Adguard complaining cert needs moved after updating/overwriting from Stable

[privacyguy123]

Updated to Nightly from Stable to check this new feature out.

[privacyguy123]

Removed certs manually, uninstalled and reinstalled module and still this error.

Ironically older versions worked just fine. On Samsung S20 FE 5G Snapdragon Android 13.

[sfionov]

@privacyguy123 Does your device has multiple users?

Do you have adb shell access to your device?

If yes, can you provide output of these commands?

su
ls /data/misc/user/*/cacerts-added/0f4ed297.*

[privacyguy123]

@privacyguy123 Does your device has multiple users?

Do you have adb shell access to your device?

If yes, can you provide output of these commands?

su
ls /data/misc/user/*/cacerts-added/0f4ed297.*

No I don't think so ... pm list users shows just one.

[sfionov]

@privacyguy123 Thank you!

I need a log of adguardcert module then, can you do cat /data/local/tmp/adguardcert.log in terminal?

[privacyguy123]

@privacyguy123 Thank you!

I need a log of adguardcert module then, can you do cat /data/local/tmp/adguardcert.log in terminal?

Sure, I had a look my self and can't see anything wrong.

at /data/local/tmp/adguardcert.log                              <
+ MODDIR=/data/adb/modules/adguardcert
+ AG_CERT_HASH=0f4ed297
+ IFS=.
+ read -r left right
+ read -r left right
+ sort -nr
+ ls /data/misc/user/0/cacerts-added/0f4ed297.0
+ echo 0 /data/misc/user/0/cacerts-added/0f4ed297.0
+ read -r left right
+ echo /data/misc/user/0/cacerts-added/0f4ed297.0
+ AG_CERT_FILE=/data/misc/user/0/cacerts-added/0f4ed297.0
+ '[' -e /data/misc/user/0/cacerts-added/0f4ed297.0 ]
+ rm -f '/data/misc/user/*/cacerts-removed/0f4ed297.*'
+ cp -f /data/misc/user/0/cacerts-added/0f4ed297.0 /data/adb/modules/adguardcert/system/etc/security/cacerts/0f4ed297.0
+ chown -R 0:0 /data/adb/modules/adguardcert/system/etc/security/cacerts
+ set_context /system/etc/security/cacerts /data/adb/modules/adguardcert/system/etc/security/cacerts
+ getenforce
+ '[' Enforcing '=' Enforcing ]
+ default_selinux_context=u:object_r:system_file:s0
+ ls -Zd /system/etc/security/cacerts
+ awk '{print $1}'
+ selinux_context=u:object_r:system_security_cacerts_file:s0
+ '[' -n u:object_r:system_security_cacerts_file:s0 ]
+ '[' u:object_r:system_security_cacerts_file:s0 '!=' '?' ]
+ chcon -R u:object_r:system_security_cacerts_file:s0 /data/adb/modules/adguardcert/system/etc/security/cacerts
+ '[' -d /apex/com.android.conscrypt/cacerts ]
+ rm -f /data/local/tmp/adg-ca-copy
+ mkdir -p /data/local/tmp/adg-ca-copy
+ mount -t tmpfs tmpfs /data/local/tmp/adg-ca-copy
+ cp -f /apex/com.android.conscrypt/cacerts/01419da9.0 /apex/com.android.conscrypt/cacerts/04f60c28.0 /apex/com.android.conscrypt/cacerts/0d69c7e1.0 /apex/com.android.conscrypt/cacerts/10531352.0 /apex/com.android.conscrypt/cacerts/1ae85e5e.0 /apex/com.android.conscrypt/cacerts/1b0f7e5c.0 /apex/com.android.conscrypt/cacerts/1df5a75f.0 /apex/com.android.conscrypt/cacerts/1e1eab7c.0 /apex/com.android.conscrypt/cacerts/1e8e7201.0 /apex/com.android.conscrypt/cacerts/1ec40989.0 /apex/com.android.conscrypt/cacerts/1f58a078.0 /apex/com.android.conscrypt/cacerts/219d9499.0 /apex/com.android.conscrypt/cacerts/23f4c490.0 /apex/com.android.conscrypt/cacerts/252252d2.0 /apex/com.android.conscrypt/cacerts/2add47b6.0 /apex/com.android.conscrypt/cacerts/2d9dafe4.0 /apex/com.android.conscrypt/cacerts/302904dd.0 /apex/com.android.conscrypt/cacerts/304d27c3.0 /apex/com.android.conscrypt/cacerts/31188b5e.0 /apex/com.android.conscrypt/cacerts/33ee480d.0 /apex/com.android.conscrypt/cacerts/35105088.0 /apex/com.android.conscrypt/cacerts/399e7759.0 /apex/com.android.conscrypt/cacerts/3ad48a91.0 /apex/com.android.conscrypt/cacerts/3c860d51.0 /apex/com.android.conscrypt/cacerts/3c899c73.0 /apex/com.android.conscrypt/cacerts/3c9a4d3b.0 /apex/com.android.conscrypt/cacerts/3e7271e8.0 /apex/com.android.conscrypt/cacerts/41a3f684.0 /apex/com.android.conscrypt/cacerts/455f1b52.0 /apex/com.android.conscrypt/cacerts/48a195d8.0 /apex/com.android.conscrypt/cacerts/4be590e0.0 /apex/com.android.conscrypt/cacerts/4c3982f2.0 /apex/com.android.conscrypt/cacerts/5046c355.0 /apex/com.android.conscrypt/cacerts/52b525c7.0 /apex/com.android.conscrypt/cacerts/53a1b57a.0 /apex/com.android.conscrypt/cacerts/583d0756.0 /apex/com.android.conscrypt/cacerts/5a3f0ff8.0 /apex/com.android.conscrypt/cacerts/5acf816d.0 /apex/com.android.conscrypt/cacerts/5f47b495.0 /apex/com.android.conscrypt/cacerts/5f9a69fa.0 /apex/com.android.conscrypt/cacerts/5fdd185d.0 /apex/com.android.conscrypt/cacerts/60afe812.0 /apex/com.android.conscrypt/cacerts/6187b673.0 /apex/com.android.conscrypt/cacerts/63a2c897.0 /apex/com.android.conscrypt/cacerts/69105f4f.0 /apex/com.android.conscrypt/cacerts/6b03dec0.0 /apex/com.android.conscrypt/cacerts/6f7454b3.0 /apex/com.android.conscrypt/cacerts/75680d2e.0 /apex/com.android.conscrypt/cacerts/76579174.0 /apex/com.android.conscrypt/cacerts/7892ad52.0 /apex/com.android.conscrypt/cacerts/7a7c655d.0 /apex/com.android.conscrypt/cacerts/7a819ef2.0 /apex/com.android.conscrypt/cacerts/81b9768f.0 /apex/com.android.conscrypt/cacerts/82223c44.0 /apex/com.android.conscrypt/cacerts/83e9984f.0 /apex/com.android.conscrypt/cacerts/85cde254.0 /apex/com.android.conscrypt/cacerts/86212b19.0 /apex/com.android.conscrypt/cacerts/869fbf79.0 /apex/com.android.conscrypt/cacerts/8794b4e3.0 /apex/com.android.conscrypt/cacerts/882de061.0 /apex/com.android.conscrypt/cacerts/88950faa.0 /apex/com.android.conscrypt/cacerts/89c02a45.0 /apex/com.android.conscrypt/cacerts/8d6437c3.0 /apex/com.android.conscrypt/cacerts/9282e51c.0 /apex/com.android.conscrypt/cacerts/9339512a.0 /apex/com.android.conscrypt/cacerts/93851c9e.0 /apex/com.android.conscrypt/cacerts/9479c8c3.0 /apex/com.android.conscrypt/cacerts/9576d26b.0 /apex/com.android.conscrypt/cacerts/9591a472.0 /apex/com.android.conscrypt/cacerts/95aff9e3.0 /apex/com.android.conscrypt/cacerts/9685a493.0 /apex/com.android.conscrypt/cacerts/985c1f52.0 /apex/com.android.conscrypt/cacerts/99e1b953.0 /apex/com.android.conscrypt/cacerts/9aef356c.0 /apex/com.android.conscrypt/cacerts/9d6523ce.0 /apex/com.android.conscrypt/cacerts/a2c66da8.0 /apex/com.android.conscrypt/cacerts/a3896b44.0 /apex/com.android.conscrypt/cacerts/a716d4ed.0 /apex/com.android.conscrypt/cacerts/a81e292b.0 /apex/com.android.conscrypt/cacerts/a9d40e02.0 /apex/com.android.conscrypt/cacerts/ab5346f4.0 /apex/com.android.conscrypt/cacerts/ab59055e.0 /apex/com.android.conscrypt/cacerts/b0ed035a.0 /apex/com.android.conscrypt/cacerts/b0f3e76e.0 /apex/com.android.conscrypt/cacerts/b30d5fda.0 /apex/com.android.conscrypt/cacerts/b3fb433b.0 /apex/com.android.conscrypt/cacerts/b74d2bd5.0 /apex/com.android.conscrypt/cacerts/b7db1890.0 /apex/com.android.conscrypt/cacerts/b872f2b4.0 /apex/com.android.conscrypt/cacerts/b92fd57f.0 /apex/com.android.conscrypt/cacerts/b936d1c6.0 /apex/com.android.conscrypt/cacerts/bc3f2570.0 /apex/com.android.conscrypt/cacerts/bd43e1dd.0 /apex/com.android.conscrypt/cacerts/bdacca6f.0 /apex/com.android.conscrypt/cacerts/bf64f35b.0 /apex/com.android.conscrypt/cacerts/c44cc0c0.0 /apex/com.android.conscrypt/cacerts/c491639e.0 /apex/com.android.conscrypt/cacerts/c559d742.0 /apex/com.android.conscrypt/cacerts/c7f1359b.0 /apex/com.android.conscrypt/cacerts/c90bc37d.0 /apex/com.android.conscrypt/cacerts/cb1c3204.0 /apex/com.android.conscrypt/cacerts/ccc52f49.0 /apex/com.android.conscrypt/cacerts/cf701eeb.0 /apex/com.android.conscrypt/cacerts/d06393bb.0 /apex/com.android.conscrypt/cacerts/d16a5865.0 /apex/com.android.conscrypt/cacerts/d16a5865.1 /apex/com.android.conscrypt/cacerts/d18e9066.0 /apex/com.android.conscrypt/cacerts/d39b0a2c.0 /apex/com.android.conscrypt/cacerts/d41b5e2a.0 /apex/com.android.conscrypt/cacerts/d4c339cb.0 /apex/com.android.conscrypt/cacerts/d59297b8.0 /apex/com.android.conscrypt/cacerts/d7746a63.0 /apex/com.android.conscrypt/cacerts/d96b65e2.0 /apex/com.android.conscrypt/cacerts/da7377f6.0 /apex/com.android.conscrypt/cacerts/dbc54cab.0 /apex/com.android.conscrypt/cacerts/dbff3a01.0 /apex/com.android.conscrypt/cacerts/dc99f41e.0 /apex/com.android.conscrypt/cacerts/dfc0fe80.0 /apex/com.android.conscrypt/cacerts/e13665f9.0 /apex/com.android.conscrypt/cacerts/e442e424.0 /apex/com.android.conscrypt/cacerts/e48193cf.0 /apex/com.android.conscrypt/cacerts/e7c037b4.0 /apex/com.android.conscrypt/cacerts/e8651083.0 /apex/com.android.conscrypt/cacerts/ed39abd0.0 /apex/com.android.conscrypt/cacerts/edcbddb5.0 /apex/com.android.conscrypt/cacerts/ee532fd5.0 /apex/com.android.conscrypt/cacerts/f013ecaf.0 /apex/com.android.conscrypt/cacerts/f058632f.0 /apex/com.android.conscrypt/cacerts/f0cd152c.0 /apex/com.android.conscrypt/cacerts/f459871d.0 /apex/com.android.conscrypt/cacerts/f8fc53da.0 /apex/com.android.conscrypt/cacerts/fb5fa911.0 /apex/com.android.conscrypt/cacerts/fd08c599.0 /apex/com.android.conscrypt/cacerts/fde84897.0 /data/local/tmp/adg-ca-copy/
+ cp -f /data/misc/user/0/cacerts-added/0f4ed297.0 /data/local/tmp/adg-ca-copy
+ chown -R 0:0 /data/local/tmp/adg-ca-copy
+ set_context /apex/com.android.conscrypt/cacerts /data/local/tmp/adg-ca-copy
+ getenforce
+ '[' Enforcing '=' Enforcing ]
+ default_selinux_context=u:object_r:system_file:s0
+ ls -Zd /apex/com.android.conscrypt/cacerts
+ awk '{print $1}'
+ selinux_context=u:object_r:system_security_cacerts_file:s0
+ '[' -n u:object_r:system_security_cacerts_file:s0 ]
+ '[' u:object_r:system_security_cacerts_file:s0 '!=' '?' ]
+ chcon -R u:object_r:system_security_cacerts_file:s0 /data/local/tmp/adg-ca-copy
+ ls -1 /data/local/tmp/adg-ca-copy
+ wc -l
+ CERTS_NUM=135
+ '[' 135 -gt 10 ]
+ mount --bind /data/local/tmp/adg-ca-copy /apex/com.android.conscrypt/cacerts
+ umount /data/local/tmp/adg-ca-copy
+ rmdir /data/local/tmp/adg-ca-copy

[privacyguy123]

Keep in mind 1.2 with Adguard Stable moved the certs fine.

[sfionov]

@privacyguy123 Can you please enable debug logging in AdGuard, restart it, go to HTTPS filtering settings page, then save logs and send them to devteam@adguard.com?

https://adguard.com/kb/adguard-for-android/solving-problems/log/

[privacyguy123]

Still an issue, everything updated to latest stable

Seems to be visual bug at least, Internet browsing in Brave working showing cert fine in url bar. Would still be nice if it could be fixed.

[privacyguy123]

Problem is Magisk Alpha specific

[sfionov]

@privacyguy123 What "mount namespace mode" do you have in Settings -> Superuser?

[privacyguy123]

Root sessions will inherit their requester's namespace

[privacyguy123]

I moved back to Magisk Delta 26301 and I don't see this issue any longer however:

To be honest HTTPS Filtering is such a high level of extremely unstable I've had to disable it completely - too many strange issues with apps that have it on by default (for some reason almost every app?) And I fly swat bugs all day only to learn that apps aren't connecting to the Internet right with HTTPS Filtering even with user certs in the system store with the Magisk module. I think there should be a much more complex warning before allowing users to turn this option on - tbh it breaks fucking everything.

[privacyguy123]

@sfionov someone pointed out to me that it could be how "Unmount By Default" works on Magisk Delta. Could you comment on this? Is there files that Adguard needs mounted with root capabilities for this https filtering to work properly?

[privacyguy123]

@sfionov someone pointed out to me that it could be how "Unmount By Default" works on Magisk Delta. Could you comment on this? Is there files that Adguard needs mounted with root capabilities for this https filtering to work properly?

I have no idea, surely a dev of the app/module would know better?

I've noticed that VPN mode (non root, ironically) works much better so it certainly seems like it's a problem with this "Automatic Proxy Routes" option which is one of the reasons I even rooted in the first place ...

EDIT: com.android.proxyhandler - perhaps some component like this needs mounted by root?

[sfionov]

Sorry, I missed the last reply.

I think #52 is duplicate of this issue, so this issue should also be closed.

The problem with new Magisk is that post_fs_data.sh is executed on separate mount namespace, thus namespace patched in script is not namespace of init(1).