was 36month... Fiction and past facts and „new normal“ get mixed up after a while 😋 😉 

I just kindly asked you to re-verify eBlocker‘s time. As the error shows that eBlocker thinks cert it‘s expired. PLS DO SO.

It that the same error with other sites (pls screenshot).

@pio78

How do i check whether or not eBlocker has access to the internet?

Is a recent update enough evidence?

@random just did a reboot twice. Looks fine for me.

I can't attach files, I don't know why...but here sill the same.

Another site which doesen't work is www.startpage.com

I also reboot my eBlocker, the time is correct, I renew the certificate (24 months), I get also get eBlocker updates, so I have internet access, the eBlocker is the DHCP-Server. I can 100% confirm the screenshots from webwude.

When it's possible to me to attach file, I will also upload the screenshots of my system (PC, Win10, Firefox 76.0.1). But the same issue on my iPad and iPhone.

@thomasbeier-team-de merged your post here. seems all same issue.

@random

Don’t know what happened, but my eBlocker works again.

- rebooted the eBlocker

- removed the certificate in settings of my iPad

- opened eBlocker-settings-HTTPS-certificates and simply downloaded the certificate

  (dated 2020/06/01 and valid until Jun 1st, 2022)

- installed and validated the certificate under iOS

- opened eBlocker dashboard and activated HTTPS-support

Et voila, ca marche! 

Rob

🙁

Cheered to early! Dashboard/Status/Web filtering HTTPS still shows exclamation mark!

@robfranssen-fr, @random

I think there is a problem due to an expired root certificate since June 1st 2020:

https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

The eblocker.com and eblocker.org certificates are also signed by the Sectigo CA.

I could reproduce the problem with my eBlocker on version 2.4.5 at https://eblocker.org/. I hope the problem can be solved with a software update that contains the newer root certificates. I will look into that now.

@bpr Great job in analyzing this issue!!

@all If you have not understood @bpr's technical post here is some background:

Each web server needs a certificate for encrypted communication (https/ssl). The issuer of this certificate has a so called root certificate that he uses to sign a website's cert. Now each cert has a validity. If the validity of the root certificate expires - all the certificates that were signed by this cert will automatically expire (This is now the case with certificates issued by Sectigo.)

In case a root cert expires, usually the issuer issues a new root certificate with a longer expiration. Now, this new root certificate is not yet known by eBlocker. Therefore all certs signed by Sectigo are automatically refused and you get the dialog "cert expired" as posted by some users.

Now the question is: can we just add the new root certificate with a filter update - or is this a software update. The later is easy for the beta version - but for the 2.4.5 this might be a little tricky as we wanted to lift everyone to 2.5.x first and then joinedly perform software updates to all eBlockers at one.

To sum up: We know the cause, we know how to fix it in theory. Now we need to find the best way to fix this asap...

In the meantime you'll surely experience issues on sites with certificates from Sectigo and you might want to pause eBlocker for those sites or put the cert on the exemption list (which will still block all trackers etc but allow communication with an "expired" cert).

Two more comments:

• eBlocker's error message is misleading, because it says "expired" but shows the expiration date of the (still valid) server certificate.
• The beta 2.5.1 seems not to be affected, for example I could get a connection to https://eblocker.org/ with icon and controlbar.

@random , @bpr

Thx for the information and the explaining of the issue.

I am really happy that a solution is in sight.

It's even more complicated 🙁

There is also a problem in the web server configuration.

During the TLS handshake the web server usually sends its own certificate including the chain of intermediate certificates. For example, our server sent:

• eBlocker.org server certificate
• Sectigo CA
• USERTrust CA (expired May 30th 2020)

This chain leads to the AddTrust CA Root, which is also expired.

The correct chain is now:

• eBlocker.org server certificate
• Sectigo CA
• USERTrust CA Root (valid until 2038)

eBlockerOS 2.4.5 even has this root installed! But the Squid proxy on the eBlocker was not smart enough to see that there is an alternative chain to a valid root.

On eBlockerOS 2.5.1 there is a newer version of Squid that is obviously smart enough to select the valid chain, regardless of the incorrect chain the server sent.

But the problem can also be solved on the server. For our servers eblocker.org and eblocker.com I now removed the expired USERTrust CA, so eBlocker 2.4.5 can connect and is not confused by an invalid chain.

But of course that does not help on other websites, e.g. https://www.kicker.de. The server administrator of that server would have to remove the expired USERTrust CA from the web server's configuration, too.

@bpr

Thx for the further and acutal information!

... but that means we have to wait for 2.5.x for the final solution?

@all To make a long story short:

For eBlocker self-build Raspi users: If you upgrade to eBlockerOS 2.5.x beta the issue is solved already. This upgrade is recommended for everyone as the beta is very stable already.

For all others (ie. white cube users): Stay tuned as we are working on an update. If you are running into a website where eBlocker states the cert is expired: add site to exemption list (this can be removed later, once the update is out). Trackers etc. will still be blocked - so no worries.

Sorry for any inconvenience. This was unforeseen and we are trying our best to get it fixed asap.

THX!

@bpr

@random

Pfff. Was about to abandon the eBlocker altogether. Just in time Boris; you made my day. Now just wait and see until you guys come up with a solution; thank you in advance both of you for the support trough the open source forum. 

@robfranssen-fr No need to worry, buddy 😀 We love our eBlocker and we'll make sure it works.

But as with every complex technology: things might break depending on the always changing environment - like here: an expiring root cert nobody thought about when we initially build this part (years ago!). Nevertheless, we get it fixed asap and everyone running the 2.5.x beta got the fix already.

For everyone not willing to read this long thread, I've posted a brief summary here: https://eblocker.org/community/bugs-features/ssl-certificate-expired-eos-2-4-5-message-when-visiting-a-website/

THX for your patience... 😉 

Great work. Just installed the beta. It works... quite.

Kicker.de now throws another error 😉

Same for me with Kicker.de 🙂

https://www.kicker.de/ under Win10 2004 & Opera 68.0.3618.125

@webwude @calimero

I‘m on 2.5.1 and have no issues with kicker (no exceptions set) - see attached. But maybe kicker have changed their buggy server config meanwhile?

Pls empty all caches and reboot. 

I'm still on 2.4.5 and as you konw I have the discribed issue with the expired certificate - but I also can open "kicker.de" with activated https-function so they must have changed anything at their server.

A good site to check the issue with the certficate is startpage.com

Posted by: @snappy_gambler

A good site to check the issue with the certficate is startpage.com

What do you mean? startpage.com works well without issues - and has always worked well for me. 

Pls. post error/screenshot here to understand your post better.

THX!

Hi random,

I can't attach files, I don't know how to do. I tried this serveral times, but I have no idea, why I have this problems with the uploads.

I tried startpage.com 5 minutes ago und I get the eBlocker-message with the expired certificate.

@snappy_gambler You attached a file?! Pls state more clearly what you mean by „I can‘t attach files“. 

Pls. reboot your complete infrastructure incl. eBlocker (router, local dns, client etc). I believe there’s some caching taking place. I can‘t reproduce the issue (under iOS/safari at least). Will try different clients later. What client/browser are you using?

Sorry, but this time, it was possible to attach the file - strange.

Mainly I use a PC and Win10 and I tried Firefox (v77, private mode) and Edge, but I also have the problems with the iPad. I have already rebootet the system (PC, router = FRITZ!Box, eBlocker version 2.4.5) and cleared all caches so far I know them.

Everything worked perfectly until the end of last week. Since then I have had the problems described - "Startpage.com" only works with "HTTPS-Unterstützung" deactivated, with "HTTPS-Unterstützung" activated I get this certificate error.

Of course I can try it all again during the day, at the moment I am working.

@snappy_gambler „Cert expired“ bug is known unter 2.4.5. 

Just upgrade to 2.5.x where this bug is fixed.