SSL Certificate Issue (HTTPS Protection)

29 Posts
6 Users
5 Reactions
1,628 Views
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

So yesterday I did my first setup of eBlocker on my Raspberry Pi 3 (Before I had the PiHole with Banana Pi)...

And everything smooth, working nice and tidy. I wanted to enable the HTTPS protection (That is basically a MITM) so the Pattern blocking and the "Controllbar" are able to appear.

I noticed the generated certificate always shows that it was Issued in 2017 and it will expire on July 2020 (even after prolonging the certificate to the maximum expiry date on the "renew button", that is 36 months that goes exactly to 2020.)

After adding the certificate the macOS Keychain and trusting it for SSL layer, still, when I try to open webpages on Safari it gives that the certificate is not trusted/valid for almost any page eg.: facebook.com, cnn.com, startpage.com. Conveniently for google.com, youtube.com it was working... The error is the same as when you have self-signed certificates.

Is there a known issue regarding this matter?

 

PS: I'm also using AdGuard on that Mac that also uses the MITM pattern with a self-signed root certificate. Could it be that they're conflicting?


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

Hi @ovflowd,
which version of eBlocker do you have actually?
on my eBlocker 2 and 3, I have no problem with the certificate.

 eblocker version
 eblocker certificate

You seem to have two things
1) certificate issue on eBlocker
2) your AdGuard thing

Can you remove the AdGuard for testing purposes?

best regards
Sven


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

@calimero thanks for answering. I'm actually using a Raspberry Pi 3 Model B. With eBlocker 2.4.5.

 

My eBlocker certificate says that it was created in 2017. Like I said the certificate itself it's generated. I believe this is a technical issue rather than just the pressing of buttons. 😥 

 


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

I've reinstalled my PI 2 yesterday and the certificate thing is working like a charm... Maybe a reinstall of your raspi can help here?

Best regards
Sven


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

Hey @calimero, I believe I said that I made a fresh install yesterday 🙂

 


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 
Posted by: @ovflowd

Hey @calimero, I believe I said that I made a fresh install yesterday 🙂

 

Maybe a fresh fresh install today? 🙂


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

@calimero hum... why not? 🤨 

 


   
ReplyQuote
(@bpr)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 308
 

It might be this Catalina issue: https-certificate-mac-os-catalina-and-ios-13

The workaround is to generate a new certificate with only 2 years validity.


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

Thanks, @bpr! This seems odd for me, but for some reason, the SSL certificate says it was created in 2017. And I'm not able to generate a new one... Just to extend it.

Any workaround or should I do a fresh install?


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

Renew certificate and go to the second tab
There you can change the validity

Cheers
Sven

 Renew Certificate

   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

Hey @calimero again, I already did it. If you see what Boris said, the certificate cannot be valid for more than 24 months.

The certificate renewal doesn't change the date of creation, just extends the expiry date to a longer date, at least that's what's happening here.

The renew certificate button opens the modal that asks for how long you want it to expire.

Remember, the creation date is still 2017. Extending it to 36 months will make it expire on July 2020. And 36 months also make the certificate be invalidated, as Boris said.

 

 


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

Ok, so the valid from time doesn't change...

hmm strange, but this should be no problem with mac, because this is an eBlocker function...

So my thought is, reinstall eBlocker, because this should work.


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

@calimero so you're saying on your end the valid from value changes? Hmmm, then that's interesting.

Well with MacOS Catalina it is 🙁

 


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

Pls make a screenshot of certificate window and update, because it could be, that your eblocker doesn't fetch the correct time, which causes the "valid from 2017"...


   
Benne reacted
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

I will be only able to send a screenshot later. This eBlocker it's not on my home but in a friend home.


   
CalimerO reacted
ReplyQuote
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1097
 

@calimero Good guess. I agree: system time issue too / no Internet connection 

@ovflowd make sure Internet connection is not blocked by „whatever“ at install 

 


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

Yes, Christian, I believe it is probably a time sync issue. Still curious how. Will do a clean install.


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

Or if you use a fritzbox with Filters active, give eblocker unlimited access without restrictions.


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

Good evening 🙂

And update on this issue?
Best regards
Sven


   
ReplyQuote
(@pio78)
Member
Joined: 6 Jahren ago
Posts: 329

   
ovflowd reacted
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  
Posted by: @calimero

@ovflowd

 

Good evening 🙂

And update on this issue?
Best regards
Sven

Hey Sven, sorry for not answering! I did not receive a notification for this post.

Like I said the setup isn't mine, so I can only reinstall the eBlocker on the Raspberry PI when I get to my friends home. He's using my Raspberry.

 

I'm probably going to buy a new one so I could also test locally. 


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  
Posted by: @calimero

@ovflowd

 

Or if you use a fritzbox with Filters active, give eblocker unlimited access without restrictions.

He's not using a Fritzbox. It's a Vodafone modem and an ASUS router. He has the eBlocker Banana PI also. But we're doing the setup on the Raspberry for testing.


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  
Posted by: @pio78

Hello,

see this post:

https://eblocker.org/community/bugs-features/unable-to-load-license-agreement-an-internet-connection-is-required/#post-141

 

regards

PIO

 

I have no problems with the License Agreement. The eBlocker setup is working. Just no HTTPS filtering because of the (weird certificate).

 

When I get time to go to my friends home I will do a clean install and try to diagnose it 🙂


   
ReplyQuote
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2068
 
Posted by: @ovflowd

weird certificate

@ovflowd Please state more clearly what you mean by "weird"?


   
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  
Posted by: @random
Posted by: @ovflowd

weird certificate

@ovflowd Please state more clearly what you mean by "weird"?

Oh sorry, I believe I already explained on the main post hehe.

Basically like I said the certificate issuing year says 2017, and then I can only renew it on maximum 36 months that goes to July 2020.

But a valid SSL certificate may not be extended for more than 24 months, that's why the HTTPS Filtering doesn't work and Chrome says the certificate isn't valid.

Like I said it could just be a faulty installation, that's why I'm going to reinstall it next time I'm on my friends home 😀


   
ReplyQuote
(@pio78)
Member
Joined: 6 Jahren ago
Posts: 329
 

Hi,

the problem ist that your eBlocker Tme was not sync before you create the Certifikate.

1. do the installation

2. make the network configuration

3. make a reboot, after this look unter system - event (Ereignisse) that your eblocker has the correct time.

4. activate https and create the certifikate

 

But if your certificate is now "too old" got to https - certificate and go to the bottom, there ist a button to create a new one. 🤩 

Hope this helps

 

Regards PIO

 


   
ReplyQuote
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2068
 

@ovflowd New install is probably not needed.

As @pio78 said: Check if time is correct (i.e. under settings/system/events - last event should be current time). If not try factory reset (system/reset) and make sure eBlocker has Internet connection at boot.

Once time is correct, renew certificate (settings/https/certificate/renew now) or after factory reset follow https wizard step by step.

This generates a new root cert with current date and might fix your „weirdness“ 😉 

 


   
ovflowd reacted
ReplyQuote
(@ovflowd)
Trusted Member
Joined: 5 Jahren ago
Posts: 53
Topic starter  

Yup time is correct 🙂 that's why it was indeed something odd on my opinion.

I'll double-check when I go to my friends home, I'm still sick at home.

 


   
ReplyQuote
(@calimero)
Member
Joined: 5 Jahren ago
Posts: 527
 

@ovflowd

Get well soon!

You don't need to go to your friend, you only need access to one of his PC's 🙂

Anydesk.de is very usefull for this kind of work.

Kind regards
Sven


   
Random reacted
ReplyQuote

Nach oben scrollen