[Solved] https pages not accessible with Firefox on Android 11

42 Posts
7 Users
9 Reactions
964 Views
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Smartphone Google Pixel 4A, Android 11, https pages are partly not reachable with Firefox Ver. 83.1.0 and Fennec Browser Ver. 82.1.1, error message: "Secure connection failed", no display symbol Controlbar.

https pages Example: whisky.de, dasoertliche.de, mindfactory.de, mobilsicher.de, startpage.com etc. ........

Chrome Browser, InBrowser and SmartCookie Browser no error message, Symbol Controlbar is displayed

Certificate included after instruction, MAC address of the device is used !! TOR and VPN deactivated.
eBlocker Dashboard shows with certificate present: "!" on red background.

Raspberry Pi 4 B 4GB RAM, eOS 2.5.6, FilterList Nov. 21, 2020, Network Mode (Auto), Mask 255.255.255.0, Router Fritzbox 7560 Gateway 192.168.178.1, eBlocker DNS-Firewall external 1.1.1.1,

On my old smartphone Sony Xperia Android 9 I did not have these problems.

[EDIT] This thread got off topic. Sorry.
The solution how to install the certificate with android/fennec/Firefox is here [/EDIT]


   
(@pio78)
Member
Joined: 6 Jahren ago
Posts: 329
 

Hi,

how long is your certifikate valid?

3 our 2 years?

 

regards

PIO78


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

@pio78

Hello thanks for answer

The.certifikate is valid for 3 years, started at 13.09.2020

Thomas


   
(@pio78)
Member
Joined: 6 Jahren ago
Posts: 329
 

@thomasbeier-team-de

generate a new certificate that is only 2 years valid.

I hope this may help ...

 

Please tell me

 

regards

PIO78


   
Random reacted
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

@thomasbeier-team-de I thought with 2.5.x root cert is 2yrs by default. Did you change it by chance? Or it might be a bug? 🤔 

THX!


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Thanks for your answers. Will create a new certificate and then report.
But I have put the Raspberry Pi 4 with the final version of eOS into operation on 13.09.2020 and on that day I also created the certificate with the duration of 3 years.
Let's see if the new certificate will be created for only 2 years.
Maybe today, but I will have to reinstall the certificates on 2 laptops, 2 smartphones and 1 PC........ 😉


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Hello

Now I have renewed the certificate in the eBlocker under Settings, HTTPS, Duration under Settings set to 2 years.

In the Smartphone (Android 11) I have installed the new certificate under Settings > Security > Advanced > Encryption and Logon Data > Install a Certificate > CA Certificate.
This certificate appears then under Settings > Security > Advanced > Encryption and Logon Data > Trusted Logon Data > Users, also.

I also installed the new certificate under Settings > Security > Advanced > Encryption and Credentials > Install a Certificate > WLAN Certificate.
This then appears under Settings > Security > Advanced > Encryption and Credentials > User Credentials.

Then the same way under Settings > Security > Advanced > Encryption and Credentials > Install a Certificate > VPN & App User Certificate, then the error message appears: File cannot be used, This file cannot be used as VPN & App user certificate.

Unfortunately all without success !!!
The described error still occurs. Now I do not know any more.

Greetings Thomas


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Hello love community
One more try ...
I downloaded the current image of the eBlocker OS and installed it on a new SD card. But even after starting the OS and embedding the certificate on my smartphone I still get the same error. (See above)

I noticed that the default setting for the duration of the certificate is 3 years.

Doesn't anybody have an idea what can be done or where the mistake lies?

Greetings Thomas


   
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1099
 
Posted by: @thomasbeier-team-de

In the Smartphone (Android 11) I have installed the new certificate under Settings > Security > Advanced > Encryption and Logon Data > Install a Certificate > CA Certificate

The duration of eBlocker‘s root certificate is OK with three years. In 2.4 the validity of the „on the fly“ signed website certificate was wrong. So this is all good. @random might got mixed up here 😉 

Now, I‘m not on Android. But granting the eBlocker certificate root (full CA status) is essential. With iOS Apple has some extra hurdle implemented a user has to take. With Android there might be something similar. Each single step of the described certificate installation process must be followed. 

Even you have done it: Please try anew and follow the wizard’s instructions carefully. There might be a last step (to grant CA root status) you have overseen.

BTW: It‘s enough to follow the instructions and it‘s not helpful to add eBlocker‘s root certificate in other places (as you discussed i.e. VPN & user certificate). The described error is expected as it‘s not a user certificate (but a CA root cert).

Hope this helps.


   
Random reacted
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Thanks Benne for your personal answer, but now this:

On your advice, I have carried out all the steps once again in detail.
I have renewed the certificate in eBlocker under Settings, HTTPS, Certificate, renewed, leave the term standard 3 years.

In the new smartphone (Google Pixel 4a) I have deleted all old eBlocker certificates and installed the new certificate only under Settings > Security > Advanced > Encryption and Logon Data > Install a Certificate > CA Certificate.

After that it appears under Settings > Security > Advanced > Encryption and Logon Data > Trusted Logon Data > Users, but not under Settings > Security > Advanced > Encryption and Logon Data > Trusted Logon Data > System. So I guess it is not installed as a root certificate. Android apparently prevents this !!! ???

By the way, after deleting all certificates in my old Sony Smartphone and reinstalling it, the same error occurs there.

Remember: Error message: "Secure connection failed", and no display of the icon Controlbar.
Concerns only Firefox, current version, for Android with "Improved protection against activity tracking" turned off

https pages examples: whisky.de, dasoertliche.de, mindfactory.de, mobilsicher.de, wikipedia.org etc. ........


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

@thomasbeier-team-de I‘m in a Google free zone - so not Android, sorry.
But searching for your issue I found this which might help: https://stackoverflow.com/questions/61386312/cant-install-ca-certificate-on-android-11#62465897

You might want to consider stepping back from Google if you value you privacy... 🤔

Remember: If you buy cheap you probably pay a lot... 😉 

THX!


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Hello

I guess there's nothing you can do about it 😉
I have now deactivated the HTTPS support via WLAN for the smartphone and only enabled the VPN service.

Unfortunately the error has now also occurred with my old Sony Smartphone with Android 9.
Both under eOS 2.5.6 on Raspberry Pie 4 and on my company eBlocker under eOS 2.4.5 on Raspberry Pie 3.
On the Sony Smartphone you can still use the certificate as "VPN and Apps", and "WLAN".
See instructions https://eblocker.github.io/help/de/360002342774.html

Maybe there will be a solution for Android users some day.

Thanks for the answers, see you soon.
Thomas


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

@thomasbeier-team-de I can‘t judge or help about Android but v9 should rather work 🤔 

Well, but there is good news: even if https is not enabled you still get 90-95% protection from trackers/ads by the DNS based blocker which automatically kicks in... 😉 

THX!


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Thanks for the explanations.
You're right, Android 9 also worked until the update from eOS to 2.5.6.

Thomas


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 
Posted by: @thomasbeier-team-de

Android 9 also worked until the update from eOS to 2.5.6

Misunderstanding: Android 9 should work. Only Android 11 seems not to allow CA certificates to install (as I understood).

THX!


   
 Joe
(@joe)
Trusted Member
Joined: 5 Jahren ago
Posts: 36
 

Hi,
i guess i came across the same problem (allegedly no certificate available according to the dashboard, although everything was installed according to instructions).
The reason: In August the eBlocker certificate expired - I renewed it as usual. Worked on all devices except my LG with Android 9 and FF 82.1.1. Waited for the update eOS 2.5.x. But it did not bring any improvement.
So I did some more research. After Chrome "found" the certificate in the dashboard it was clear to me that it is probably due to FF.

I found a description in the internet (I don't know where), which tells FF to read the certificates from the central directory. Unfortunately the input of parameters with "about:config" does not work with FF under Android at the moment. Therefore Fennec is now necessary. Set the parameter security.enterprise_roots.enabled to true in Fennec using about:config - and it worked again and in the dashboard there is a green tick again. 😀 
I don't have any expertise in certificates - maybe someone here can explain it better technically.
@Thomas: if you should try it, I would appreciate it if you post your result here.

My eBlocker configuration: white Cube 2.5.8, Fritzbox 7490, fixed IP's and "routing" via Gateway + DNS entry at the clients.

Joe

translated with the help of deepl


   
Random reacted
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

@joe VERY good!

Posted by: @joe

Therefore Fennec is now necessary. Set the parameter security.enterprise_roots.enabled to true in Fennec using about:config - and it worked again and in the dashboard there is a green tick again.

This might even work on Android 11.

It seems the parameters instruct the OS to enable other (imported) root certificates (That's what I suspect from the parameter'S name...). The eBlocker's certificate needs to be accepted as root to work... - now this should make it happen then 🤔 😀 

THX very much!


   
Anton reacted
 Joe
(@joe)
Trusted Member
Joined: 5 Jahren ago
Posts: 36
 
Posted by: @random

THX very much!

It is a pleasure for me to be able to give a little support here 😀 

Joe


   
(@thomasbeier-team-de)
Trusted Member
Joined: 6 Jahren ago
Posts: 37
Topic starter  

Hello everyone, Hello Joe

The problem is solved !!!!!!!!

You are right, after I set the parameter "security.enterprise_roots.enabled" to true using "about:config" in Fennec, the https pages will work again with eBlocker https support enabled.

Many, many thanks Joe for your help

Thomas


   
Random reacted
 Joe
(@joe)
Trusted Member
Joined: 5 Jahren ago
Posts: 36
 

Hi, Thomas,
great that this works for you and thanks for the positive feedback 😊 


   
Random reacted
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 
Posted by: @pio78

@thomasbeier-team-de

generate a new certificate that is only 2 years valid.

You are kidding, why has this problem not been fixed? 

I was a "crowd funder" for this product, but was never really happy with it. So today I thought I would give it another try and spent forever trying to get it to work. My certificate was for FOUR years. 

What use are a whole bunch of new features if a MAJOR bug like this breaks the whole product and still is not fixed? At least now I got my laptop working again, after changing the certificate to 2 years!!!

Now I will try to get ANDROID to work with this certificate.


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

FF under ANDROID will not allow the import of certificates. There is a solution for this.

Worked for me!!!  FF and certificates under ANDROID!


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 
Posted by: @robertocravallo

My certificate was for FOUR years. 

You might have overseen that all the major OS manufacturers have changed this to less than 36 month (and it's beyond our scope to change Apple's certificate acceptance period).

BTW: This has been fixed some years(!) ago with eBlockerOS and 36 month is default.

THX!


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 
Posted by: @random

BTW: This has been fixed some years(!) ago with eBlockerOS and 36 month is default.

THX!

Sorry, but: I downloaded the newest version today and the certificate generated was for 4 years!

Since this is a major problem, in my eyes, there should be at least a BIG warning message. 


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 
Posted by: @robertocravallo

Sorry, but: I downloaded the newest version today and the certificate generated was for 4 years!

No sir, you are wrong.

I've just double checked a fresh 2.6.2 eBlockerOS and the default period for eBlocker's root certificate is 36 month.

Of course you can change this to a longer period, if you know what you do. So I can only guess that you have changed the default... - and if you didn't do a clean install on a new SD card - an update (on an existing eBlockerOS) will take over your choice from the past!

THX!


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

Well Sir, I guess I have to stop drinking early in the mornings!!! 

On my system, there was definitely > 2 years. 

I downloaded the newest version today and installed it on a brand new chip. 

By the way, last time I tried quite a while back, exactly same problem, only I hat forgotten about it. Ok, I am 65 years old, so that might be part of the problem.

As soon as I changed it to 24 months everything worked fine on my MacBook. So whatever the default is that is set (by eBlocker?), it is not 24 months. And that is what works on my system. So I did change the default, but I set it to LESS!


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 
Posted by: @robertocravallo

definitely > 2 years

Yes, again: the eBlocker default is 36 month. This period should work with every OS, as far as I know - but my knowledge is limited 😆

Please share your exact OS version/build and bowser if 36 month do not work. Would be great if you could double-check this again - or maybe other users with the same OS can confirm this behavior?

THX!


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

I have "macOS 12.0 (21A5268h)" up and running.


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 
Posted by: @robertocravallo

I have "macOS

Now my confusion is perfect. This thread is about Android and Firefox. You‘ve mentioned issues with Android. So I expected you‘d to name some Android OS. macOS works to my knowledge without problems

It would be great if you could clarify on which OS you have issues with root certificates of 36 month. And if there is room for improvement, we are happy to apply…

THX! 


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

Well, I changed the certificate time via my MAC. On ANDROID I then just downloaded the certificate.

I could not reach any websites on my MAC before reducing the time to two years. So the problem was initially with the MAC and disappeared after changing the validity length of the certificate.

On ANDROID the problem was FF, but using the nightly build version and the tip above, I can still use FF under ANDROID. The "normal" FF does NOT recognize system certificates and it is not possible to  install one into FF. NIGHTLY has the "secret settings" where you can tell FF to use system certificates. Works for me...


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

@robertocravallo Sorry mate, but I fear this discussion is not taking us anywhere. You claim

Posted by: @robertocravallo

if a MAJOR bug like this breaks the whole product and still is not fixed?

So please, WHERE is this "MAJOR bug"?

We are super happy to improve, if you help to reproduce your "findings". So far I have not received ANYTHING helpful from you but rather impolite assaults - for no reason!

From my perspective there is no bug but obviously there is some misinterpretation on your side how to install the certificate correctly...

THX!


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

So you don't think that nothing working correctly until the certificate is set to 2 years is not major?

Is it that hard to just have 2 years by default? Easy fix I would think. Maybe, if you are a techie, no problem for you, but normal users just give up and turn to a different product. So if that is not helpful (or should I SHOUT, like you seen to like to do...), then what is? 

Please show where I "impolitely assaulted" you!

Posted by: @random

here is some misinterpretation on your side how to install the certificate correctly...

Well, if I do not know, that a certificate with a longer validity does not work, I can install it correctly all I want. I just won't work. Strange, how I installed it correctly, even if you seem to think that it is impossible for me to do so. Still did not work until, I guess I have to shout now, AFTER I reduced the validity to 2 years and deleted the old certificate and installed the new one! For me, that is a major bug. You keep mentioning 36 months, but that default did not work for me!!!

You take the easy way out and just go with

Posted by: @random

From my perspective there is no bug

but obviously, there are other perspectives, which you seem to completely ignore.

I guess we are done here! It looks like I can't articulate the problem, so that anyone can understand it. 

I fell for the exact same problem when I tried eBlocker once again last year. So it is very sad to be told, that there is no problem! I guess I am just imagining it. 


   
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1099
 

@robertocravallo @random

First of all I kindly ask the two of you to lower the tension. I find raising tension with "you must be kidding" is as much inappropriate as "SHOUTING". There is no reason for either!

This is a fact based forum, so please stay calm and let's sort the facts:

  1. eBlocker generates a 36 month root certificate by default.
  2. If @robertocravallo's certificate was "FOUR" years (to cite above 😉) this can easily be validated for further bug tracking. @robertocravallo Could you please share the certificate - which is probably in your download folder still, so we can investigate the issue . And no worries it's a public key anyway. support at eBlocker.org or here. Thanks!
  3. So far we have not heard of any macOS user mentioning certificate length issues with the default settings.
  4. @robertocravallo now claims a 24 month certificate is needed to be accepted by macOS 12.0 (21A5268h).
  5. This thread is completely off topic meanwhile. 🤔 😉 

 

@robertocravallo As I don't have a Mac, personally I can not help here unfortunately. But since it's all IT, there is only one truth: 24 or 36? 😎 

It would be great if other mac users could double check the thesis:

"eBlocker's root certificate (default 36month length) is not accepted by macOS 12"

(@bpr, @mainzelM maybe?)

And of course @robertocravallo, we will instantly change the default length if your thesis holds truth.

To sum up: As of today there are no known "MAJOR bugs" 😉 but we happily listen and try to get better every day. 👍 

Thanks very much for your help.


   
Random and QP1808 reacted
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

Hi Bene,

you are right of course, but it kind of sucks if you are not taken seriously! And that is the feeling I got here.

I will now strart a new thread "Problems with Mac OS and ANDROID" as I had a interesting phenomenon since yesterday. Spoiler: It's APPLEs "fault". 😆 


   
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1099
 
Posted by: @robertocravallo

if you are not taken seriously

From my perspective @random has taken your request very seriously and kindly asked to please double check. He told you the fact that there is no know issue.

For your IT background: If a bug can not be reproduced it‘s not considered a bug. Reality shows that in 99.99% of these „bug“ cases it‘s rather human error

I‘m with you that @random’s words „obviously there is some misinterpretation on your side how to install the certificate correctly...“ reflecting this reality might not be considered polite. 

But on the other hand I‘m not sure if opening a bug report for a „MAJOR bug“ with the words „You are kidding, why has this problem not been fixed“ is very polite either. Especially if there is no known „MAJOR bug“.

Just an idea for a polite version opening an issues: „I ran across this issue XYZ and wonder if this is known or can be reproduced by you.“…

Nevertheless, I‘m a mathematician and I trust stats. If stats proof that thousands of mac users are happy, and only one mac user claims a new bug, I wouldn‘t trust that bug report too much either, unless proven otherwise.

You are taken very seriously - but so far you are lacking proof still.

Again, I kindly ask you to share your FOUR year certificate - and maybe screenshots proving that 36month certs don‘t work. And btw: Yesterday, I‘ve talked to the eBlocker lead developer. He is using a mac and he can not reproduce your findings either… 🤔 

So please help! You are taken seriously…


   
Random reacted
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

Is it ok to upload the certificate here? I am pretty sure that I still have the one that did not work. Might also have been 36 months, the default.

Default definitely did not work for my system. Changing to 2 years worked. On 21/11/2020 the suggestion for 2 years was given above. So there must be some sort of idea what might be going on. The last time I tried, quite a while back, I had the exact same phenomenon and was happy to find the mention of reducing the certificate duration. I am not sure if it was the above post or an older one. Same "problem" on 07/01/2020, fixed by Boris Prinz. That might have been the post I saw the last time.

By the way: Website ist back up to speed.... 


   
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1099
 
Posted by: @benne

And no worries it's a public key anyway. support at eBlocker.org or here. Thanks!

Posted by: @robertocravallo

Is it ok to upload the certificate here?

To answer your question see above in bold.

 


   
(@subscriber)
Eminent Member
Joined: 5 Jahren ago
Posts: 19
 
Posted by: @robertocravallo

Default definitely did not work for my system.

I run Monterey and eBlocker’s default certificate works just fine. Thesis is invalid. 

What error msg did u get?


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 

Had to rename to TXT, otherwise I could not upload it. When this certificate was installed, I could not reach any websites. Sorry, don't remember the error message in my browser. 

Regenerated certificate with 2 years validity worked fine.


   
(@random)
Illustrious Member Admin
Joined: 6 Jahren ago
Posts: 2082
 

Please zip the crt-file before upload. 

Posted by: @robertocravallo

Regenerated certificate with 2 years validity worked fine.

You are repeating the same but you fail to prove 36 month „does not work“ so far. If you want to help, please rather try to repeat the issue. That’s a „double check“. Take screenshots of every step - or at least the error message you get. Otherwise it seems you are the only mac user experiencing this issue. 🤔 

I guess there might be some coincidence to your „Apple changes the certificate“ post  https://eblocker.org/community/main-forum/problems-with-mac-os-and-android/#post-4182

Could it be that your initial „FOUR“ year certificate was exactly the certificate „Apple had changed“?

THX!

 


   
(@robertocravallo)
Trusted Member
Joined: 5 Jahren ago
Posts: 62
 
Posted by: @random

You are repeating the same but you fail to prove 36 month „does not work“ so far.

I'm surely not going to change anything in my system, now that it is running. True, I can't "prove" it, only tell you about it. Maybe I should look for my post on this, from the last time I tried. Maybe I wrote something back then.

Posted by: @random

Otherwise it seems you are the only mac user experiencing this issue. 🤔 

Same thing with my car. I always have intermittent stuff that never ever happens, when I'm in the shop.... 😥

Posted by: @random

Could it be that your initial „FOUR“ year certificate was exactly the certificate „Apple had changed“?

No, because that did not work and I deleted it. I started the update after installing the 2 year certificate with everything working just fine. After the update, the first thing I did, was check on the certificate and the trust was reset. What can I tell you, I have the before and after screen shots, but they are no help!

So I have to change my story to "probably just on my 2 MACs"! 🤣 


   
(@benne)
Famed Member Admin
Joined: 6 Jahren ago
Posts: 1099
 

As this thread got completely off topic, I‘m summing up the above how to install eBlocker‘s certificate under android / fennec / firefox!

Posted by: @joe

Unfortunately the input of parameters with "about:config" does not work with FF under Android at the moment. Therefore Fennec is now necessary. Set the parameter security.enterprise_roots.enabled to true in Fennec using about:config - and it worked again and in the dashboard there is a green tick again.

 

In regard of the off topic, I’m happy to gather the facts:

  1. One user (@robertocravallo) reports eBlocker‘s default certificates don‘t work on macOS 12
  2. In addition the same user claims „Apple updates are changing certificate trust
  3. No other user is experiencing this, but other say everything is working fine 
  4. Unfortunately @robertocravallo can not repeat the „issue“. He also couldn't come up with other evidences for his thesis.
  5. The certificate shared above is 3 years valid (not 4 as he claimed) and works nicely under macOS without any problems.
  6. On the Internet there are no other reports regarding certificate issues under macOS nor reports that "Apple changes certificate" trust.

 

In total, I conclude:

There is no issue with certificates on macOS or other OS. Hi thesis above is untrue.

But yes, certificate installation can be challenging for some users or for „very special“ environments…🤔😉


   

Nach oben scrollen